保护您的 Android 应用免受模拟位置的影响
我正在设计一种基于位置的服务,其中可靠性发挥着重要作用。 我希望我的用户知道其他用户提供的位置是真实的。
我研究了一些模拟位置,并注意到 线程应用LocationSpoofer。我目前没有取得 root 权限的手机,但它指出,取得 root 权限后,即使没有设置,它也可以模拟位置。
有什么已知的方法可以防止这种情况发生吗?我可以使用一些简单的启发式方法来验证用户是否在 30 分钟内从法国前往夏威夷,但我宁愿拥有完整的保护。
先谢谢了!
I'm designing a location-based service where reliability plays a role.
I wish my users to know that the provided location of other users is real.
I researched mock locations a bit, and noticed in this thread the app LocationSpoofer. I don't have a rooted phone currently, but it states that when rooted it can mock locations even without the setting.
Is there any known way to protect against that? I could use some simple heuristic to verify that the user didn't travel from France to Hawaii in 30 minutes, but I would rather have complete protection.
Thanks ahead!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
而不是长评论:
“可靠性发挥作用”
只要您为“可靠”输入提供可靠的输出,我认为您就可以不用处理“欺骗”或虚假输入。如果您将数据存储在持久存储中,您可以处理“可疑”数据的情况。
即在数据上定义和应用场景,以识别诸如“用户在 30 分钟内从法国旅行到夏威夷”之类的情况,并以适当的方式处理此类情况。或者您甚至可以拒绝不切实际的数据。
Instead of a long comment:
"reliability plays a role"
As long as your provide reliable output for "reliable" input i think you will be OK without having to handle 'spoofed' or fake input. In case you have data stored in persistent storage you could handle cases for 'suspicious' data.
That is define and apply scenarios on your data to identify cases like "the user traveled from France to Hawaii in 30 minutes", and handle such cases in an appropriate way. Or you could even reject data that are not realistic.
从安全角度来看,您应该假设来自客户端验证过程的任何数据都不可信。数据可能会被有意或无意地修改,而这超出了您的直接控制范围。
如果您想防止位置欺骗,那么我建议您进行服务器端检查。
From a security point of view you should assume that any data coming from a client-side validation process cannot be trusted. The data could be intentially, or unintentionally, modified and that is out of your direct control.
If you want to protect against location spoofing then I would recommend server side checks.