Currently I'm working on an app whose geolocation capabilities are its most important feature. Actually we're very concerned about GPS values being mocked. I've read a lot of comments regarding mocking locations on both iOS and Android, and most of them tend to explain that an unjailbroken iOS device can't mock locations, but the truth is I've created another project with a GPX file to mock the location in that project, and when it is executed, the entire system believes I'm in another city. All my locationManager callbacks tell me I'm at the mocked location with the proper timestamp, faking the entire information as if it were real. That entirely breaks the purpose of our app, as the user can fake where they have been.
Is there any way to detect this behaviour and prevent it? I'm assuming a closed target; the attacker must be a developer in order for this exploit to work, but alas, it's still there.
Since iOS 15 arrived, Apple introduced two new properties in CLLocation:
/*
* isSimulatedBySoftware
*
* Discussion:
* Set to YES if this location was detected as being generated by a software simulator, such as Xcode
*/
open var isSimulatedBySoftware: Bool { get }
/*
* isProducedByAccessory
*
* Discussion:
* Set to YES if this location was generated from an external accessory, such as CarPlay or an MFi accessory
*/
open var isProducedByAccessory: Bool { get }
These two properties are located in:
/*
* sourceInformation
*
* Discussion:
* Contains information about the source of this location.
*/
@available(iOS 15.0, *)
open var sourceInformation: CLLocationSourceInformation? { get }
I've tested this with virtual location generators like third-party apps and Xcode, and isSimulatedBySoftware was true in every case. I will order an external GPS device to make sure that the other is working too (hopefully :D) and will update my answer then.
I don't believe it's possible to detect location simulators.
An easier way to fake location is to use an external Bluetooth or serial connection to a GPS simulator that outputs NMEA sentences. You don't need a developer account, although you do need an Android phone to run the simulator.
The iPhone will auto-detect an external GPS, and CLLocationManager will use the external GPS source in place of its own internal GPS. It's really handy for lab testing of mapping and navigation apps.
It is also possible to spoof iPhones with a software-defined radio and gps-sdr-sim from GitHub. You use gps-sdr-sim to generate I/Q files that contain GPS signals and use the SDR to transmit those samples over-the-air. This type of spoofing is much harder to detect.
There actually are 2 separate questions: (1) how to detect, and (2) how to prevent it?
[simulated locations] The callback returns almost immediately after calling startUpdatingLocation, and is then called repeatedly, exactly every one second. Also, the locations are all the same if we choose a fixed location. Here is an example:
location: <+51.50998000,-0.13370000> +/- 5.00m (speed -1.00 mps / course -1.00) @ 30.03.15 14:12:48 Час: Індокитай
location: <+51.50998000,-0.13370000> +/- 5.00m (speed -1.00 mps / course -1.00) @ 30.03.15 14:12:49 Час: Індокитай
location: <+51.50998000,-0.13370000> +/- 5.00m (speed -1.00 mps / course -1.00) @ 30.03.15 14:12:50 Час: Індокитай
location: <+51.50998000,-0.13370000> +/- 5.00m (speed -1.00 mps / course -1.00) @ 30.03.15 14:12:51 Час: Індокитай
location: <+51.50998000,-0.13370000> +/- 5.00m (speed -1.00 mps / course -1.00) @ 30.03.15 14:12:52 Час: Індокитай
location: <+51.50998000,-0.13370000> +/- 5.00m (speed -1.00 mps / course -1.00) @ 30.03.15 14:12:53 Час: Індокитай
location: <+51.50998000,-0.13370000> +/- 5.00m (speed -1.00 mps / course -1.00) @ 30.03.15 14:12:54 Час: Індокитай
[real locations] It takes a few seconds (on first run) to call back, and then it is called again at random intervals. Also, you can see significant changes among those locations even if you don't move at all. Here is an example:
location: <+10.77219361,+106.70597441> +/- 67.39m (speed -1.00 mps / course -1.00) @ 30.03.15 14:16:26 Час: Індокитай
location: <+10.77213011,+106.70591088> +/- 65.00m (speed -1.00 mps / course -1.00) @ 30.03.15 14:16:31 Час: Індокитай
location: <+10.77219507,+106.70587790> +/- 65.00m (speed -1.00 mps / course -1.00) @ 30.03.15 14:16:38 Час: Індокитай
location: <+10.77214753,+106.70587741> +/- 65.00m (speed -1.00 mps / course -1.00) @ 30.03.15 14:16:49 Час: Індокитай
Remember, it's just a temporary solution to detect simulated locations. In the future, Apple may change the behaviour.
By the way, I've also tried to disallow location simulation in Xcode at the scheme level. Unfortunately, it still allows simulated locations.
Some more issues you may want to know about are here. Hope it helps.
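The checks described in the answers above can be combined into one classifier. This is an added example, not code from any of the answers: it prefers the iOS 15 `sourceInformation` flags and falls back to the fixed-point, one-second-cadence pattern on older systems. `LocationTrust`, `classify`, the 5-fix minimum and the 0.05 s tolerance are assumptions chosen for illustration.

```swift
import CoreLocation

/// Hypothetical verdict type for this example; not a Core Location API.
enum LocationTrust { case simulated, accessory, suspicious, plausible }

/// Classifies a window of recent fixes, ordered oldest first.
func classify(_ fixes: [CLLocation]) -> LocationTrust {
    guard let latest = fixes.last else { return .plausible }

    // iOS 15+: trust the flags Core Location attaches to the fix itself.
    if #available(iOS 15.0, macOS 12.0, *), let source = latest.sourceInformation {
        if source.isSimulatedBySoftware { return .simulated }
        if source.isProducedByAccessory { return .accessory }
    }

    // Fallback heuristic from the logs above: a fixed simulated point repeats the
    // same coordinate and accuracy at an exact one-second cadence.
    // Assumption: 5 fixes is enough history; tune for your app.
    guard fixes.count >= 5 else { return .plausible }
    let first = fixes[0]
    let fixedPoint = fixes.allSatisfy {
        $0.coordinate.latitude == first.coordinate.latitude &&
        $0.coordinate.longitude == first.coordinate.longitude &&
        $0.horizontalAccuracy == first.horizontalAccuracy
    }
    let intervals = zip(fixes.dropFirst(), fixes).map { pair in
        pair.0.timestamp.timeIntervalSince(pair.1.timestamp)
    }
    let metronomic = intervals.allSatisfy { abs($0 - 1.0) < 0.05 }
    // Require both signals; a steady cadence alone is not treated as evidence.
    return (fixedPoint && metronomic) ? .suspicious : .plausible
}

// Constructed sample mirroring the simulated log above:
// the same point, 5 m accuracy, fixes exactly one second apart.
let start = Date()
let sample = (0..<7).map { i in
    CLLocation(coordinate: CLLocationCoordinate2D(latitude: 51.50998, longitude: -0.1337),
               altitude: 0, horizontalAccuracy: 5, verticalAccuracy: -1,
               timestamp: start.addingTimeInterval(Double(i)))
}
print(classify(sample))
```

The fallback only catches a fixed simulated point; a GPX route with moving coordinates passes it, and neither check addresses the over-the-air spoofing mentioned above, so treat the verdict as one input to server-side plausibility checks rather than a gate.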