tags:

views:

57

answers:

2
+2  Q: 

How do i get a verified location using HTML5?

I've been playing with HTML5 location lookups recently and its relatively straightforward to pull someones location from a device like an iPhone.

I want to write an app that uses location data, but its important that the location be factual. In other words I need to prevent people from authoring a fake post to the backing website / web service with mocked up GPS coordinates.

Is there anyway to collect GPS coordinates from a mobile device using the HTML5 geolocation apis and securely transmit that back to a web service in a way that someone wouldn't be able to author a post with the same data and "game the system" so to speak?

+4  A: 

Not without some serious encryption on the payload on the client. Which if there is money involved, someone will reverse engineer and figure out how to create valid payloads themselves. Remember if there is money or fame involved then somebody will think the effort to do something like this is "worth it". If your web service is public and not using some kind of encryption nothing on the client will ensure that someone with a network connection can't sniff your protocol and fake whatever data they want. And SSL won't cut it. Anyone can proxy the SSL connection on their local network decrypt the payload and inspect it to their hearts content.

fuzzy lollipop  2010-06-22 20:31:28
ya that's kinda what i figured. I'll have to come up with a way to automatically detect potential cheating then instead of protecting against it. Thanks for the input.
JoshReedSchramm  2010-06-22 22:03:19
+3  A: 

No. Completely agree with the answer from fuzzy lollipop. If you’re talking to a remote machine, the data can always be faked. Always always. What makes you certain you’re even talking to a mobile device at all? The User-Agent string? Pfft, it can be faked. Talking to a GPS? Pfft, could be coming from a predefined path. Talking to a web browser? Pfft, could be a bot, or some other malware.

And don’t think encryption (i.e. HTTPS) is going to help you. The client could edit any of your HTML, CSS, or JavaScript on-the-fly — take Firebug or Greasemonkey for example.

The reasons why you can’t trust the client are the same as the reasons why exploits such as SQL or HTML injection are so common. Ever heard the phrase “the customer is always right”? Well, the customer may be right, but the client is always untrustworthy.

The system is there to be gamed. As flaws are discovered, you patch them one by one. It’s more like leapfrog, rather than achieving the holy grail. Bruce Schneier’s quip “security is a process, not a product” comes to mind. Asking for a system that “can’t be gamed” is missing the point. What you need to be doing is creating a system where the server sanitises the data, and/or rejects bad data — fuzz testing is not a bad idea, either.

That’s about the best you can do without shipping custom untamperable mobiles to your customers with the OS in ROM, and the inside sealed with epoxy.

Jeremy Visser  2010-06-23 00:02:32
sealing something with expoxy doesn't do a damn thing to stop man in the middle software network attacks, that is very 1980's mentality trying to lock down the hardware physically. it is all about the software now.
fuzzy lollipop  2010-06-23 01:21:21
Wasn’t suggesting that Josh epoxy his mobiles (note I said “untamperable mobiles”, something that clearly does not exist). Just trying to emphasise my point that anything can be MITM’ed along the way. We’re in agreement — trust me! ;-)
Jeremy Visser  2010-06-23 04:08:09

related questions

How can I modify HTML Canvas colors using an interval loop?
How does the live, real-time typing work in Google Wave?
Capture HTML Canvas as gif/jpg/png/pdf?
Javascript Canvas Serialization/Deserialization?
iPhone WebApp cache
Limit text to the width of sibling image / auto width in CSS
HTML Anchors with 'name' or 'id'?
How do I fix shocking/lagging movement in this ajax based multiplayer example?
Why are (X)HTML 5 and XHTML 2 separate standards?
HTML 5 Reference Implementations
Will HTML 5 validation be worth the candle?
Is there an alternative of ajax that does not require polling without sever side modifications?
[JAVASCRIPT/HTML5] Howto equal Microsoft.Matrix filter to canvas rotate?
Canvas rotate from bottom center image angle?
Howto avoid image cutoff with <canvas> rotate ?
XHTML - Is writing self closing tags for elements not traditionally empty bad practise?
Does my page have to have the HTML5 doctype to access sessionStorage
Can HTML5 sessionStorage be written to disk?
Does Internet Explorer 8 support HTML 5?
HTML 5 versus XHTML 1.0 Transitional?
Is it time to start using HTML5?
Where can I find some good information about how the new canvas HTML element works?
Which browser has the best support for HTML 5 currently?
What's the key difference between HTML 4 and HTML 5?
Any reason not to start using the HTML 5 doctype?