views:

71

answers:

3

Newbie question.

I'm trying to make a mobile site using html5's geolocation (I know technically it's a separate spec, but still) to identify user's current position and post that to a web service which then does something. Basically a browser version of Four Square.

Is there anyway that I can verify that the user is really at that location? I want to prevent someone from making something, say a console app, that sends fake lat/long to the service.

Any suggestion is welcome, even if it doesn't get me there 100%. Thanks, SO community!

+3  A: 

The short answer is no. All you can know for sure is where the browser claims to be. A sufficiently determined user could fake this.

A feature like this is really best used for convenience, not for security.

Jon B
You could verify it somewhat on the server-side by using IP-based geolocation, since there is no way to fake it other than by spoofing your IP (which does not work for 2-way communication across subnets and is nigh impossible to do across the internet) or by using a proxy. Though I don't know how accurate IP-based geolocation is for mobile devices.
Lèse majesté
yeah, that's pretty much what i thought too. bummer@lese, good call with IP checking, definitely an improvement :)
Yellowmoon
A: 

Ask the user to take a photo of the area, and compare that with Google Street View images near their stated location.

Or no. You might be able to get location information from DNS LOC (RFC1876), which might be accurate to within a few tens of kilometres, and only then if the DNS information is also accurate.

Graham Lee
Is DNS LOC implemented anywhere? Seems like a major breach of privacy. At least HTML5 geolocation can be disabled in the browser configuration.
Lèse majesté
Given that the hostmaster has to choose to serve up the DNS LOC information, I don't see how it's any less private than other opt-in location sharing.
Graham Lee
Is each user their own hostmaster? Can I disable this service as easily as I can change the settings of my browser? Is this geolocation info accessible by only the applications I'm running or by anyone who can perform a DNS lookup?
Lèse majesté
@Graham, hehe, sometimes human eyes are harder to fool than machines :) unfortunately, it'd probably be too labor intensive
Yellowmoon
A: 

Yes - I know there is because GoWalla (available for free at the iPhone app store) requires a user to be at a given location before checking-in.

Unfortunately I'm not familiar with how they did this.

Jim G.
If this is an application, I'm sure they are accessing the GPS directly. He is asking about doing this in HTML5.
monksy
My guess would be, and this is a guess at best, they probably use the cellular tower information and or the GPS information in conjunction with IP based geolocation.
Deep Kapadia
@Deep, IP based geolocation is a good idea. Any way I can get cell tower/GPS info from browser/html5?
Yellowmoon
Probably not via HTML 5 but most mobile toolkits may have something.
Deep Kapadia