views:

43

answers:

4

Hello, here is my problem:

I have a mobile app, and I want to give the user some information depending on their position (think something like Foursquare). But how do I make sure the user's position is real?

I mean, let's say the client makes a request to the server via HTTP:

http://www.myserver.com/getdata?lat=X&long=Y

A malicious user could easily modify the values.
Then how do I make sure the values are accurate?

+1  A: 

You cannot. As you've already figured out, the client can always manipulate the requests sent to the server.

The only thing you can do on the server side is to filter unlikely coordinates (for example, on the sea, depending on the meaning of your coordinates).

JochenJung
A: 

Someone could trick/fake the phone into setting the GPS co-ords to somewhere else. As @JochenJung says, it is always possible to change the request.

cofiem
A: 

I have been thinking about the same thing, but fear it is impossible. Some ideas I had:

  • Add some kind of hash of the coordinates to the request that you can check server side too. This requires the client to know about the encryption algorithm (and key), and again makes it hackable.
  • Check if the time between the previous request and now allows for that kind of location change. Rather hard, because you can never know if the first request wasn't a fraud either, and you don't know what kind of transport the client might be using.
borisCallens
Yes, I was thinking about encrypting it with a shared secret key. But then the key will be on the client, which would be completely hackable...
Ale_x
Thus far the best I could come up with is obfuscation... but that's not really a solution.
borisCallens
The problem is that even if you could make the URL true to the actual GPS measurements, it is still possible to fake the actual GPS measurements...
borisCallens
A: 

You can always use PGP encryption, which would be in the app, then send a packet to the server, which will decode the message, and you will know it was the program that sent the request.

So if the user wants to fake the coordinates, he will need to hack your software that is on the phone to actually do that.

Hope that will give you some ideas...

On the other hand, you can issue a hash on first contact with the server (authentication or something like that) and have some simple math in your mobile application: x*your_hash and y*your_hash, or something like that (it should be more complicated, as this is easy to guess). Then the request to the server is http://www.myserver.com/getdata?lat=x&lon=y, and on the server side of the app: lat = lat/your_hash, lon = lon/your_hash. Now, if the lat/lon is off the grid, as JochenJung said, somewhere in the sea, you can ignore the request. And because you want to identify which user sent the request, you will need some identification on the query string, which can be used as an additional variable to create a better result.

Vladas Freimanas
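Worked example, added here as an illustration and not code from anyone in the thread: it combines the three server-side ideas discussed above in one small validator. borisCallens's "hash of the coordinates" and Vladas Freimanas's "sign it inside the app" become an HMAC-SHA256 tag over the exact `lat`, `long` and timestamp strings in the query (HMAC is the standard construction for this; PGP or multiplying by a per-session hash are not needed). JochenJung's "filter unlikely coordinates" becomes a range check, and borisCallens's "does the time since the last request allow this move?" becomes a great-circle distance divided by elapsed time against a speed ceiling. The parameter names `ts` and `sig`, the key, the 350 m/s ceiling, the clock-skew window and the sample coordinates are all assumptions of this example. The thread's objection is unchanged: the key has to live in the app, so someone who extracts it can sign any coordinates, and the speed check only catches jumps between reports, not a consistently faked position.

```python
import hashlib
import hmac
import math
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key (assumption). As the thread points out, this key ships
# inside the app, so anyone who extracts it can sign arbitrary coordinates.
SHARED_KEY = b"demo-key-not-for-production"
MAX_SPEED_MPS = 350.0   # assumed ceiling: roughly airliner speed, far above any car or train
MAX_CLOCK_SKEW_S = 300  # assumed window: reject signed requests older/newer than this (replay guard)


def _canonical(lat_s, lon_s, ts_s):
    """Bytes that get MACed: the exact strings that appear in the query."""
    return f"{lat_s}|{lon_s}|{ts_s}".encode()


def sign(lat_s, lon_s, ts_s, key=SHARED_KEY):
    """Client side: HMAC-SHA256 tag over the coordinates and the timestamp."""
    return hmac.new(key, _canonical(lat_s, lon_s, ts_s), hashlib.sha256).hexdigest()


def build_request(lat, lon, ts, key=SHARED_KEY, base="http://www.myserver.com/getdata"):
    """What the honest app would send; 'lat'/'long' follow the question, 'ts'/'sig' are assumed."""
    lat_s, lon_s, ts_s = f"{lat:.6f}", f"{lon:.6f}", str(int(ts))
    sig = sign(lat_s, lon_s, ts_s, key)
    return f"{base}?" + urlencode({"lat": lat_s, "long": lon_s, "ts": ts_s, "sig": sig})


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres on a spherical Earth (radius 6371 km)."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))


class PositionValidator:
    """Server side: signature, range, freshness and speed checks, tracked per user."""

    def __init__(self, key=SHARED_KEY, max_speed=MAX_SPEED_MPS, max_skew=MAX_CLOCK_SKEW_S):
        self.key, self.max_speed, self.max_skew = key, max_speed, max_skew
        self.last = {}  # user_id -> (lat, lon, ts) of the last *accepted* report

    def check(self, user_id, url, now):
        """Return (accepted, reason). `now` is the server clock in epoch seconds."""
        q = parse_qs(urlsplit(url).query)
        try:
            lat_s, lon_s, ts_s, sig = (q[k][0] for k in ("lat", "long", "ts", "sig"))
            lat, lon, ts = float(lat_s), float(lon_s), int(ts_s)
        except (KeyError, ValueError):
            return False, "missing or malformed parameter"
        # Recompute the tag over the strings the client actually sent; constant-time compare.
        if not hmac.compare_digest(sign(lat_s, lon_s, ts_s, self.key), sig):
            return False, "bad signature"
        # JochenJung's filter: anything outside the valid lat/lon range is nonsense.
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            return False, "coordinates out of range"
        # A valid tag can be replayed forever unless the timestamp is bounded.
        if abs(now - ts) > self.max_skew:
            return False, "stale or future timestamp"
        # borisCallens's idea: could the user have travelled this far since the last report?
        prev = self.last.get(user_id)
        if prev is not None:
            plat, plon, pts = prev
            dt = ts - pts
            if dt <= 0:
                return False, "timestamp not increasing"
            speed = haversine_m(plat, plon, lat, lon) / dt
            if speed > self.max_speed:
                return False, f"implausible speed {speed:.0f} m/s"
        self.last[user_id] = (lat, lon, ts)
        return True, "ok"


if __name__ == "__main__":
    v = PositionValidator()
    t0 = 1_700_000_000                                     # constructed epoch time
    paris = build_request(48.8566, 2.3522, t0)             # constructed sample position
    print(v.check("alice", paris, t0))                     # accepted
    tampered = paris.replace("lat=48.856600", "lat=40.712800")
    print(v.check("alice", tampered, t0))                  # bad signature: tag no longer matches
    nyc = build_request(40.7128, -74.0060, t0 + 60)        # correctly signed, but 5800 km in a minute
    print(v.check("alice", nyc, t0 + 60))                  # implausible speed
    louvre = build_request(48.8606, 2.3376, t0 + 60)       # about 1 km away, plausible
    print(v.check("alice", louvre, t0 + 60))               # accepted
```

Two design points matter here. The tag is computed over the exact query strings rather than over parsed floats, so client and server never disagree on formatting; and the rejected reports never update `last`, otherwise one accepted spoof would make every later honest report look like a teleport. Neither check defends against an app that is patched to feed fake GPS fixes into `build_request`, which is exactly the limit the thread arrives at.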