How does server verify geolocation data received from client?

Question

How do location-based apps securely verify client locations on the server-side?

Location data is vulnerable to manipulation, with users using VPNs or analyzing network history to send spoof API requests with false location information.

HMAC signatures offer promise, but they can even mimic the shared secret key exchange (Diffie-Hellman) used for HMAC by analyzing network historys.

Authentication tokens don't address this issue, and methods like limiting APIs or implementing honeypots aren't fundamental solutions.

Any insights or solutions for this issue?

Answer 1

Any type of information sent by the client is something the client may or may not manipulate. Based on the HTTP request content there is nothing that will be 100% reliable and from the perspective of data privacy we should be thankful it is like that.

You may maybe try to geolocate a certain IP address that is communicating with you. Things like proxies, VPNs or TOR will bypass such measures and the geolocation will never be accurate.

Answer 2

No methods are bulletproof, but our approach is to grab the visitors IP address as reliably as possible:

function getIP() {
    // If using Cloudflare
    if(isset($_SERVER['HTTP_CF_CONNECTING_IP']))
        return $_SERVER['HTTP_CF_CONNECTING_IP'];

    // If behind a firewall
    if(isset($_SERVER['HTTP_X_SUCURI_CLIENTIP']))
        return $_SERVER['HTTP_X_SUCURI_CLIENTIP'];
    elseif(isset($_SERVER['HTTP_INCAP_CLIENT_IP']))
        return $_SERVER['HTTP_INCAP_CLIENT_IP'];

    // Other headers can be forged by proxy servers, so we ignore them and just check REMOTE_ADDR at this point
    if(isset($_SERVER['REMOTE_ADDR']))
        return $_SERVER['REMOTE_ADDR'];

    return false;
}

Then pass that IP to our IP lookups API, which returns a JSON containing, among other things, the country it belongs to. If the IP is of a known public proxy, the JSON includes this too, to help differentiate between visitors who really are from the determined country, and visitors who are just using a proxy in that country. An IP that isn't flagged could still actually be a proxy though - it's not always possible to tell.