cgewecke
commented
8 years ago Another idea: Just like we can collect rssi from our connection to the device and independently verify proximity, we can collect surrounding MAC address data and demand the client match it . Possible w/ Android but not possible w/ iOS (apparently).
Geolocate is a good candidate for a 'difficult to spoof' location data confirmation since data coming from the API is derived from a database of wireless MAC addresses, cell phone tower data etc. Jailbreaking and using a private api against a compiled client doesn't work (although jailbreaking, decompiling and then emulating the animist client might). Only successful attempts seen online involve wrapping phone in aluminum foil to blot out all radio signal, then piping fake signal in through a hole.
In the design below, the bluetooth connection would have to be spoofed using a real-time relay AND the hijack geolocation. As long as the data is actually coming from the Google API it's probably valid, although in some cases it may not be very precise. Downsides to this source are cost: 2500 free calls per api key and then $.50/1000 calls after that, up to 100,000 (Retail). Only 5 thousandths of a penny each but ultimately the client app would need to hand their card over to them and pay for this. Design issues are:
a). Animist endpoint needs to know its location in gps coordinates. b). Algorithm to determine whether data received from client is 'close enough', how to handle super imprecise data, etc. c). A channel to send the raw data. d). A channel to send that data signed by an 'api key'. e). A place in the contract to store the api key.