Mobile Application Security : Mobile Geolocation - Geolocation Methods & Geolocation Implementation

8/25/2011 3:10:35 PM

Geolocation Methods

Geolocation on mobile devices has grown from being used solely for emergency and law enforcement purposes to being an integral component of consumer mobile applications. Once performed only by triangulation of cell towers, it can now be done on modern mobile OSes via wireless survey or GPS, giving an enhanced degree of precision and faster update times. Different methods have their own strengths and weaknesses, along with variations in accuracy.

Tower Triangulation

Accuracy: 50m–1,000m

Tower triangulation is the oldest widely used method of geolocation via cell phone. This method uses the relative power levels of radio signals between a cell phone and a cell tower of a known location—this of course requires at least two cell towers to be within range of the user. This service is used for the E911 system in the United States, transmitting location data when emergency calls are made. With user permission, however, the phone can be instructed to transmit tower triangulation data to phone applications.

Because this requires that the user be near to multiple cells, and because signal strength can be affected by many factors, tower triangulation is a fairly inexact method of positioning (see Figure 12-1).

Figure 12-1. Cell phone tower triangulation


GPS

Accuracy: 5m–15m

Using satellite signals instead of cell phone or wireless infrastructure, GPS service is often available at times when other methods are not. However, satellite acquisition is generally impaired when the user is indoors, making the use of GPS alone inadequate for some mobile applications. Additionally, initial GPS location information can take several minutes to acquire.

An advantage of GPS is that it can provide continuous tracking updates, useful for real-time applications, instead of just one-time lookups.

Assisted GPS works by providing an initial location obtained via another means (either tower triangulation or 802.11) to the GPS receiver, to reduce satellite acquisition time and correct for signal noise. This makes GPS somewhat more viable for indoor use; however, acquiring positional data this way still takes upwards of 10 seconds, making it a relatively slow method.


802.11

Accuracy: 10m–200m (but potentially erroneous)

The iPhone was the first smartphone to add this additional method for geolocation, using an API made available by Skyhook Wireless. This location method works by doing a survey of any nearby 802.11 (Wi-Fi) wireless access points and then submitting data about them (presumably MAC address and SSID) to a web service, which returns coordinates from what is essentially a very large “wardriving” database. This allows for devices without GPS to provide potentially highly accurate location data.

This approach has the advantage of being both faster and much more accurate than cell tower triangulation, but has a couple of drawbacks. Because location data relies on specific wireless APs, if those APs move, location data can be drastically wrong. Because the wireless APs were listed in the Skyhook database, any attempt to use location services near the offices reported the company as being in the previous location, making it difficult to find places to go to lunch. A more extreme example is when attending a security conference in Tokyo, one of the authors’ iPhone 2G reported being in Vancouver, B.C. (the last place the conference APs were used).
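The stale-database failure described above can be caught by cross-checking a Wi-Fi fix against a coarser fix from another method before trusting it. The following is an added example, not code from the original text: the class and method names are hypothetical, the coordinates are constructed, and the error radii use the upper accuracy bounds quoted in this section.

```java
// Added example (hypothetical names, constructed coordinates): reject a Wi-Fi
// position fix that contradicts a cell-tower fix for the same moment.
public class FixSanityCheck {
    /** A position estimate plus the error radius (metres) claimed by its source. */
    static final class Fix {
        final double lat, lon, accuracyM;
        Fix(double lat, double lon, double accuracyM) {
            this.lat = lat; this.lon = lon; this.accuracyM = accuracyM;
        }
    }

    static final double EARTH_RADIUS_M = 6371000.0;

    /** Great-circle distance in metres (haversine formula). */
    static double distanceM(Fix a, Fix b) {
        double dLat = Math.toRadians(b.lat - a.lat);
        double dLon = Math.toRadians(b.lon - a.lon);
        double h = Math.pow(Math.sin(dLat / 2), 2)
                + Math.cos(Math.toRadians(a.lat)) * Math.cos(Math.toRadians(b.lat))
                * Math.pow(Math.sin(dLon / 2), 2);
        return 2 * EARTH_RADIUS_M * Math.asin(Math.sqrt(Math.min(1.0, h)));
    }

    /** Consistent when the two error circles overlap. */
    static boolean consistent(Fix wifi, Fix tower) {
        return distanceM(wifi, tower) <= wifi.accuracyM + tower.accuracyM;
    }

    /** Use the more precise Wi-Fi fix only when the tower fix corroborates it. */
    static Fix choose(Fix wifi, Fix tower) {
        return consistent(wifi, tower) ? wifi : tower;
    }

    public static void main(String[] args) {
        Fix tower = new Fix(35.680, 139.760, 1000);      // constructed: tower fix in Tokyo
        Fix wifiNear = new Fix(35.681, 139.761, 200);    // constructed: Wi-Fi fix close by
        Fix wifiStale = new Fix(49.280, -123.120, 200);  // constructed: AP last surveyed in Vancouver
        System.out.println("nearby Wi-Fi fix accepted: " + (choose(wifiNear, tower) == wifiNear));
        System.out.println("stale Wi-Fi fix accepted:  " + (choose(wifiStale, tower) == wifiStale));
    }
}
```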

The Skyhook software development kit (SDK) has also recently become available for Android, but is not yet integrated in an official capacity. More recently, however, Google launched its “Latitude” service, which provides a newer implementation of Skyhook’s technology, combining all of the preceding methods.

A more extensive evaluation of the strengths and weaknesses of this method can be found at

Geolocation Implementation

Each platform treats geolocation services differently, with different methods of requesting user permission, ranging from asking at every launch of the application to leaving notification up to the developer.


Android

As with most services on Android, permission to use the geolocation features is requested via the program manifest and is granted by the user at install time. Either coarse or fine precision can be requested, using the ACCESS_COARSE_LOCATION (for cell triangulation or Wi-Fi) or ACCESS_FINE_LOCATION (GPS) permission (see Figures 1 and 2). These permissions are requested and controlled separately.

Figure 1. A permissions request for coarse and fine location services

Figure 2. A permissions request for only fine location services

The android.location package provides the LocationManager service, which can be called to return both geographic location and current bearing, using the internal compass (if available). Listing 1 provides an example of using the LocationManager service in Android.

Listing 1. Using the LocationManager in Android
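// Called from an Activity or Service; needs android.content.Context and android.location.*
LocationManager locationManager = (LocationManager) getSystemService(Context.LOCATION_SERVICE);
Criteria mycriteria = new Criteria();
String myprovider = locationManager.getBestProvider(mycriteria, true); // null if no provider is enabled
Location mylocation = locationManager.getLastKnownLocation(myprovider); // null if no fix is cached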

In addition to this, the LocationManager can be used to register for positional update notifications as well as for an intent to be triggered when a device comes within a specified proximity of a set of geographic coordinates. See the LocationManager.requestLocationUpdates and LocationManager.addProximityAlert methods for more information. It is worth noting that on some platforms geolocation is guaranteed to be available, but there is no such mandate on Android-powered devices.
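The points above combine into one pattern: ask for coarse precision only, tolerate a device with no usable provider, and stop updates when the application is not in the foreground. This is an added example, not code from the original text; the class name CityLookupActivity, the field names, and the update intervals are hypothetical, and it assumes the manifest declares only ACCESS_COARSE_LOCATION under the install-time permission model described above.

```java
// Added example (hypothetical names): coarse-only location use on Android.
import android.app.Activity;
import android.content.Context;
import android.location.Criteria;
import android.location.Location;
import android.location.LocationListener;
import android.location.LocationManager;
import android.os.Bundle;

public class CityLookupActivity extends Activity implements LocationListener {
    private LocationManager locationManager;
    private double cityLat, cityLon; // rounded position, the only copy kept

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        locationManager = (LocationManager) getSystemService(Context.LOCATION_SERVICE);
    }

    @Override
    protected void onResume() {
        super.onResume();
        Criteria criteria = new Criteria();
        criteria.setAccuracy(Criteria.ACCURACY_COARSE); // city-level is enough
        String provider = locationManager.getBestProvider(criteria, true);
        if (provider == null) {
            return; // no enabled provider: geolocation is not guaranteed on Android
        }
        Location last = locationManager.getLastKnownLocation(provider);
        if (last != null) onLocationChanged(last); // cached fix may be absent
        // Hypothetical intervals: at most one update per 5 minutes or 1 km moved.
        locationManager.requestLocationUpdates(provider, 5 * 60 * 1000L, 1000f, this);
    }

    @Override
    protected void onPause() {
        super.onPause();
        locationManager.removeUpdates(this); // stop tracking when not in the foreground
    }

    @Override
    public void onLocationChanged(Location location) {
        // Keep two decimal places (roughly 1 km); discard the precise fix.
        cityLat = Math.round(location.getLatitude() * 100.0) / 100.0;
        cityLon = Math.round(location.getLongitude() * 100.0) / 100.0;
    }

    @Override public void onStatusChanged(String provider, int status, Bundle extras) { }
    @Override public void onProviderEnabled(String provider) { }
    @Override public void onProviderDisabled(String provider) { }
}
```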

More information on the LocationManager can be found on the Android developer site at


iPhone

Geolocation on the iPhone requires user approval every time an application that uses geolocation APIs is launched (see Figure 3). The CLLocationManager returns a CLLocation object. There are several constants developers can choose from when requesting locational data:

Figure 3. The iPhone location permissions dialog

const CLLocationAccuracy kCLLocationAccuracyBest;
const CLLocationAccuracy kCLLocationAccuracyNearestTenMeters;
const CLLocationAccuracy kCLLocationAccuracyHundredMeters;
const CLLocationAccuracy kCLLocationAccuracyKilometer;
const CLLocationAccuracy kCLLocationAccuracyThreeKilometers;

Use the least precise measurement that will meet the functionality requirements. For example, to merely determine what city a user is in, you should use either the kCLLocationAccuracyKilometer or kCLLocationAccuracyThreeKilometers constant.

The method used for geolocation is abstracted and not controllable by the developer, but any combination of Wi-Fi, tower triangulation, and GPS (on post-2G devices) may be used.

Windows Mobile

Windows Mobile has no mechanism for a user to control geolocation API access on an application-by-application basis—all applications are allowed to access this data if location services are enabled on the device, via the GPS Intermediate Driver API’s GPSOpenDevice and GPSGetPosition.
