Secure user identification in Android app without sign up or login

Question

My app grants privileges depending on the user's location. If a device does not report a location back to the server, its privileges at the server are none.

I want to make it as hack-safe as possible, so that privileges are strictly restricted by the device's current location.

Good progress can be made if I can identify the user/device accurately. Then I can block device X if it reports being in New York now, and in Los Angeles 10 minutes later (physically impossible).

There's no sign up. Users only need to solve a captcha to start using the app. That's it!

Is there a way to prevent someone from using the Android emulator to impersonate 20 different devices, each in a different city, and all sending spurious data to the server as if they were real uses? If not, is there a way to make it really hard for hackers to do so?

Answer 1

You are pretty much out of luck. Devices can lie about their location, always. If you have some way of veting users(i.e I can't keep signing up for free accounts) and can see if they do this, you can black list them as you say. Just have people "login" or something equivalent on first use and store their credentials. You could try to use like the IMEI number or something if you had the privileges to get it, but i suspect that someone either in an emulator or with say cyanogen mod could change that too, but it would be harder.

There is one caveat to this, if you are trying to do proximity testing for say if two friends are near each-other, you can do reasonably strong cryptographic assurances of location. this can be done. See this paper.

For the general impossibility result on doing really high security location proofs see this rather dense paper. Admittedly, you can probably do something that is still not trivial to break, but not easily.