How do location-based apps avoid getting cheated by emulated GPS?

There are many ways to track user's location on a mobile device (I will go into how that works later).

None of the tracking methods are particularly easy to spoof. It can be done but it is simply outside of the realm of the average user as it generally requires either a modified device (physically or programmatically) or external gear.

Moreover, it is far easier for developers to simply tie multiple forms of tracking with simple logic (IE you can only 'check in' x number of times within timeframe y) than it is for a hacker to spoof an app like foursquare and get that 5% discount on dinner. Once again, it can be done, but [my theory is] so far it is not economical to hackers.

As promised, here are a few of the big technologies leveraged in geographic tracking:

  • GPS Reporting. This is probably most familiar to you. It is the most 'expensive' report because it requires relatively large amounts of power to read several GPS satellites. A pure GPS system is rarely used on mobile devices today. GPS devices can be spoofed programmatically (by changing the software's call to the GPS driver's position) even without modifying a device at all (as seen here).
  • GSM Reporting. This is perhaps the most common way your location is tracked through the day while you are moving around. The concept is simple. Your phone, with normal messages to the cell towers nearby, triangulates your position at a given time. This method is extremely hard to spoof without external hardware or seriously altering your phone's functionality (IE if you spoof a cell tower then yes you are 'not tracked' geographically, but you also cannot make phone calls). Additionally, cell traffic is encrypted. You could potentially spoof the access point where the apps software talks to the phone's cell tower data driver, but that is also difficult to say the least.
  • LAN Reporting. This is a pretty cool concept because it provides high levels of accuracy indoors (something that has traditionally been an issue). This requires much setup but at a minimum would allow apps to talk to registered wifi hotspots to confirm your location based on which wifi you are connected to. This is theoretically possible to spoof but it would largely depend on the levels of encryption for the legitimate connection's signature.
  • WAN Reporting. This is nothing more than simple IP address reporting. This is perhaps the easiest to spoof, but I put it in here for completeness as it is very common to mobile friendly sites.
  • Others (Bluetooth, RFID, Inertial nav, experimental, etc) There are quite a few other methods out there. One of my favorites is Inertial Navigation where there are no external transmissions (thus potentially very difficult to spoof) as it uses internal sensors and map to ascertain your position. This is seen in missile guidance systems as well as some apps. Life360 for instance uses a variation of this as it uses very little power (all the sensors are already active).

Other things to remember:

  • Developers can leverage any number of these technologies, thus making an app even harder to spoof.
  • Most location data is stored on a mobile device (and sometimes in many places) until explicitly deleted. Thus a developer can (potentially) access previous location data points. So if you say you were at cafe mama's 20 times todays and the app simply talks to siri to find out your last geo-data point was 100 miles away, the app will wonder...
  • Law Enforcement would have far greater ability to determine your real location so just because you may have spoofed an app doesn't mean you should bet your life on it (some comments elsewhere suggested that you could use this spoofing nefariously, so I thought I'd toss this in here).

For Ingress, Google's global wargame, a range of anti-spoofing measures are used. Google are keeping quiet about the full range, but two that have been demonstrated are:

  • Speed limitation: 40mph maximum allowed in game
  • Corroborating measures: cross referencing wifi SSID's received with their location database

The short answer is that (as far as I'm aware) it isn't possible to perfectly stop location emulation on open platforms (e.g. Android). Other more restrictive platforms (e.g. non-jailbroken iOS/Windows Phone) don't tend to suffer as much from these problems as they don't allow users the same level of freedom in terms of the types of applications they can install.

What software vendors can do is try to reduce the impact and detect people mis-using this feature. As an example, one way of doing this might be to analyze the users positions and if they move too quickly, assume that they are using some form of GPS spoofing/emulation.