Is it possible to ensure client data is correct?

To put it simply: There is NO way

As you already determined, a request can easily be forged. Even if using a custom encryption, your users can decompile your code and find out how it's done.

The only way to prevent users from tampering and decompiling your code is by not handing it to them.

Often this is done by providing SaaS products that run server sided.

All you can do is try to obfuscate your code if you need to serve the application as such.

But note: Security through obscurity is NOT secure.

P.S: Even if your users do not tamper requests: GPS coordinates of mobile devices can easily be spoofed.


Generally there is no absolute way to do this. You have to consider incoming data as unstrusted.

There's a few things you can do however to rule out obviously bad data. See https://security.stackexchange.com/a/232943/200347 Other answers for that question contain further useful information for the client side implementation, if you control that.


I will go against the grain here and say that there are ways to do this effectively. But it is difficult.

Instead of just sending GPS coordinates to your server by themselves, send it along with a bunch of other data, like nearby WiFi access points, barometric pressure, and data from the magnetometer.

Then you then need to build a type of heuristic to analyze this data. Check the altitude, check the pressure, etc. Compare it with other data you get in similar regions. Make sure the exact same WiFi access point composition is not the exact same as another region across the world. (If it is, immediately ban the consumer).

It might not be 100% fool proof, but if you have enough resources to validate sensor data from the consumer, you can make it very difficult for them to just do a simple GPS spoof.