避免日志伪造漏洞

In the Navigine team, we’ve been providing indoor and outdoor positioning mobile technologies that enable advanced indoor navigation and proximity solutions for eight years.

在Navigine团队中，我们提供室内和室外定位移动技术已有八年之久，这些技术可实现高级的室内导航和邻近解决方案。

Today we want to discuss a topic relevant to tracking people’s location. This is primarily due to COVID, however, there are a lot of those who want to track your location — such as advertising networks in your applications. It may also be useful if you’re developing an application that uses the user’s location. At the end of this article you will find a link to an open-source example of the fake GPS app.

今天，我们要讨论与跟踪人们的位置有关的主题。 这主要是由于COVID引起的，但是，有很多人想要跟踪您的位置-例如应用程序中的广告网络。 如果您要开发使用用户位置的应用程序，那么它也可能很有用。 在本文的结尾，您将找到一个指向虚假GPS应用程序的开源示例的链接。

By the way, we want to note that cheating is not a good decision and there are ways to get your real location — for example, by using your cellular provider.

顺便说一句，我们要指出，作弊不是一个好的决定，并且有多种方法可以获取您的真实位置，例如，通过使用蜂窝电话提供商。

跟踪技巧 (Tracking Tricks)

Let’s start by understanding how applications can track us. Here are the main two location providers in Android.

让我们从了解应用程序如何跟踪我们开始。 这是Android中主要的两个位置提供程序。

• GPS — (GPS, AGPS): Name of the GPS location provider. This provider determines location using satellites. Requires the permission

  android.permission.ACCESS_FINE_LOCATION

  .

  GPS — (GPS，AGPS) ：GPS位置提供者的名称。 该提供商使用卫星确定位置。 需要权限

  android.permission.ACCESS_FINE_LOCATION

  。

• Network — (AGPS, CellID, WiFi MACID): Name of the network location provider. This provider determines location based on the availability of cell tower and WiFi access points. Requires either of the permissions

  android.permission.ACCESS_COARSE_LOCATION

  or

  android.permission.ACCESS_FINE_LOCATION

  .

  网络— (AGPS，CellID，WiFi MACID)：网络位置提供商的名称。 该提供商根据基站和WiFi接入点的可用性来确定位置。 需要

  android.permission.ACCESS_COARSE_LOCATION

  或

  android.permission.ACCESS_FINE_LOCATION

  权限。

https://developerlife.com/https://developerlife.com/的屏幕截图

Also, it’s worth noting, that apps can scan the WiFi and BLE signals and use it for better navigation, but we will discuss this further. In the meantime, let’s figure out how you can change the smartphone position using these two providers.

另外，值得注意的是，应用程序可以扫描WiFi和BLE信号并将其用于更好的导航，但是我们将进一步讨论。 同时，让我们弄清楚如何使用这两个提供程序来更改智能手机的位置。

GPS和网络提供商以及模拟位置 (GPS and Network providers and Mock Location)

“Mock Location” is a hidden developer setting in the Android operating system that allows a device owner to set any GPS location for testing purposes. Despite the fact that this is a developer setting, anyone can use it just by clicking a couple of buttons in device settings. Or you can write a few lines of code and transfer the user directly to these settings. Here’s the code for starting this intent — users should allow using your app as a mock location:

“模拟位置”是Android操作系统中隐藏的开发人员设置，允许设备所有者设置任何GPS位置以进行测试。 尽管这是开发人员设置，但任何人都可以通过单击设备设置中的几个按钮来使用它。 或者，您可以编写几行代码，然后将用户直接转移到这些设置。 这是启动此意图的代码-用户应允许将您的应用程序用作模拟位置：

...
if (!isMockLocationEnabled)
startActivity(new Intent(android.provider.Settings.ACTION_APPLICATION_DEVELOPMENT_SETTINGS));
...

private boolean isMockLocationEnabled()
{
boolean isMockLocation;
try {
if(Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
AppOpsManager opsManager = (AppOpsManager) mContext.getSystemService(Context.APP_OPS_SERVICE);
isMockLocation = (Objects.requireNonNull(opsManager).checkOp(AppOpsManager.OPSTR_MOCK_LOCATION, android.os.Process.myUid(), BuildConfig.APPLICATION_ID)== AppOpsManager.MODE_ALLOWED);
} else {
isMockLocation = !android.provider.Settings.Secure.getString(mContext.getContentResolver(), "mock_location").equals("0");
}
} catch (Exception e) {
return false;
}
return isMockLocation;
}

After you have this permission, you can now change the GPS and Network position. By the way, you could get the latitude and longitude from

EditText

or enter the hardcoded ones, in our demo app we added two options: to enter the coordinates or pin your point on the map. Here’s the code example of a mock setting function:

拥有此权限后，您现在可以更改GPS和网络位置。 顺便说一句，您可以从

EditText

获取纬度和经度，或者输入硬编码的纬度和经度，在我们的演示应用程序中，我们添加了两个选项：输入坐标或将点固定在地图上。 这是模拟设置功能的代码示例：

private void setMock(String provider, double latitude, double longitude) {
mLocationManager.addTestProvider (provider, false, false, false, false, false, true, true, 0, 5);

Location newLocation = new Location(provider);

newLocation.setLatitude(latitude);
newLocation.setLongitude(longitude);
newLocation.setAltitude(3F);
newLocation.setTime(System.currentTimeMillis());
newLocation.setSpeed(0.01F);
newLocation.setBearing(1F);
newLocation.setAccuracy(3F);
newLocation.setElapsedRealtimeNanos(SystemClock.elapsedRealtimeNanos());
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O)
{
newLocation.setBearingAccuracyDegrees(0.1F);
newLocation.setVerticalAccuracyMeters(0.1F);
newLocation.setSpeedAccuracyMetersPerSecond(0.01F);
}
mLocationManager.setTestProviderEnabled(provider, true);

mLocationManager.setTestProviderLocation(provider, newLocation);
}

As you can see, there are a lot of different parameters that you customize yourself and understand why you are using exactly these. In our case, after many test cases, we decided that these parameters would be the most suitable and left them. For canceling your custom location, you can remove test providers.

如您所见，您可以自定义许多不同的参数，并了解为什么要使用这些参数。 在我们的案例中，经过许多测试案例，我们认为这些参数是最合适的，并保留了下来。 要取消自定义位置，可以删除测试提供者。

mLocationManager.removeTestProvider(LocationManager.GPS_PROVIDER);
mLocationManager.removeTestProvider(LocationManager.NETWORK_PROVIDER);

BLE和WiFi，与Google作战 (BLE and WiFi, and battle with Google)

As I said above, to improve the results of your position, there could be used BLE and WiFi signals near you. And in this case, all your efforts may be in vain. At the same time, it’s important to note that you can’t replace BLE and WiFi signals in any way, so this data will definitely be accurate unless you use third-party devices that will help provide custom signals.

就像我上面说的，要改善您的排名结果，您附近可能会使用BLE和WiFi信号。 在这种情况下，您的所有努力可能都是徒劳的。 同时，请务必注意，您不能以任何方式替换BLE和WiFi信号，因此，除非您使用有助于提供自定义信号的第三方设备，否则此数据绝对准确。

Screenshot from my device 我设备上的屏幕截图

However, this is already too complicated a path and there’s no need for an ordinary user to delve into it. There is a much easier way — you can disable the ability to use these signals in the “Improve Accuracy” section in your phone’s settings.

但是，这已经太过复杂了，不需要普通用户去研究它。 有一种更简单的方法-您可以在手机设置的“提高准确性”部分中禁用使用这些信号的功能。

There is one more difficulty. It’s not enough for you to change your provider only once, because on the same Google maps your point will quickly return to its real position. This is because they often update the provider’s network and the data of your custom provider will be destroyed. So, you have to apply a trick — for example, adding data from a test provider with a certain frequency so that Google does not have time to replace it with a real one.

还有另外一个困难。 仅更改一次提供商是不够的，因为在同一张Google地图上，您的观点将Swift返回其实际位置。 这是因为它们经常更新提供商的网络，并且您的自定义提供商的数据将被破坏。 因此，您必须运用技巧-例如，以一定频率添加来自测试提供商的数据，以使Google没有时间用真实的数据替换它。

结论 (Conclusion)

We’ve developed a demo application for testing purposes, which will also continue to work in the background and change your location to the one you want. You can use it or peek at the code if you are going to create your fake GPS application. You can find more details and demo APK in our GitHub repository.

我们已经开发了一个演示应用程序用于测试目的，该应用程序还将继续在后台运行，并将您的位置更改为所需的位置。 如果您要创建伪造的GPS应用程序，则可以使用它或查看代码。 您可以在我们的GitHub存储库中找到更多详细信息并演示APK。

Summing up, I would like to say that we’re against surveillance and any actions that may affect people’s personal space.

总结一下，我想说我们反对监视以及任何可能影响人们的个人空间的行为。

翻译自: https://medium.com/better-programming/how-to-fake-your-location-programmatically-and-avoid-being-tracked-by-companies-37447ec8f740

避免日志伪造漏洞