[HN Gopher] FakeTraveler: Fake where your phone is located (Mock...
___________________________________________________________________
FakeTraveler: Fake where your phone is located (Mock location for
Android)
Author : thunderbong
Score : 138 points
Date : 2024-07-31 04:30 UTC (18 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| SideburnsOfDoom wrote:
| Does this fool the android app store regarding current country,
| or is that based off who is currently providing Mobile phone
| signal?
| sofixa wrote:
| As someone who has had to trick Google Play store country, it's
| a bit more complicated than that.
|
| You can only change the Google Play country setting once a
| year. You can only change it if Google determine you to be
| located physically in that country. Based on my testing, the
| only combination I could use to trick them was:
|
| * no SIM in the phone
|
| * Wi-Fi connected to another phone's hotspot which is VPNing to
| the desired country
|
| * GPS off
|
| * payment method in the desired country
|
| That way Google have no way of knowing you're not actually in
| the desired country. Just certain parts (even including a SIM
| card in roaming originally from desired country didn't work)
| weren't enough.
| extraduder_ire wrote:
| Why did you need to trick google play into using a different
| country?
| LoganDark wrote:
| Some apps are only available in certain countries, and some
| countries have more favorable prices when exchanging from
| USD (or etc.).
| sofixa wrote:
| Apart from what the sibling comment mentions (certain apps
| not being available in the country you're in as far as
| Google Play is concerned), there's also family sharing app
| plans that are sometimes geofenced (everyone on the same
| family plan needs to live in the same country which is not
| how my family works so it doesn't work for me).
| vachina wrote:
| You can install region specific APK and use Aurora store
| to manage the updates.
| yunohn wrote:
| Sometimes when traveling, local apps are restricted to
| their country's App/Play store. Really annoying!
| Mo3 wrote:
| Google's knowledge of your location is much more detailed than
| only your phones GPS location.
|
| - Billing addresses for Google Play
|
| - Wifi and cellular networks seen by your Android devices
|
| - IP addresses and other identifiers of all devices you used to
| access Google services (mobile and web)
|
| - GPS metadata in pictures uploaded to Google Images and Drive
|
| - Documents with addresses such as bills in your Google Drive
| and Gmail
|
| And probably much more that I can't think of right now.
|
| The Google Play store country however can be changed once per
| year, but you need a valid billing method originating from this
| country.
| nanomonkey wrote:
| From a conversation with a Google employee, they also know
| what floor of a building you're in from the accelerometer and
| barometric pressure sensor. Probably even which direction
| you're facing from the compass.
| pards wrote:
| I tried this using Fake Traveller and it didn't work.
|
| - Installed Fake Traveller
|
| - Set Fake Location App
|
| - Set location to Sydney, Australia
|
| - Open Play Store
|
| - Search for ANZ Shield (Australian banking app)
|
| Result: App not available in my region :(
| BLKNSLVR wrote:
| Combine it with a VPN with an exit in Australia and you might
| have better luck. IP addresses are pretty standard for geo-
| fencing as well.
| dewey wrote:
| Aren't almost all app stores linked to the billing country
| (Country of credit card) for tax reasons alone?
| Ambroos wrote:
| The easiest way is to just have multiple accounts, ideally with
| payment methods/phone numbers for the relevant country. My
| primary account is locked to Belgium because of family sharing,
| but I have a separate US one with a US CC I made when I lived
| there. And a separate Swedish one with a Swedish CC because I
| live in Sweden now. I can just switch between the accounts in
| the Play Store and have apps from all three installed and auto-
| updating at all times.
| rootsudo wrote:
| This doesn't work anymore because since android 9 or so, there is
| an api feature that allows any app to query if mock location is
| enabled. You need to be rooted to disable that "feature."
|
| I use it to gamify (not games or such -) a lot of things, but
| it's also used for "fraud" or such, one thing when I was
| researching was that Pokemon go users do this. I just do it for
| geoarbritage pricing - without a play account on google phones.
| IMO I don't think google play follows geographic pricing like
| apple does with their store (address/credit card in other
| geographic region)
|
| Coincidentally it's harder to do the above on an iPhone.
| BLKNSLVR wrote:
| I've done it for Pokemon Go. There are (were, it's been a
| while) pretty specific setup steps required, and it changed
| over the course of a couple of years as Android changed things
| up.
|
| One of the older methods worked, but semi-required the back of
| the phone to have aluminium foil on it so that the real GPS
| signal wouldn't get through and "rubberband" you back to your
| actual location, earning a soft-ban. I had more than one phone
| with a couple of layers of alfoil between the phone and the
| case.
|
| There was another method that required a specific version of
| Google Play Services, so that root wasn't necessary. I think.
|
| Also had to rename the FakeGPS app, and use Magisk Hide
|
| Good times. I enjoyed "seeing if I could" more than the actual
| fruits of the labour.
| ramonverse wrote:
| Afaik nearby wifi networks are also used to determine location.
| As long as you have wifi activated Google can use this to
| determine where you are. I don't know if they use this as a hard
| check.
|
| The only way I can think of to prevent this is to build a faraday
| cage with a wired vpn router and your phone inside.
| autoexec wrote:
| nearby wifi networks, nearby cell phones, and also bluetooth
| devices. Even in airplane mode your phone is looking for
| beacons and keeping track of your location. Even when you turn
| your phone off entirely it doesn't give up
| (https://www.androidpolice.com/android-15-powered-off-
| finding...)
| sadboi31 wrote:
| They want accelerometer, temperature and other sensor data
| too where possible. Not just information on the strength of
| the wifi/cellular signal (and your estimated location). SIM
| cards can do the most on qualcomm devices.
|
| Poking into both of these systems outside of a lab is
| definitely a violation of the law ordinarily and it's pretty
| hard to test this in a lab.
| fsflover wrote:
| This is why I use a smartphone with hardware kill switches for
| WiFi and modem.
| ksp-atlas wrote:
| Librem 5?
| fsflover wrote:
| Yes.
| reginald78 wrote:
| Don't forget bluetooth.
| immibis wrote:
| Usually it's the same chip that does wifi.
| fsflover wrote:
| Exactly.
| pogue wrote:
| I just saw this yesterday about losing Authy for 2FA on non-
| official Android devices w/o play services. I'm curious how
| phones like this are handling that.
|
| https://arstechnica.com/gadgets/2024/07/loss-of-
| popular-2fa-...
| fsflover wrote:
| You can run Android apps with Waydroid, but you can't
| overcome the DRM. You have to complain that you run an
| alternative OS, which has a right to exist.
| pogue wrote:
| So you can still access 2FA through non-official Android
| builds.... or no?
| fsflover wrote:
| Yes, unless these apps require the "safety"-net.
| kmeisthax wrote:
| Google isn't banning hardware killswitches in their
| compatibility definition, so a phone with such switches can
| still ship Play Services.
|
| The main stumbling block here is that Google wants to tie
| users' hands in certain aspects, and many of these OSes are
| specifically designed to undo that control. GrapheneOS does
| a bunch of stuff to improve security that absolutely could
| be incorporated into a Play Integrity authorized build. But
| it also does a bunch of stuff in the name of user privacy
| that Google would never sign off on.
|
| For example, there are apps[1] that refuse to work without
| a GPS lock, for a variety of reasons ranging from "I save
| money on streaming rights by only letting you watch in a
| specific country" to "I need to know if you're a criminal
| trying to stuff our banking app with stolen credentials in
| a foreign country we can't prosecute you in". Some of these
| reasons are pro-user, some are user-hostile[0], but all of
| them require handcuffing the user, so Android cooperates
| with app developers instead of you.
|
| All the _permitted_ ways for a user to manipulate their
| location are transparent to the application. That is, if
| you mock your location, the application is told it 's fake
| and can refuse it. Likewise, if you turn off location, the
| application is told it didn't get a fix. Hardware
| killswitches are just a more powerful / legible way to turn
| off location. If the phone instead had a hardware GPS
| signal spoofer in it, Google would absolutely ban it from
| Play Integrity.
|
| [0] And, for the user-hostile reasons, _those are the terms
| of sale_ , so Google cooperating with the user would just
| get the app taken away because the entertainment
| conglomerates are big enough to oppose Google's market
| power.
|
| [1] Client and server inclusive, i.e. "an app is just a
| website with enough IP to make it a felony to block ads in
| it". Play Integrity exists specifically to frustrate
| attempts to modify the client. If you modify the client or
| the OS it lives in, Play Integrity's signed data will have
| the wrong hashes in them, and the server will refuse
| service to you.
| kop316 wrote:
| This looks to use the dev options to fake it, which I believe
| bypasses the geolocation apps (as I assume the mock location is
| used for testing apps if they are in certain locations).
|
| That being said, I have tried this for banking apps, and they
| aren't fooled by it, so I am guessing Android passes on that
| this is a "mock" location, not a real one.
|
| Like you said, if you really want to fake it, probably a
| faraday cage/fake GPS would be necessary.
| amonon wrote:
| Yes, this is the case. I cannot remember the details, but the
| OS makes applications aware that location mocking is turned
| on.
| Ambroos wrote:
| You can just call .isMock() on the location object you
| receive: https://developer.android.com/reference/android/lo
| cation/Loc... - without root that can't be bypassed.
| Teever wrote:
| That's a pretty anti-user feature if you ask me.
|
| Especially for a device so personal as a smartphone.
|
| There needs to be legislation that prevents manufactures
| from overridinf the will of the user at the behest of app
| makers for devices like this.
| newaccount74 wrote:
| Having a smartphone provide a hard to fake location is a
| pretty valuable feature. A lot of businesses depend on
| the fact that location data is hard to fake.
|
| Consider caller ID - legislators around the world are
| working on making it harder to spoof your identity,
| because there's so much fraud going on with fake caller
| IDs.
|
| It's the same with location. Being able to easily fake
| location would open the door to so many frauds...
| dmichulke wrote:
| So how do you stop Google or Samsung from using your
| location data without your consent?
|
| - Not using GPS? Not an option because you need it
|
| - Disabling permissions? Not possible for "system apps"
|
| - Having the 10% privacy aware people block location
| somehow (via rooted phone or different distribution)?
| That doesn't help the other 90%.
|
| IMO the only solution is to poison the data with fake
| locations.
|
| Are there other options I missed?
| Teever wrote:
| > A lot of businesses depend...
|
| Do I care? Like not to be glib but as an end user buying
| a phone for my personal uses, I dont care about their
| businesses and I loathe the idea that their business
| model requires such an anti feature to be widely deployed
| in personal devices such as smart phones.
|
| Tell you what. I have a business model that requires your
| personal location data. Be a dear and send it to me.
|
| And again, why do I care about caller ID. It's been trash
| for years. I just never answer calls and use diffetent
| platforms such as Signal to communicate with my friends.
|
| It may open the door to so many frauds, but it opens the
| door to so many more abuses.
|
| People will talk about these 'features' differently the
| first time a large genocidal action takes place that
| makes use of this data.
| mindslight wrote:
| I fully agree with where you're coming from, but you kind
| of veered off with that last sentence. In general I think
| the threats from fine-grained surveillance databases are
| a lot more nuanced and pernicious than genocide.
| newaccount74 wrote:
| Ride hailing apps rely on the fact that both customers
| and drivers phones don't lie about their location.
|
| Mapping companies rely on the fact that their
| crowdsourced data is reliable.
|
| Emergency services rely on the fact that phones share
| accurate locations.
|
| Delivery companies require authentic location data from
| their agents.
|
| Apps that allow people to rent scooters or bicycles rely
| on non-fake location data.
|
| If you made it easy to provide fake location data, a lot
| of apps would suddenly have to deal with a whole new
| class of fraud. I just don't see how this would be a net
| beneficial change.
| nayuki wrote:
| > Apps that allow people to rent scooters or bicycles
| rely on non-fake location data.
|
| There's a way to fix this. Each bicycle can store a
| private key, and your phone needs to talk to the bike
| nearby to do a live challenge-response before you can
| rent it out.
| singleshot_ wrote:
| Quick question: how come every scumbag who calls my phone
| with a scam has a fake caller ID, but I shouldn't? Again,
| this seems pretty user-hostile.
| newaccount74 wrote:
| These scumbags shouldn't be able to have a fake ID, which
| is exactly what legislators in the US and the EU are
| currently trying to end.
| singleshot_ wrote:
| Well, if legislators are trying to fix it, I suppose I
| feel better about the user hostility. Good luck to the
| legislators, and thank god we have people like them!
| newaccount74 wrote:
| Well, legislators managed to abolish roaming fees within
| the EU, so maybe they'll manage to fix caller ID too.
| aftbit wrote:
| For the same reason that every movie ends up ripped on
| piracy sites, but you still can't watch Netflix in 4k on
| Firefox on Linux.
|
| DRM doesn't work because it only takes one person to
| bypass it to make a copy, and caller ID verification
| doesn't work because it only takes one janky provider
| that doesn't implement SHAKEN/STIR correctly and yet is
| worth too much money to totally block.
|
| FWIW I can still generate calls with arbitrary caller ID
| from a handful of my (legacy) ITSP providers, but if I
| get a new account today with any of them, they will
| require me to either verify each caller ID by receiving
| an inbound call or provide a "valid business
| justification" for why I can't do that. They are working
| on tightening up the pathways to generating fake caller
| IDs but in the telephony world, nothing moves fast and
| uptime is more important than anything, except maybe
| revenue, of which spam calls account for a ton.
| nayuki wrote:
| You're basically arguing for
| https://en.wikipedia.org/wiki/Trusted_Computing . You're
| saying that the manufacturer should have more power than
| the consumer, that the consumer cannot run arbitrary
| code, that the consumer cannot examine and disassemble
| the manufacturer's code.
|
| Even if the device is unmodified, you can still spoof GPS
| signals by generating them in a box: https://www.reddit.c
| om/r/electronics/comments/4unzp2/cheatin... ,
| https://www.youtube.com/watch?v=9mC71c6zRUE . That's why
| I think "trusted computing" is pointless.
| Zak wrote:
| We basically already have that on smartphones. Both
| Android and iOS have remote attestation, and a
| significant number of apps use it to refuse to run on
| devices with anything but an unmodified first-party OS.
|
| I was surprised there wasn't a bigger outcry over it in
| the tech world.
| aftbit wrote:
| As someone who habitually roots my Android phones, I'm
| always somewhat annoyed when I can't use features like
| tap-to-pay, but I'm really annoyed when apps refuse to
| start, especially when they are for things like
| McDonalds. I shouldn't need to have a known-trusted
| operating system to buy a burger.
| Zak wrote:
| Be sure to give them 1-star reviews.
|
| I've found that the Play Integrity Fix module for Magisk
| usually solves it, though there are a couple exceptions.
| They still earn a negative review for the attempt.
| Zak wrote:
| That the client isn't trustworthy is a pretty fundamental
| rule of network security. Attempts to circumvent that
| rule are making it so users can't trust their own
| devices, and that's a dark path to go down.
| nottorp wrote:
| > A lot of businesses depend on the fact that location
| data is hard to fake.
|
| You spelled "spammers and personal data spies" wrong and
| it somehow ended up as "businesses"...
| newaccount74 wrote:
| There are a lot of legitimate use cases that require
| reliable location data. I mentioned a few that I could
| think of in a sibling comment, but I'm sure there are
| more. Maybe you can come up with a use case for accurate
| location data yourself?
|
| Anyway, spammers and data brokers probably wouldn't care
| at all if say 10% of people spoofed their location. They
| don't really have a lot to lose if some of their data is
| incorrect.
| bongodongobob wrote:
| I think it might be a legal requirement for emergency
| services. I used to work a lot with VoIP and each line
| was required to have an address associated with it.
| Teever wrote:
| I'm fine with that, provided that there's sufficient
| oversight to prevent abuse.
|
| What I'm not fine with is one large corporation who makes
| phones baking this feature in so that other companies
| that make apps can profit off it. That's two parties
| conspiring to fuck over their customers.
|
| That needs to be regulated.
| ClassyJacket wrote:
| Also: screenshots. Firefox won't _allow_ me to screenshot
| a private window. It 's my damn phone and I should be
| able to screenshot or record whatever the hell I want.
| didsomeonesay wrote:
| Go to settings -> private browsing and enable "allow
| screenshots in private browsing".
| mindslight wrote:
| > _The only way I can think of to prevent this is to build a
| faraday cage with a wired vpn router and your phone inside._
|
| Another option is to not be running an operating system that
| betrays your interests. Google can only determine your location
| using nearby wifi networks if that list of nearby wifi networks
| has been given to Google through Android/Play backdoors. In
| fact _most_ privacy issues with phones boil down to running a
| malevolent OS - protecting against malicious application code
| is still a difficult problem, but it is at least tractable if
| you can trust the system code.
|
| (Personally I think the functionality of the OP should be
| included by default as part of the OS permission system, and
| configurable on a per-application basis)
| gorbypark wrote:
| At one point in time the Google street view vehicles were
| logging wifi position data as well. I don't know if they
| still do it, though.
| mindslight wrote:
| Sure, that's a related but different problem - cataloging
| the location of wifi APs versus inferring your personal
| location based on what APs your phone can see.
|
| Running user-representing software on your phone doesn't
| fix all problems everywhere, it just gives you a platform
| with which you can address them to the fullest extent
| possible.
| ape4 wrote:
| This app registers a location provider. Probably the phone
| wouldn't resort to using wi-fi networks if there is a location
| provider present. Probably, maybe.
| tauntz wrote:
| There are tens, if not hundreds of mock location provider apps
| available on Google Play and that feature has been supported on
| Android since Android 1.5 from 16 years ago. Just curious, why is
| this app, specifically, any different?
| SushiHippie wrote:
| It's open source and on F-Droid
|
| https://f-droid.org/packages/cl.coders.faketraveler/
| evanhughes wrote:
| I actually love F-Droid so much
| ctxc wrote:
| I know right? Doesn't feel HN worthy. I used to use these apps
| back when I played Pokemon Go and it would behave differently
| based on my location.
| lawlessone wrote:
| It's very very simple too. I made one that that just randomly
| changed the location within a specified area years ago. To
| learn the API. It didn't work very well. I wanted to grab the
| users actual location and offset it randomly. So a user could
| choose to degrade the accuracy of apps tracking their
| location.
|
| But once you've set it as at THE mock app you can't get your
| actual location to offset (maybe this has changed since.)
|
| despite my attempts to make sure it ran correctly in the
| background it would always stop working after a while. That
| was the hard part at the time , making anything run in the
| background without the phone killing the process or eating
| the battery.
| rminla wrote:
| 100%. i thought i was missing something
| thenbe wrote:
| The android development world is new to me, but I failed to
| find a good location mocker when I needed one recently. I tried
| a few of the popular ones. They were either filled to the brim
| with spam or broken in different ways (un-scrollable UI,
| generating then immediately swallowing their own permission
| prompts, and/or broken travel simulation).
|
| I would pay for an app that works properly, if only I could
| find one. Next time, I'll probably give this one a try.
| qwertox wrote:
| "Lockito - GPS itinerary faker" [0] is my go-to app when I need
| to test location features on Android.
|
| [0]
| https://play.google.com/store/apps/details?id=fr.dvilleneuve...
| stavros wrote:
| This looks great, thank you!
| captaincrunch wrote:
| This type of tool got me banned from Pokeman Go... gotta' collect
| them all!!
| MaXtreeM wrote:
| Always though that's the stupidest way to play the Pokemon Go.
| Maybe it made a little bit of sense in the beginning when small
| villages had almost no content but even than you just missing
| most aspects which make this game interesting. I guess that's
| the time we live in.
| BLKNSLVR wrote:
| It's true that playing in-the-flesh with a crew was the best
| way to play, but spoofing enabled both levelling up faster
| (which in turn helps the "with crew" outings) and bypassing
| impossible restrictions like increasing number of geo-locked
| critters.
|
| It does say "gotta collect 'em all" pretty clearly...
|
| However, I still remember the wave of people coming towards
| me when a Gyarados spawned right near me. I had some family
| with me who weren't playing (and therefore didn't know what
| was going on) and were quite intimidated by the sight of the
| approaching, stampeding crowd.
| prophesi wrote:
| It was a lot of fun to spoof my location to Central Park and
| actually be able to take on gyms while I lived in the sticks.
| Naturally I also turned off spoofing when I'd have the chance
| to visit a metro area.
| imp0cat wrote:
| I can absolutely see the appeal of spoofing one's location
| for Pokemon Go, but damn! This is exactly why we can't have
| nice things.
| kmeisthax wrote:
| Android tells apps if the location fix they get is spoofed, and
| this tool cannot fix that. I assume Niantic checks for that and
| has been doing so for years now, so you'd need root, plus a
| Play Integrity bypass, to do this.
| acheong08 wrote:
| I'm working on something similar for IOS by running MITM &
| spoofing the response from wloc (API used to determine location
| based on Wii routers and cell towers). I was surprised that GPS
| is rarely ever used and almost always substituted by APIs that
| expose your location to Apple/Google even if VPN is on
| PmTKg5d3AoKVnj0 wrote:
| When I was a teenager and wanted to go do boyish teenager things,
| like hang out at $ABANDONED_BUILDING, I used such apps to mock my
| location to the library, as my parents were tracking it using
| Life360.
| wormlord wrote:
| Oh God I forgot people's parents used to do that.
| vlachen wrote:
| According to my over-50 year old boss in regard to their
| grown kids, they still do. But it is symmetric nowadays, and
| has something to do with their faith.
| latexr wrote:
| > But it is symmetric nowadays, and has something to do
| with their faith.
|
| That raises more questions than it answers.
|
| "Thou shall spy on thy family's whereabouts no fewer than
| thrice hourly, and thou must use ReligionFamilyTracker(tm),
| at $19.99 per week, to do so."
| vlachen wrote:
| I won't ever claim that I understand it. As my tiny human
| says: "That's creeps."
| mrguyorama wrote:
| Is your boss the current Speaker of the House of
| Representatives who uses such parent-ware on his children's
| phones and claims that his child does the same so they can
| monitor each others (avoidance of) porn habits?
| vlachen wrote:
| No, but I'm sure my boss and Mr. Speaker would get along
| swimmingly.
| giancarlostoro wrote:
| Reminds me of the old FakeOperator for iOS from back in the day,
| where instead of it saying Sprint or Verizon you could make it
| say "CIA", "FBI", or even "Hacker" the joys of smartphone
| hacking.
| neilv wrote:
| So this location-setting app could be called SmoothOperator.
|
| As in the Sade song, "Coast to coast, LA to Chicago... across
| the north, and south to Key Largo..."
|
| https://www.youtube.com/watch?v=4TYv2PhG89A&t=1m19s
| therein wrote:
| That's a good name and a backstory.
| bdcravens wrote:
| There's a bunch of commercial apps to do the same for iPhone, but
| they all feel incredibly scammy (though I've tested a few, and
| they work fine). I'd love to find an open source option, or even
| a pointer to the requisite APIs.
| helsinki wrote:
| What are they called, please? I need this for Monster Hunter
| Now.
| mrguyorama wrote:
| GPS based games watch for this stuff as table stakes. They
| don't want you getting more "free" currency or items than you
| are normally expected to get because that screws with their
| profits
| jacooper wrote:
| This doesn't work, gmaps shows my actual location.
| notepad0x90 wrote:
| I'd be more interested to learn about how certain apps can detect
| gps faking, despite these apps trying their best to evade them.
| DANmode wrote:
| Barometer data?
|
| Cellular baseband info?
|
| [?] between reported locations exceeding some multiplier of a
| Google Maps reported trip length?
| beardyw wrote:
| I built a small ESP based device which collected Wifi data (mac
| addresses) enough to use the Google API and plot its course on a
| map after the event.
|
| It struck me it wouldn't be too hard to use the same device to
| replay the WiFi data back to the phone to make it think you were
| on that journey. It would also require shielding to avoid access
| to GPS and to the real WiFi access points around. Eminently
| doable though I would think.
___________________________________________________________________
(page generated 2024-07-31 23:01 UTC)