Ionic 4 How to prevent time cheat with GPS timestamp

Hi Everyone. I have an app that needs to track not only the location of a user but also the time for doing a certain action. The problem I’m having is that if I change the time of the phone then the app shows that time instead of the real one.

I’m trying to prevent the user from cheating in this way and to obtain the real time based on their location, so for this I’ve read that I can obtain the timestamp, besides the position, when getting the location through the Geolocation plugin.

What I see is that if I change the device time, then when pulling the location of the user the timestamp received matches the one from the device and not from the user’s location - which doesn’t seem right.

This is happening on Android at the moment. I will check it on iOS and update this post based on my findings if this also happens there.

Is this a bug or is it the actual way this works? Is there a way to prevent the user from cheating by changing the time of their device? Thanks a lot!

Looks to me like the timestamp that comes with Geolocation just represents what time the device thought it was when that location was recorded - I don’t think it’s any sort of magical timestamper-in-the-sky.

No. An important rule of mobile app security is that anything you don’t trust the user with must be done outside of the app (generally on a network-connected server that you do control). If the user controls the execution environment (which they do in mobile deployment situations), your app can’t rely on anything from that environment. Time is only part of your problem - users can spoof GPS location information as well.

Thanks for your response! This seems completely logical. What I’m trying now is to use Google’s TimeZone API, pulling a timestamp for the user’s location and then parsing it to check if there are differences. I still need to check it out more deeply, but so far it seems like a solution. Although it is not ‘free’, the pricing seems really low, so it’s a viable and trusted option imho.

Might be a little late to the party, but I had to deal with the same problems when I had to develop a time-tracking app that was supposed to work offline.
I solved it like this:
Each time the app is opened, the user is required to have an internet connection in order to sync his data with the server.
With that sync, the server time gets fetched and stored locally.
Then I use the Uptime API to get and store the device’s uptime.

Now whenever the user tries to register a booking, I do the following calculation:
([now] - [servertime]) - ([uptime now] - [stored uptime])
This gives me the difference between the device’s time and the servertime.
This solution certainly isn’t perfect, but it works pretty well (plus it works on Android and iOS).
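
The calculation from the post above, as an added example that is not part of the original thread: plain JavaScript with hypothetical function names, where the caller supplies the server time fetched at sync and the uptime readings, all in milliseconds. It also covers the case where uptime has restarted since the sync, which makes the stored values unusable.

```javascript
// Added example; function and field names are hypothetical.
// All times are milliseconds. Uptime readings are assumed to come from
// whatever uptime plugin the app uses; they are passed in by the caller.

// Store this at every successful sync with the server.
function makeAnchor(serverTimeMs, uptimeMs) {
  return { serverTimeMs, uptimeMs };
}

// Evaluate the device clock when the user registers a booking.
function checkClock(anchor, deviceNowMs, uptimeNowMs, toleranceMs = 5000) {
  const elapsedUptimeMs = uptimeNowMs - anchor.uptimeMs;

  // Uptime is lower than at sync: the device rebooted, so the elapsed
  // time since the anchor is unknown and a new sync is needed.
  if (elapsedUptimeMs < 0) {
    return { status: 'resync-required', trustedNowMs: null, driftMs: null };
  }

  // Server time at sync plus time elapsed on the uptime counter.
  const trustedNowMs = anchor.serverTimeMs + elapsedUptimeMs;

  // ([now] - [servertime]) - ([uptime now] - [stored uptime])
  const driftMs = (deviceNowMs - anchor.serverTimeMs) - elapsedUptimeMs;

  const status = Math.abs(driftMs) > toleranceMs ? 'clock-changed' : 'ok';
  return { status, trustedNowMs, driftMs };
}

// Constructed sample values: sync at server time 1700000000000 with the
// device up for 10 minutes; the booking happens 60 seconds later.
const sampleAnchor = makeAnchor(1700000000000, 600000);
const FOUR_HOURS_MS = 4 * 60 * 60 * 1000;

const honest = checkClock(sampleAnchor, 1700000060000, 660000);
const setBack = checkClock(sampleAnchor, 1700000060000 - FOUR_HOURS_MS, 660000);
const rebooted = checkClock(sampleAnchor, 1700000060000, 30000);

console.log(honest.status, setBack.status, setBack.driftMs, rebooted.status);
```

The result is still computed on a device the user controls, so the server should treat it as a claim and re-check it at the next sync.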

I must be missing something here, but wouldn’t it be easier for the app start “phone home” to just include whatever it thinks of as “now” using something like new Date()?

When the app starts and the user has altered the device’s time, that’s gonna be a problem.
I’m afraid it seems like this is almost as close as you can get to having a working offline app while preventing the user from modifying the device’s time.

If that’s a response to me, I’m not seeing how what you described is functionally different. If the user sets the clock back 4 hours, and then starts the app, the app phones home with a time that is 4 hours before the server time, so the server knows how much to offset intervening time claims by. If the device clock then jumps forward 2 hours, the next time the app phones home, the server knows the skew has changed and can behave accordingly.

I forgot to mention that when the user starts the app, the server is fetched and compared with the device time. If there’s a difference, the app will be shut down and the user has to change the time accordingly.

I’ve tried to use s1lviu/cordova-plugin-uptime (a Cordova plugin which provides system uptime) with Capacitor, but without success. Is there any uptime plugin that works on iOS and Android, or some way to read the device uptime with Ionic and Capacitor?

Thanks.

Solved… simply use:

 import { Uptime } from '@ionic-native/uptime/ngx';