Skip to content

Track geolocation for mobile devices

Tracking mobile device geolocation enhances risk assessment and helps build a continuous risk profile that takes into account current and previous locations of the user, their travel patterns, etc.

Fraud Prevention mobile SDKs support geolocation reporting in two separate ways: initialization-based reporting, when location events are enabled during SDK initialization, and action-based reporting, when the app explicitly calls triggerAction(). These paths use different configuration points: the initialization-based path is configured at SDK startup, while the action-based path is configured in the triggerAction() call. In both flows, geolocation data is reported to Mosaic and taken into account for risk analysis.

Use cases

Collecting precise device geolocation data can significantly enhance risk analytics for:

  • Account takeover detection: Helps detect account takeover or credential compromise in real time. For example, a user attempts to log in from a location that deviates significantly from their usual behavior (e.g., logging in from Europe just minutes after accessing the app from the US) — could be a sign of an account compromise.

  • High-risk actions monitoring: Helps assess the legitimacy of sensitive actions, such as high-value transactions. For example, a credit card charge from a foreign country immediately after a local transaction may indicate fraud.

  • Location-aware access policies: Helps restrict access to an app based on geographic rules. For example, allow access to the corporate app only within company premises or limit access to the financial app to compliant regions.

Precise device geolocation is considered Personally Identifiable Information (PII). To avoid legal and compliance issues, your app must explicitly obtain the user's consent before requesting OS permissions to collect geolocation data.

When requesting OS permissions, inform users about the purpose, i.e., why and when their location will be collected before requesting permission.

Important

Make sure to implement proper consent management and permissions handling in your app.

Android

Your app should request and grant OS permissions to collect location data. The permissions have to be added to AndroidManifest.xml inside the <manifest>.

  • android.permission.ACCESS_COARSE_LOCATION
  • android.permission.ACCESS_FINE_LOCATION: Optional, provides more precision

See more in Android documentation.

iOS

Your app should request and grant either of the following OS permissions to collect location data. Add the relevant key to Info.plist together with a usage description that explains why the app requests location access.

  • NSLocationWhenInUseUsageDescription key: "Allow while using app", provides access to location data only when your app is in the foreground.
  • NSLocationAlwaysAndWhenInUseUsageDescription key: "Allow always", provides access to location data even when your app is in the background (requires extra plist key and background mode).

See more in Apple developer documentation.

iOS background behavior

For the SDK flow described in this guide, location collection is still lifecycle-based. Even if your app has "Allow always" permission, the SDK doesn't collect location while the app is backgrounded.

Geolocation data

Fraud Prevention mobile SDKs collect device geolocation using the device's Wi-Fi, GPS, and cellular signals. Reported data can include latitude, longitude, accuracy, altitude, provider, permissions, error, and recordedAt.

FieldTypeDescription
latitudestringThe geographic latitude of the device, expressed in decimal degrees as a string (for example, "32.0853").
longitudestringThe geographic longitude of the device, expressed in decimal degrees as a string (for example, "34.7818").
accuracystringThe estimated horizontal accuracy in meters, represented as a string (for example, "18.0").
altitudestringThe altitude of the device in meters above the WGS 84 reference ellipsoid, represented as a string (for example, "23.5"). May not be available on all devices.
providerstringThe specific device location API used by the SDK to obtain location data.
Android: GMS_FUSED_PROVIDER, ANDROID_LOCATION_MANAGER_GP_PROVIDER, ANDROID_LOCATION_MANAGER_NETWORK_PROVIDER
iOS: IOS_CORE_LOCATION
permissionsstring[]The permissions or authorization level available to the SDK when collecting location data.
Android: ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION
iOS: authorizedWhenInUse, authorizedAlways
errorstringThe location collection error when one occurs. Otherwise, this field is null.
recordedAtnumberThe UTC timestamp, in epoch milliseconds, when the location was recorded.
Android provider path

On Android, the SDK detects Google Play Services at runtime. On GMS devices, it uses FusedLocationProvider with balanced-power accuracy. On non-GMS devices, it falls back to android.location.LocationManager. Because of this, location accuracy and latency can differ between Android devices.

The reported geolocation data can represent:

  • Device last known location: the most recent location that was recorded. This location could be recorded by other apps.
  • Device current location: the most up-to-date location of the device. This is done by actively querying the device's location APIs through the Fraud Prevention SDK.

Geolocation reporting configuration

By default, Fraud Prevention mobile SDKs use the following settings for collecting and reporting device geolocation:

SettingDescriptionDefault value
defaultIntervalThe time interval during which a location is considered valid for reporting. Possible values:
• ForceCurrent: Always report the current location (real-time retrieval).
• ForceLastKnown: Always report the last known location.
• LastKnown (with any positive number): Report the last known location if it was obtained within the last X minutes. Otherwise, report the current location (real-time retrieval). For example, if set to 60, a location collected 30 minutes ago is considered valid and will be reported to Mosaic.
ForceCurrent
triggerActionQueryTimeoutMaximum time (in milliseconds) to get the location when triggered by a triggerAction() SDK call. Falls back to the last known location if exceeded.1500
defaultInterval

defaultInterval is a tenant-level default that controls how the SDK chooses between current and last known location. It isn't passed in the SDK initialization configuration shown later in this guide. To change it, contact Transmit Security.

For action-based reporting, use the table below as the default reference per action type. Mosaic fine-tunes default collection settings per action type triggered by Fraud Prevention mobile SDKs:

ActionReturns by default
loginCurrent location (real-time retrieval)
registerCurrent location (real-time retrieval)
transactionCurrent location (real-time retrieval)
checkoutCurrent location (real-time retrieval)
password_resetCurrent location (real-time retrieval)
logoutLast known location
account_details_changeCurrent location (real-time retrieval)
account_details_viewCurrent location (real-time retrieval)
account_auth_changeCurrent location (real-time retrieval)
withdrawLast known location
credits_changeCurrent location (real-time retrieval)
Note

To create a custom default configuration for your tenant, including custom timeouts and default intervals per specific actions, please contact Transmit Security.

Initialization-based reporting

Use this path when location events are enabled during SDK initialization. It also supports backend-triggered mobile integrations that later use the device session. The location available to the backend-triggered action can come from the initial SDK startup or from a later foreground / active collection attempt.

The sequence below summarizes initialization-based reporting for both the initial SDK startup and later foreground / active collection attempts.

Customer backendMosaiciOS/Android location APIsMobile SDKMobile appCustomer backendMosaiciOS/Android location APIsMobile SDKMobile appalt[Permissions granted][Permissions missing]On later foreground / active events,the SDK repeats the same collection flowinitialize(enableLocationEvents: true)Check location permissionsCollect locationLocation data or errorSend location eventSend location event with error and no coordinatesGet session tokenSend session tokenTrigger action API (optional get_recommendation=true)Risk evaluation using device session data
Customer backendMosaiciOS/Android location APIsMobile SDKMobile appCustomer backendMosaiciOS/Android location APIsMobile SDKMobile appalt[Permissions granted][Permissions missing]On later foreground / active events,the SDK repeats the same collection flowinitialize(enableLocationEvents: true)Check location permissionsCollect locationLocation data or errorSend location eventSend location event with error and no coordinatesGet session tokenSend session tokenTrigger action API (optional get_recommendation=true)Risk evaluation using device session data

To use this pattern:

  • Initialize the mobile SDK with enableLocationEvents set to true.
  • Obtain a device session token from the SDK.
  • Pass that session token to your backend, which then calls the Trigger action API, optionally with get_recommendation=true.

Any location collected during SDK initialization is stored in the device session and is available when the backend later triggers the action. This backend flow is the same session-token-based pattern described in the Backend API quick start.

Important

The get_recommendation API response currently exposes IP-based location data, not the device geolocation collected by the mobile SDK. Device geolocation can still be collected and used internally by the risk model for scoring, even though device GPS coordinates aren't surfaced in the recommendation payload returned to the customer. Do not interpret the absence of device geolocation in the response as a collection failure.

Enable location events during SDK initialization

Fraud Prevention mobile SDKs support reporting the device location during initialization. This flow is enabled only if the enableLocationEvents variable is set to true in the SDK initialization configuration. The collection method is determined by the defaultInterval value in the geolocation reporting configuration. The triggerAction() examples later in this guide use a separate, action-based configuration path.

For the full platform-specific SDK initialization steps, see the iOS quick start, Android quick start, and React Native quick start.


val enableLocationEvents: Boolean = true // If not set, default value is false
val configuration = TSInitSDKConfiguration(enableLocationEvents = enableLocationEvents)

TSAccountProtection.initialize(
    context = this,
    baseUrl = baseUrl,
    clientID = clientId,
    configuration = configuration
)

Post-init behavior

After initialization, location collection is lifecycle-based rather than interval-based. The SDK attempts a fresh location collection when the app returns to the foreground or becomes active, and it doesn't continue collecting location while the app is backgrounded. This path uses one-shot collection requests rather than continuous location monitoring.

At each collection attempt, the SDK checks the current location authorization state. If fresh location retrieval fails, the SDK falls back to the last known location when available; otherwise, it reports an error. If location permissions are missing, the SDK still sends the location event with an error and without coordinate data, and it doesn't fall back to a stale last known location. There is no automatic retry mechanism. Once permissions are restored, the next normal collection attempt succeeds.

If the user moves after initialization, the SDK picks up the updated location on the next foreground or active collection attempt. It doesn't use significant-location-change monitoring, geofencing, or motion-based triggers for this flow.

Android accuracy caveat

On Android, post-init behavior is the same lifecycle-based flow, but location quality can vary by device. GMS devices use FusedLocationProvider with balanced-power accuracy (PRIORITY_BALANCED_POWER_ACCURACY, typically cell towers and Wi-Fi rather than GPS). Non-GMS devices, such as Huawei devices without GMS, fall back to android.location.LocationManager.

Action-based reporting

Fraud Prevention mobile SDKs also support reporting device location when an action event is triggered from the client. This section applies when your mobile app explicitly calls triggerAction(). The location is reported based on the TSLocationCollectionMode object specified in the triggerAction() SDK call. The default mode falls back to the default geolocation reporting configuration.

Reporting the current location for an action event requires the SDK to query the device's location APIs in real time, which may delay the triggerAction() call to Mosaic.

The SDK applies the following logic when reporting location: if querying the current location takes longer than the query timeout (1500 ms by default), the SDK falls back to reporting the last known location to Mosaic.

In the example below, for a checkout event, the SDK reports a device location captured within the last 30 minutes.

val locationCollectionMode: TSLocationCollectionMode = TSLocationCollectionMode.LastKnown(validFor: 30)
/* Can be one of the following:
* Default: falls back to default configuration
* Disabled: doesn't report location
* ForceCurrent: real-time retrieval
* ForceLastKnown: reports the last captured location
* LastKnown(validFor: Int): reports last known location if captured within last X minutes
*/
val locationConfig: TSLocationConfig = TSLocationConfig(mode = locationCollectionMode)

TSAccountProtection.triggerAction(
  "checkout",
  locationConfig,
  object : ITransmitSecurityTriggerActionEventCallback {
      override fun onResponse(transmitSecurityTriggerActionResponse: TransmitSecurityTriggerActionResponse) {
          // TODO
      }
      override fun onFailed(error: TransmitSecurityAccountProtectionError) {
          // TODO
      }
    }
  )

Verify location is flowing

You can verify that device geolocation is being collected and sent without waiting for the recommendation response.

Look for SDK log lines similar to the following:

PlatformExample log line
iOSriskID: [location]: Location sent successfully (device event): TSGeoLocationData(latitude: ..., longitude: ..., accuracy: ..., altitude: ...)
AndroidriskID [location]: Location sent successfully (device event): GeolocationData(latitude=..., longitude=..., altitude=..., accuracy=..., recordedAt=..., provider=GMS_FUSED_PROVIDER, permissions=[...], error=null)

If you see these log lines, the SDK is collecting location data on the device and sending it to Mosaic.

If the logs don't appear, check the following:

  • enableLocationEvents is set to true in the SDK initialization configuration.
  • The app has the required OS location permissions.
  • Location services are enabled on the device.
  • The app has returned to the foreground or become active after initialization, or has triggered a client-side action that requests location.