Track geolocation for mobile devices

Tracking mobile device geolocation enhances risk assessment and helps build a continuous risk profile that takes into account current and previous locations of the user, their travel patterns, etc.

Fraud Prevention SDKs enable you to get precise device location when a specific high-risk event is triggered (e.g., login or transaction) and report this data to Mosaic. The geolocation data then appears in recommendations returned by Mosaic and is taken into account for risk analysis.

Use cases

Сollecting precise device geolocation data can significantly enhance risk analytics for:

  • Account takeover detection : Helps detect account takeover or credential compromise in real time. For example, a user attempts to log in from a location that deviates significantly from their usual behavior (e.g., logging in from Europe just minutes after accessing the app from the US) — could be a sign of an account compromise.
  • High-risk actions monitoring : Helps assess the legitimacy of sensitive actions, such as high-value transactions. For example, a credit card charge from a foreign country immediately after a local transaction may indicate fraud.
  • Location-aware access policies : Helps restrict access to app based on geographic rules. For example, allow access to the corporate app within the company premises only or restrict access to financial app to the compliant regions.

User consent & OS permissions

Precise device geolocation is considered Personally Identifiable Information (PII). To avoid legal and compliance issues, your app must explicitly obtain the user's consent before requesting OS permissions to collect geolocation data.

When requesting OS permissions, inform users about the purpose, i.e., why and when their location will be collected before requesting permission.

Important

Make sure to implement proper consent management and permissions handling in your app.

Android

Your app should request and grant OS permissions to collect location data. The permissions have to be added to AndroidManifest.xml inside the <manifest>.

  • android.permission.ACCESS_COARSE_LOCATION
  • android.permission.ACCESS_FINE_LOCATION : Optional, provides more precision

See more in Android documentation.

iOS

Your app should request and grant either of the following OS permissions to collect location data. The key has to be added to Info.plist along with description that explains the permission usage.

  • NSLocationWhenInUseUsageDescription key: "Allow while using app", provides access to location data only when your app is in the foreground.
  • NSLocationAlwaysAndWhenInUseUsageDescription key: "Allow always", provides access to location data even when your app is in the background (requires extra plist key and background mode).

See more in Apple developer documentation.

Geolocation data

Fraud Prevention SDKs accumulate geolocation data from Wi-Fi, GPS, cellular services, including latitude, longitude, and altitude.

Field Type Description
Latitude string The geographic latitude of the device, expressed in decimal degrees (e.g., 32.0853).
Longitude string The geographic longitude of the device, expressed in decimal degrees (e.g., 34.7818).
Accuracy string The radius of 68% confidence around the location, indicating the estimated horizontal accuracy in meters (e.g., 18.0).
Altitude string The altitude of the device in meters above the WGS 84 reference ellipsoid (e.g., 23.5). May not be available on all devices
Provider string The specific OS location provider.
Android: GMS_FUSED_PROVIDER, ANDROID_LOCATION_MANAGER_GP_PROVIDER, ANDROID_LOCATION_MANAGER_NETWORK_PROVIDER
iOS: IOS_CORE_LOCATION
Permissions granted string[] The actual permissions granted by the user when collecting location data.
Android: ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION
iOS: NSLocationWhenInUseUsageDescription, NSLocationAlwaysAndWhenInUseUsageDescription
Record timestamp long The UTC timestamp (epoch milliseconds) when the location was recorded.

The reported geolocation data can represent:

  • Device last known location : the most recent location that was recorded. This location could be recorded by other apps.
  • Device current location : the most up-to-date location of the device. This is done by actively querying the location services.

Configuration

By default, Fraud Prevention SDKs use the following configuration for collecting and reporting location data:

Setting Description Default value
defaultInterval The time interval during which a location is considered valid for reporting. Possible values:
ForceCurrent: Always report the current location (real-time retrieval).
ForceLastKnown: Always report the last known location.
LastKnown (with any positive numnber): Report the last known location if it was obtained within the last X minutes. Otherwise, report the current location (real-time retrieval). For example, if set to 60, a location collected 30 minutes ago is considered valid and will be reported to Mosaic.		 ForceCurrent
triggerActionQueryTimeout Maximum time (in milliseconds) to get the location when triggered by a triggerAction() SDK call. Falls back to the last known location if exceeded. 1500

Mosaic fine-tunes default collection settings per each action type triggered by Fraud Prevention SDKs:

Action Returns by default
login Current location (real-time retrieval)
register Current location (real-time retrieval)
transaction Current location (real-time retrieval)
checkout Current location (real-time retrieval)
password_reset Current location (real-time retrieval)
logout Last known location
account_details_change Current location (real-time retrieval)
account_auth_change Current location (real-time retrieval)
withdraw Last known location
credits_change Current location (real-time retrieval)
Note

To create a custom default configuration for your tenant, including custom timeouts and default intervals per specific actions, please contact Transmit Security.

Report location when triggering events

Mobile SDKs support reporting device location when an action event is triggered. The location is reported based on the TSLocationCollectionMode object specified in the triggerAction() SDK call. The 'default' falls back to the default configuration.

In the example below, for a checkout event, the SDK reports a device location captured within the last 30 minutes.

KotlinSwift
Copy
Copied
val locationCollectionMode: TSLocationCollectionMode = TSLocationCollectionMode.LastKnown(validFor: 30)
/* Can be one of the following:
* Default: falls back to default configuration
* Disabled: doesn't report location
* ForceCurrent: real-time retrieval
* ForceLastKnown: reports the last captured location
* LastKnown(validFor: Int): reports last known location if captured within last X minites
*/
val locationConfig: TSLocationConfig = TSLocationConfig(mode = locationCollectionMode)

TSAccountProtection.triggerAction(
  "checkout",
  locationConfig,
  object : ITransmitSecurityTriggerActionEventCallback {
      override fun onResponse(transmitSecurityTriggerActionResponse: TransmitSecurityTriggerActionResponse) {
          // TODO
      }
      override fun onFailed(error: TransmitSecurityAccountProtectionError) {
          // TODO
      }
    }
  )
Copy
Copied
/* Can be one of the following modes:
* default: falls back to default configuration
* disabled: doesn't report location
* forceCurrent: real-time retrieval
* forceLastKnown: reports the last captured location
* lastKnown(validFor: int) reports last known location if captured within last X minites
*/
let collectionMode: TSLocationCollectionMode = .lastKnown(validFor: 30)

TSAccountProtection.triggerAction("[ACTION_TYPE]", locationConfig: .init(mode: collectionMode)) { result in
    switch result {
    case .success(let response):
        let token = response.actionToken
        // Handle response
    case .failure(_):
        // Handle error
        break
    }
}

Logic

SDK checks if the required OS permissions to collect location data were granted to the app. If not, the SDK initialization and action triggering will still succeed, but no geolocation data will be collected or reported to Mosaic.

When triggering an action, the SDK attempts to report geolocation based on the TSLocationCollectionMode specified in the triggerAction() call: the current location, the last known location, or a location obtained within the last X minutes.

If default is specified, the SDK first uses the default settings for the event type (e.g., login, transaction). For custom actions—or if no default is set for the event type—the SDK falls back to the general default settings.

No
Yes
Disabled
Default
ForceCurrent
ForceLastKnown
LastKnown
triggerAction()
Permissions granted?
Don't report location
TSLocationCollectionMode?
Proceed according to default config (ForceCurrent or ForceLastKnown)
Real-time retrieval
Report last known
Report last known if collected within last X minutes.

Reporting the current location for an action event requires querying geolocation services in real time, which may delay the triggerAction() call to Mosaic.

The SDK applies the following logic when reporting location: if querying the current location takes longer than the query timeout (1,500 ms by default), the SDK falls back to reporting the last known location to Mosaic.

ForceCurrent
ForceLastKnown
LastKnown
Yes
No
Timeout exceeded
Success, within timeout interval
Report location
What location?
Retrieve location in real-time
Report last known location
Any location captured in the X last minutes?
Report location captured less than X minutes ago
Report current location