Tracking mobile device geolocation enhances risk assessment and helps build a continuous risk profile that takes into account current and previous locations of the user, their travel patterns, etc.
Fraud Prevention mobile SDKs support geolocation reporting in two separate ways: initialization-based reporting, when location events are enabled during SDK initialization, and action-based reporting, when the app explicitly calls triggerAction(). These paths use different configuration points: the initialization-based path is configured at SDK startup, while the action-based path is configured in the triggerAction() call. In both flows, geolocation data is reported to Mosaic and taken into account for risk analysis.
Collecting precise device geolocation data can significantly enhance risk analytics for:
Account takeover detection: Helps detect account takeover or credential compromise in real time. For example, a user attempts to log in from a location that deviates significantly from their usual behavior (e.g., logging in from Europe just minutes after accessing the app from the US) — could be a sign of an account compromise.
High-risk actions monitoring: Helps assess the legitimacy of sensitive actions, such as high-value transactions. For example, a credit card charge from a foreign country immediately after a local transaction may indicate fraud.
Location-aware access policies: Helps restrict access to an app based on geographic rules. For example, allow access to the corporate app only within company premises or limit access to the financial app to compliant regions.
Precise device geolocation is considered Personally Identifiable Information (PII). To avoid legal and compliance issues, your app must explicitly obtain the user's consent before requesting OS permissions to collect geolocation data.
When requesting OS permissions, inform users about the purpose, i.e., why and when their location will be collected before requesting permission.
Make sure to implement proper consent management and permissions handling in your app.
Your app should request and grant OS permissions to collect location data. The permissions have to be added to AndroidManifest.xml inside the <manifest>.
android.permission.ACCESS_COARSE_LOCATIONandroid.permission.ACCESS_FINE_LOCATION: Optional, provides more precision
See more in Android documentation.
Your app should request and grant either of the following OS permissions to collect location data. Add the relevant key to Info.plist together with a usage description that explains why the app requests location access.
NSLocationWhenInUseUsageDescriptionkey: "Allow while using app", provides access to location data only when your app is in the foreground.NSLocationAlwaysAndWhenInUseUsageDescriptionkey: "Allow always", provides access to location data even when your app is in the background (requires extra plist key and background mode).
See more in Apple developer documentation.
For the SDK flow described in this guide, location collection is still lifecycle-based. Even if your app has "Allow always" permission, the SDK doesn't collect location while the app is backgrounded.
Fraud Prevention mobile SDKs collect device geolocation using the device's Wi-Fi, GPS, and cellular signals. Reported data can include latitude, longitude, accuracy, altitude, provider, permissions, error, and recordedAt.
| Field | Type | Description |
|---|---|---|
latitude | string | The geographic latitude of the device, expressed in decimal degrees as a string (for example, "32.0853"). |
longitude | string | The geographic longitude of the device, expressed in decimal degrees as a string (for example, "34.7818"). |
accuracy | string | The estimated horizontal accuracy in meters, represented as a string (for example, "18.0"). |
altitude | string | The altitude of the device in meters above the WGS 84 reference ellipsoid, represented as a string (for example, "23.5"). May not be available on all devices. |
provider | string | The specific device location API used by the SDK to obtain location data. Android: GMS_FUSED_PROVIDER, ANDROID_LOCATION_MANAGER_GP_PROVIDER, ANDROID_LOCATION_MANAGER_NETWORK_PROVIDER iOS: IOS_CORE_LOCATION |
permissions | string[] | The permissions or authorization level available to the SDK when collecting location data. Android: ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION iOS: authorizedWhenInUse, authorizedAlways |
error | string | The location collection error when one occurs. Otherwise, this field is null. |
recordedAt | number | The UTC timestamp, in epoch milliseconds, when the location was recorded. |
On Android, the SDK detects Google Play Services at runtime. On GMS devices, it uses FusedLocationProvider with balanced-power accuracy. On non-GMS devices, it falls back to android.location.LocationManager. Because of this, location accuracy and latency can differ between Android devices.
The reported geolocation data can represent:
- Device last known location: the most recent location that was recorded. This location could be recorded by other apps.
- Device current location: the most up-to-date location of the device. This is done by actively querying the device's location APIs through the Fraud Prevention SDK.
By default, Fraud Prevention mobile SDKs use the following settings for collecting and reporting device geolocation:
| Setting | Description | Default value |
|---|---|---|
defaultInterval | The time interval during which a location is considered valid for reporting. Possible values: • ForceCurrent: Always report the current location (real-time retrieval). • ForceLastKnown: Always report the last known location. • LastKnown (with any positive number): Report the last known location if it was obtained within the last X minutes. Otherwise, report the current location (real-time retrieval). For example, if set to 60, a location collected 30 minutes ago is considered valid and will be reported to Mosaic. | ForceCurrent |
triggerActionQueryTimeout | Maximum time (in milliseconds) to get the location when triggered by a triggerAction() SDK call. Falls back to the last known location if exceeded. | 1500 |
defaultInterval is a tenant-level default that controls how the SDK chooses between current and last known location. It isn't passed in the SDK initialization configuration shown later in this guide. To change it, contact Transmit Security.
For action-based reporting, use the table below as the default reference per action type. Mosaic fine-tunes default collection settings per action type triggered by Fraud Prevention mobile SDKs:
| Action | Returns by default |
|---|---|
login | Current location (real-time retrieval) |
register | Current location (real-time retrieval) |
transaction | Current location (real-time retrieval) |
checkout | Current location (real-time retrieval) |
password_reset | Current location (real-time retrieval) |
logout | Last known location |
account_details_change | Current location (real-time retrieval) |
account_details_view | Current location (real-time retrieval) |
account_auth_change | Current location (real-time retrieval) |
withdraw | Last known location |
credits_change | Current location (real-time retrieval) |
To create a custom default configuration for your tenant, including custom timeouts and default intervals per specific actions, please contact Transmit Security.
Use this path when location events are enabled during SDK initialization. It also supports backend-triggered mobile integrations that later use the device session. The location available to the backend-triggered action can come from the initial SDK startup or from a later foreground / active collection attempt.
The sequence below summarizes initialization-based reporting for both the initial SDK startup and later foreground / active collection attempts.
To use this pattern:
- Initialize the mobile SDK with
enableLocationEventsset totrue. - Obtain a device session token from the SDK.
- Pass that session token to your backend, which then calls the Trigger action API, optionally with
get_recommendation=true.
Any location collected during SDK initialization is stored in the device session and is available when the backend later triggers the action. This backend flow is the same session-token-based pattern described in the Backend API quick start.
The get_recommendation API response currently exposes IP-based location data, not the device geolocation collected by the mobile SDK. Device geolocation can still be collected and used internally by the risk model for scoring, even though device GPS coordinates aren't surfaced in the recommendation payload returned to the customer. Do not interpret the absence of device geolocation in the response as a collection failure.
Fraud Prevention mobile SDKs support reporting the device location during initialization. This flow is enabled only if the enableLocationEvents variable is set to true in the SDK initialization configuration. The collection method is determined by the defaultInterval value in the geolocation reporting configuration. The triggerAction() examples later in this guide use a separate, action-based configuration path.
For the full platform-specific SDK initialization steps, see the iOS quick start, Android quick start, and React Native quick start.
val enableLocationEvents: Boolean = true // If not set, default value is false
val configuration = TSInitSDKConfiguration(enableLocationEvents = enableLocationEvents)
TSAccountProtection.initialize(
context = this,
baseUrl = baseUrl,
clientID = clientId,
configuration = configuration
)After initialization, location collection is lifecycle-based rather than interval-based. The SDK attempts a fresh location collection when the app returns to the foreground or becomes active, and it doesn't continue collecting location while the app is backgrounded. This path uses one-shot collection requests rather than continuous location monitoring.
At each collection attempt, the SDK checks the current location authorization state. If fresh location retrieval fails, the SDK falls back to the last known location when available; otherwise, it reports an error. If location permissions are missing, the SDK still sends the location event with an error and without coordinate data, and it doesn't fall back to a stale last known location. There is no automatic retry mechanism. Once permissions are restored, the next normal collection attempt succeeds.
If the user moves after initialization, the SDK picks up the updated location on the next foreground or active collection attempt. It doesn't use significant-location-change monitoring, geofencing, or motion-based triggers for this flow.
On Android, post-init behavior is the same lifecycle-based flow, but location quality can vary by device. GMS devices use FusedLocationProvider with balanced-power accuracy (PRIORITY_BALANCED_POWER_ACCURACY, typically cell towers and Wi-Fi rather than GPS). Non-GMS devices, such as Huawei devices without GMS, fall back to android.location.LocationManager.
Fraud Prevention mobile SDKs also support reporting device location when an action event is triggered from the client. This section applies when your mobile app explicitly calls triggerAction(). The location is reported based on the TSLocationCollectionMode object specified in the triggerAction() SDK call. The default mode falls back to the default geolocation reporting configuration.
Reporting the current location for an action event requires the SDK to query the device's location APIs in real time, which may delay the triggerAction() call to Mosaic.
The SDK applies the following logic when reporting location: if querying the current location takes longer than the query timeout (1500 ms by default), the SDK falls back to reporting the last known location to Mosaic.
In the example below, for a checkout event, the SDK reports a device location captured within the last 30 minutes.
val locationCollectionMode: TSLocationCollectionMode = TSLocationCollectionMode.LastKnown(validFor: 30)
/* Can be one of the following:
* Default: falls back to default configuration
* Disabled: doesn't report location
* ForceCurrent: real-time retrieval
* ForceLastKnown: reports the last captured location
* LastKnown(validFor: Int): reports last known location if captured within last X minutes
*/
val locationConfig: TSLocationConfig = TSLocationConfig(mode = locationCollectionMode)
TSAccountProtection.triggerAction(
"checkout",
locationConfig,
object : ITransmitSecurityTriggerActionEventCallback {
override fun onResponse(transmitSecurityTriggerActionResponse: TransmitSecurityTriggerActionResponse) {
// TODO
}
override fun onFailed(error: TransmitSecurityAccountProtectionError) {
// TODO
}
}
)You can verify that device geolocation is being collected and sent without waiting for the recommendation response.
Look for SDK log lines similar to the following:
| Platform | Example log line |
|---|---|
| iOS | riskID: [location]: Location sent successfully (device event): TSGeoLocationData(latitude: ..., longitude: ..., accuracy: ..., altitude: ...) |
| Android | riskID [location]: Location sent successfully (device event): GeolocationData(latitude=..., longitude=..., altitude=..., accuracy=..., recordedAt=..., provider=GMS_FUSED_PROVIDER, permissions=[...], error=null) |
If you see these log lines, the SDK is collecting location data on the device and sending it to Mosaic.
If the logs don't appear, check the following:
enableLocationEventsis set totruein the SDK initialization configuration.- The app has the required OS location permissions.
- Location services are enabled on the device.
- The app has returned to the foreground or become active after initialization, or has triggered a client-side action that requests location.