Track geolocation for mobile devices
Tracking mobile device geolocation enhances risk assessment and helps build a continuous risk profile that takes into account current and previous locations of the user, their travel patterns, etc.
Fraud Prevention SDKs enable you to get precise device location when a specific high-risk event is triggered (e.g., login or transaction) and report this data to Mosaic. The geolocation data then appears in recommendations returned by Mosaic and is taken into account for risk analysis.
Use cases
Collecting precise device geolocation data can significantly enhance risk analytics for:
- Account takeover detection: Helps detect account takeover or credential compromise in real time. For example, a login attempt from a location that deviates significantly from the user's usual behavior (e.g., logging in from Europe just minutes after accessing the app from the US) could be a sign of an account compromise.
- High-risk actions monitoring: Helps assess the legitimacy of sensitive actions, such as high-value transactions. For example, a credit card charge from a foreign country immediately after a local transaction may indicate fraud.
- Location-aware access policies: Helps restrict access to the app based on geographic rules. For example, allow access to a corporate app only within the company premises, or restrict access to a financial app to compliant regions.
User consent & OS permissions
Precise device geolocation is considered Personally Identifiable Information (PII). To avoid legal and compliance issues, your app must explicitly obtain the user's consent before requesting OS permissions to collect geolocation data.
Before requesting OS permissions, inform users about the purpose, i.e., why and when their location will be collected.
Important
Make sure to implement proper consent management and permissions handling in your app.
Android
Your app should request and be granted OS permissions to collect location data. The permissions have to be added to AndroidManifest.xml inside the <manifest> element.
- android.permission.ACCESS_COARSE_LOCATION
- android.permission.ACCESS_FINE_LOCATION: Optional, provides more precision
See more in Android documentation.
iOS
Your app should request and be granted either of the following OS permissions to collect location data. The key has to be added to Info.plist along with a description that explains the permission usage.
- NSLocationWhenInUseUsageDescription key: "Allow while using app", provides access to location data only when your app is in the foreground.
- NSLocationAlwaysAndWhenInUseUsageDescription key: "Allow always", provides access to location data even when your app is in the background (requires an extra plist key and background mode).
See more in Apple developer documentation.
Geolocation data
Fraud Prevention SDKs accumulate geolocation data from Wi-Fi, GPS, cellular services, including latitude, longitude, and altitude.
Field | Type | Description |
---|---|---|
Latitude | string | The geographic latitude of the device, expressed in decimal degrees (e.g., 32.0853). |
Longitude | string | The geographic longitude of the device, expressed in decimal degrees (e.g., 34.7818). |
Accuracy | string | The radius of 68% confidence around the location, indicating the estimated horizontal accuracy in meters (e.g., 18.0). |
Altitude | string | The altitude of the device in meters above the WGS 84 reference ellipsoid (e.g., 23.5). May not be available on all devices. |
Provider | string | The specific OS location provider. Android: GMS_FUSED_PROVIDER, ANDROID_LOCATION_MANAGER_GP_PROVIDER, ANDROID_LOCATION_MANAGER_NETWORK_PROVIDER. iOS: IOS_CORE_LOCATION. |
Permissions granted | string[] | The actual permissions granted by the user when collecting location data. Android: ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION. iOS: NSLocationWhenInUseUsageDescription, NSLocationAlwaysAndWhenInUseUsageDescription. |
Record timestamp | long | The UTC timestamp (epoch milliseconds) when the location was recorded. |
The reported geolocation data can represent:
- Device last known location: the most recent location that was recorded. This location could be recorded by other apps.
- Device current location: the most up-to-date location of the device. This is done by actively querying the location services.
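The account takeover use case above (a login from Europe minutes after activity in the US) can be checked server-side from the Latitude, Longitude, Accuracy and Record timestamp fields. The following Python is an added example, not Mosaic's or the SDK's code; the `Fix` type, the function names, the 1,000 km/h threshold and the sample coordinates are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0
MAX_SPEED_KMH = 1000.0  # assumed threshold, about airliner cruise speed


@dataclass
class Fix:
    """One reported location; field types follow the table above."""
    latitude: str       # decimal degrees
    longitude: str      # decimal degrees
    accuracy: str       # metres, radius of 68% confidence
    timestamp_ms: int   # Record timestamp, UTC epoch milliseconds


def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes in metres."""
    lat1, lon1 = math.radians(float(a.latitude)), math.radians(float(a.longitude))
    lat2, lon2 = math.radians(float(b.latitude)), math.radians(float(b.longitude))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def implied_speed_kmh(prev: Fix, cur: Fix) -> float:
    """Minimum speed needed to travel between the two fixes."""
    # Subtract both accuracy radii so positioning error alone never raises a flag.
    dist_m = max(0.0, haversine_m(prev, cur) - float(prev.accuracy) - float(cur.accuracy))
    if dist_m == 0.0:
        return 0.0
    # Use record timestamps, not arrival times: a last known location may be old.
    dt_s = abs(cur.timestamp_ms - prev.timestamp_ms) / 1000.0
    return math.inf if dt_s == 0.0 else (dist_m / 1000.0) / (dt_s / 3600.0)


def is_impossible_travel(prev: Fix, cur: Fix, max_kmh: float = MAX_SPEED_KMH) -> bool:
    return implied_speed_kmh(prev, cur) > max_kmh


# Constructed sample fixes (not real user data).
NEW_YORK = Fix("40.7128", "-74.0060", "18.0", 1_700_000_000_000)
LONDON_10_MIN_LATER = Fix("51.5074", "-0.1278", "25.0", 1_700_000_600_000)
LONDON_NEXT_DAY = Fix("51.5074", "-0.1278", "25.0", 1_700_086_400_000)
SAME_BLOCK = Fix("40.7130", "-74.0062", "18.0", 1_700_000_060_000)

if __name__ == "__main__":
    for cur in (LONDON_10_MIN_LATER, LONDON_NEXT_DAY, SAME_BLOCK):
        print(round(implied_speed_kmh(NEW_YORK, cur)), is_impossible_travel(NEW_YORK, cur))
```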
Configuration
By default, Fraud Prevention SDKs use the following configuration for collecting and reporting location data:
Setting | Description | Default value |
---|---|---|
defaultInterval | The time interval during which a location is considered valid for reporting. Possible values: • ForceCurrent: Always report the current location (real-time retrieval). • ForceLastKnown: Always report the last known location. • LastKnown (with any positive number): Report the last known location if it was obtained within the last X minutes. Otherwise, report the current location (real-time retrieval). For example, if set to 60, a location collected 30 minutes ago is considered valid and will be reported to Mosaic. | ForceCurrent |
triggerActionQueryTimeout | Maximum time (in milliseconds) to get the location when triggered by a triggerAction() SDK call. Falls back to the last known location if exceeded. | 1500 |
Mosaic fine-tunes the default collection settings for each action type triggered by Fraud Prevention SDKs:
Action | Returns by default |
---|---|
login | Current location (real-time retrieval) |
register | Current location (real-time retrieval) |
transaction | Current location (real-time retrieval) |
checkout | Current location (real-time retrieval) |
password_reset | Current location (real-time retrieval) |
logout | Last known location |
account_details_change | Current location (real-time retrieval) |
account_auth_change | Current location (real-time retrieval) |
withdraw | Last known location |
credits_change | Current location (real-time retrieval) |
Note
To create a custom default configuration for your tenant, including custom timeouts and default intervals per specific actions, please contact Transmit Security.
Report location when triggering events
Mobile SDKs support reporting device location when an action event is triggered. The location is reported based on the TSLocationCollectionMode object specified in the triggerAction() SDK call. The Default mode falls back to the default configuration.
In the example below, for a checkout event, the SDK reports a device location captured within the last 30 minutes.
```kotlin
// Report the last known location if it was captured within the last 30 minutes
val locationCollectionMode: TSLocationCollectionMode = TSLocationCollectionMode.LastKnown(validFor = 30)
/* Can be one of the following:
 * Default: falls back to default configuration
 * Disabled: doesn't report location
 * ForceCurrent: real-time retrieval
 * ForceLastKnown: reports the last captured location
 * LastKnown(validFor: Int): reports last known location if captured within last X minutes
 */
val locationConfig: TSLocationConfig = TSLocationConfig(mode = locationCollectionMode)

TSAccountProtection.triggerAction(
    "checkout",
    locationConfig,
    object : ITransmitSecurityTriggerActionEventCallback {
        override fun onResponse(transmitSecurityTriggerActionResponse: TransmitSecurityTriggerActionResponse) {
            // TODO
        }

        override fun onFailed(error: TransmitSecurityAccountProtectionError) {
            // TODO
        }
    }
)
```
```swift
/* Can be one of the following modes:
 * default: falls back to default configuration
 * disabled: doesn't report location
 * forceCurrent: real-time retrieval
 * forceLastKnown: reports the last captured location
 * lastKnown(validFor: Int): reports last known location if captured within last X minutes
 */
let collectionMode: TSLocationCollectionMode = .lastKnown(validFor: 30)

TSAccountProtection.triggerAction("[ACTION_TYPE]", locationConfig: .init(mode: collectionMode)) { result in
    switch result {
    case .success(let response):
        let token = response.actionToken
        // Handle response
    case .failure(_):
        // Handle error
        break
    }
}
```
Logic
The SDK checks if the required OS permissions to collect location data were granted to the app. If not, the SDK initialization and action triggering will still succeed, but no geolocation data will be collected or reported to Mosaic.
When triggering an action, the SDK attempts to report geolocation based on the TSLocationCollectionMode specified in the triggerAction() call: the current location, the last known location, or a location obtained within the last X minutes.
If default is specified, the SDK first uses the default settings for the event type (e.g., login, transaction). For custom actions, or if no default is set for the event type, the SDK falls back to the general default settings.
Reporting the current location for an action event requires querying geolocation services in real time, which may delay the triggerAction() call to Mosaic.
The SDK applies the following logic when reporting location: if querying the current location takes longer than the query timeout (1,500 ms by default), the SDK falls back to reporting the last known location to Mosaic.
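The rules in this section can be written out as a decision function, which makes one consequence visible: a ForceCurrent action can still deliver a last known location when the real-time query times out, so the Record timestamp should be checked before trusting a fix as fresh. This Python model is an added example, not the SDK's code; the function and parameter names are hypothetical, and it assumes that "Last known location" in the per-action table means ForceLastKnown and that nothing is reported when no last known location exists.

```python
from typing import Optional

# Per-action defaults from the table above; every other action, including
# custom ones, uses the general default (defaultInterval = ForceCurrent).
LAST_KNOWN_BY_DEFAULT = {"logout", "withdraw"}
GENERAL_DEFAULT = "ForceCurrent"
QUERY_TIMEOUT_MS = 1500  # triggerActionQueryTimeout default


def reported_location(action: str, mode: str, *, permission_granted: bool,
                      last_known_age_min: Optional[float],
                      current_query_ms: int,
                      valid_for_min: Optional[int] = None,
                      timeout_ms: int = QUERY_TIMEOUT_MS) -> Optional[str]:
    """Return "current", "last_known" or None (no location reported).

    last_known_age_min is None when the device has no last known location
    (assumption: the page does not describe that case).
    """
    # Without OS permission the action still succeeds, but carries no location.
    if not permission_granted or mode == "Disabled":
        return None
    # Default resolves to the per-action default, then the general default.
    if mode == "Default":
        mode = "ForceLastKnown" if action in LAST_KNOWN_BY_DEFAULT else GENERAL_DEFAULT
    have_last_known = last_known_age_min is not None
    if mode == "ForceLastKnown":
        return "last_known" if have_last_known else None
    # LastKnown(validFor): reuse the last known fix only while it is recent enough.
    if mode == "LastKnown" and have_last_known and last_known_age_min <= valid_for_min:
        return "last_known"
    # ForceCurrent, or LastKnown with a stale or missing fix: real-time query,
    # falling back to the last known location when the query exceeds the timeout.
    if current_query_ms <= timeout_ms:
        return "current"
    return "last_known" if have_last_known else None
```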