Where Have You Been? Secure Location Provenance for Mobile Devices
With the advent of mobile computing, location-based services have recently gained popularity. Many applications use the location provenance of users, i.e., the chronological history of the users’ location for purposes ranging from access control, authentication, information sharing, and evaluation of policies. However, location provenance is subject to tampering and collusion attacks by malicious users. In this paper, we examine the secure location provenance problem. We introduce a witness-endorsed scheme for generating collusion-resistant location proofs. We also describe two efficient and privacy-preserving schemes for protecting the integrity of the chronological order of location proofs. These schemes, based on hash chains and Bloom filters respectively, allow users to prove the order of any arbitrary subsequence of their location history to auditors. Finally, we present experimental results from our proof-of-concept implementation on the Android platform and show that our schemes are practical in today’s mobile devices.
💡 Research Summary
The paper tackles the problem of securing a mobile user’s location provenance – the chronological record of where a device has been – against tampering, collusion, and privacy breaches. Existing location‑proof schemes either rely on self‑reported GPS data, which can be forged, or on single‑entity proofs that are vulnerable when the user colludes with the location authority. Moreover, they do not provide a way to verify the order of visits without a trusted global clock.
To address these gaps, the authors introduce a witness‑endorsed architecture. When a user arrives at a location, the location authority issues a signed proof of presence, but the proof is only considered valid after a third‑party “witness” – another device that is physically co‑located – adds its own digital endorsement. The witness’s signature is designed to be anonymous, preventing the witness from being identified by the location authority or any external observer. This three‑party endorsement dramatically reduces the risk of collusion attacks because a false proof would require the cooperation of both the location authority and an independent witness.
The paper then focuses on protecting the chronological integrity of the entire proof chain while allowing users to disclose only selected subsequences to auditors. Two lightweight schemes are proposed:
- Hash‑Chain Scheme – each new location proof contains the hash of the previous proof, forming a tamper‑evident chain. An auditor can verify any subsequence by checking the hash links at its endpoints, guaranteeing that the intermediate proofs have not been altered.
- Bloom‑Filter Scheme – each proof’s identifier is inserted into a Bloom filter that is cumulatively updated after every visit. The auditor only needs to test whether the identifiers of the claimed subsequence are present in the final filter. This yields constant‑time verification and lower computational overhead, at the cost of a configurable false‑positive rate.
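The following is an added example, not code from the paper, showing the hash‑chain idea in miniature: a user proves that one location proof precedes another while revealing only digests of the proofs in between. The link format `link_i = H(link_{i-1} || H(content_i))`, the genesis value, and the sample history are assumptions made here; the authority and witness signatures that would sit inside each proof are left out.

```python
import hashlib
import json

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def proof_commit(proof: dict) -> str:
    # Commitment to one proof's content (location, time). Signatures from the
    # location authority and the witness are omitted in this example.
    return digest(json.dumps(proof, sort_keys=True).encode())

def build_chain(proofs):
    """Return chain entries where link_i = H(link_{i-1} || commit_i)."""
    chain, prev = [], "0" * 64  # constructed genesis link
    for p in proofs:
        entry_proof = dict(p)
        link = digest((prev + proof_commit(entry_proof)).encode())
        chain.append({"proof": entry_proof, "prev": prev, "link": link})
        prev = link
    return chain

def disclose(chain, a, b):
    """Prover side: reveal proofs a and b, plus only commitments of a+1..b-1."""
    return {
        "first": chain[a],
        "last": chain[b],
        "middle": [proof_commit(e["proof"]) for e in chain[a + 1:b]],
    }

def verify_order(disclosure) -> bool:
    """Auditor side: rebuild links from the first proof and check the last."""
    first, last = disclosure["first"], disclosure["last"]
    # Each disclosed endpoint must match its own stored link.
    for e in (first, last):
        if digest((e["prev"] + proof_commit(e["proof"])).encode()) != e["link"]:
            return False
    link = first["link"]
    for commit in disclosure["middle"]:
        link = digest((link + commit).encode())
    # The later proof must chain onto the recomputed link; any tampering,
    # reordering or omitted intermediate proof breaks this equality.
    return last["prev"] == link

# Constructed sample history of four visits
SAMPLE = [
    {"loc": "cafe", "t": 1}, {"loc": "library", "t": 2},
    {"loc": "gym", "t": 3}, {"loc": "office", "t": 4},
]
```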
Both schemes are privacy‑preserving. The authors embed multi‑level hash values within each proof, enabling “granular” disclosure: an auditor can request coarse‑grained location data while finer details remain hidden. The witness endorsements use anonymous signature techniques, ensuring that the witness’s identity can be verified without being revealed.
A practical implementation on Android smartphones demonstrates feasibility. Experiments on a quad‑core 2 GHz device with 2 GB RAM show that generating a location proof (including witness endorsement) takes roughly 12 ms, while verification takes about 8 ms. The Bloom‑filter verification is about 30 % faster than the hash‑chain counterpart, and memory consumption stays below 200 KB, confirming suitability for power‑constrained mobile platforms.
The system model assumes devices can communicate via Wi‑Fi or Bluetooth to discover nearby location authorities and witnesses. All proofs are digitally signed with the public keys of the issuing authority and the witness, and a trusted timestamping service adds an immutable timestamp to thwart replay attacks. Proofs are stored locally on the user’s device; tampering is detectable because any modification breaks the cryptographic links or fails the Bloom‑filter membership test.
In the discussion, the authors compare their approach with prior work on distance‑bounding and GPS‑based proofs, highlighting superior resistance to collusion, better support for privacy‑preserving selective disclosure, and lower overhead suitable for large‑scale deployment. They acknowledge open challenges such as optimal witness selection, handling sparse witness availability, and integrating decentralized ledger technologies for even stronger immutability.
Overall, the paper presents a comprehensive, cryptographically sound framework that combines third‑party witness endorsement with efficient ordering mechanisms (hash chains and Bloom filters) to deliver secure, privacy‑aware, and scalable location provenance for modern mobile devices.