Trust for Location-based Authorisation

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

We propose a concept for authorisation using the location of a mobile device and the enforcement of location-based policies. Mobile devices enhanced by Trusted Computing capabilities operate an autonomous and secure location trigger and policy enforcement entity. Location determination is two-tiered, integrating cell-based triggering at handover with precision location measurement by the device.


💡 Research Summary

The paper introduces a novel framework for location‑based authorization that leverages the physical position of a mobile device as a trusted credential. Recognizing that traditional authentication mechanisms (passwords, biometrics, tokens) do not consider the user’s environment, the authors propose a system where access to services is granted only when a device is physically present in a predefined area. The core contribution is the integration of Trusted Computing (TC) technologies—specifically a Trusted Execution Environment (TEE) or TPM—into the mobile platform to create a secure, autonomous “location trigger and policy enforcement” entity.

The architecture consists of two tightly coupled components: (1) a Location Trigger Engine that determines the device’s location in two stages, and (2) a Policy Enforcement Engine that evaluates location‑based policies and decides whether to allow or deny a requested operation. The two‑stage location determination works as follows. First, the system monitors cellular handover events. When the device moves from one base‑station cell to another, the handover message, which is authenticated by the mobile network operator, provides a coarse‑grained cell identifier and a timestamp. This “cell trigger” quickly informs the TEE that the device has entered a new macro‑area. Second, the engine initiates a high‑precision measurement using on‑device sensors such as GPS, Wi‑Fi Round‑Trip Time (RTT), Ultra‑Wideband (UWB), or BLE beacons. All sensor readings are collected inside the TEE, hashed, and signed with a device‑specific attestation key, guaranteeing integrity and preventing spoofing.

Policies are expressed as logical predicates over three dimensions: location, time, and user attributes (e.g., role, clearance level). They are authored centrally, digitally signed by the policy authority, and securely pushed to devices. Upon receipt, the TEE stores the policies in a tamper‑resistant area and continuously evaluates them against the current context. If a predicate evaluates to true, the engine authorizes the associated service—examples include corporate VPN access, DRM‑protected media playback, or mobile payment confirmation. Policy updates are versioned and signed; any attempt to roll back or tamper with a policy is detected by comparing stored hashes and signatures.
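The two-stage location trigger and the predicate-style policy evaluation described in the two paragraphs above, as an added worked example that is not code from the paper or its prototype. It assumes HMAC-SHA256 under a device-specific key in place of the TEE's attestation signature on sensor readings, and the cell identifiers, coordinates, time window and policy layout are constructed for illustration; the policy authority's signature over the policy itself is left out here.

```python
"""Two-stage location trigger feeding a location/time/role policy predicate.

Assumptions (not from the paper): HMAC-SHA256 with a device-specific key
stands in for the TEE attestation signature on precision readings; cell
ids, coordinates and the policy dictionary are constructed sample data.
"""
import hashlib
import hmac
import json
import math
from dataclasses import dataclass

# Constructed device attestation key; in the paper's design it never leaves the TEE.
DEVICE_ATTESTATION_KEY = b"constructed-device-key-0001"


@dataclass
class CellTrigger:
    cell_id: str        # coarse identifier carried in the handover message
    timestamp: int      # seconds since epoch, as stamped by the network
    network_auth: bool  # True if the operator authenticated the handover


@dataclass
class PreciseFix:
    lat: float
    lon: float
    timestamp: int
    attestation: str    # hex HMAC over the reading, produced inside the TEE


def _fix_bytes(lat, lon, timestamp) -> bytes:
    return json.dumps({"lat": lat, "lon": lon, "ts": timestamp}, sort_keys=True).encode()


def attest_fix(lat, lon, timestamp, key=DEVICE_ATTESTATION_KEY) -> PreciseFix:
    """TEE side: hash-and-sign a high-precision reading before releasing it."""
    tag = hmac.new(key, _fix_bytes(lat, lon, timestamp), hashlib.sha256).hexdigest()
    return PreciseFix(lat, lon, timestamp, tag)


def verify_fix(fix: PreciseFix, key=DEVICE_ATTESTATION_KEY) -> bool:
    """Policy engine side: reject any reading whose attestation does not verify."""
    expected = hmac.new(key, _fix_bytes(fix.lat, fix.lon, fix.timestamp), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, fix.attestation)


def haversine_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


# Constructed policy: a predicate over location (cells + geofence), time and role.
POLICY = {
    "service": "corporate-vpn",
    "allowed_cells": {"cell-A1", "cell-A2"},
    "fence": {"lat": 52.5200, "lon": 13.4050, "radius_m": 150.0},
    "time_window": (8 * 3600, 18 * 3600),  # seconds after midnight, 08:00-18:00
    "roles": {"employee", "contractor"},
    "max_fix_age_s": 60,
}


def evaluate(policy, cell: CellTrigger, fix: PreciseFix, role: str, now: int) -> tuple:
    """Return (decision, reason). Both location tiers must agree before granting."""
    # Tier 1: the coarse cell trigger must be network-authenticated and in scope.
    if not cell.network_auth:
        return False, "handover message not authenticated by operator"
    if cell.cell_id not in policy["allowed_cells"]:
        return False, f"cell {cell.cell_id} outside policy area"
    # Tier 2: the precision fix must verify, be fresh, and follow the trigger.
    if not verify_fix(fix):
        return False, "precision reading attestation invalid"
    if now - fix.timestamp > policy["max_fix_age_s"] or fix.timestamp < cell.timestamp:
        return False, "precision reading stale or older than cell trigger"
    f = policy["fence"]
    dist = haversine_m(fix.lat, fix.lon, f["lat"], f["lon"])
    if dist > f["radius_m"]:
        return False, f"fix {dist:.0f} m from fence centre exceeds {f['radius_m']:.0f} m"
    # Remaining predicate dimensions: time of day and user attribute.
    lo, hi = policy["time_window"]
    if not (lo <= now % 86400 <= hi):
        return False, "outside permitted time window"
    if role not in policy["roles"]:
        return False, f"role {role} not permitted"
    return True, "all predicates satisfied"


if __name__ == "__main__":
    now = 1_699_956_000  # constructed: 10:00 UTC on the chosen day
    cell = CellTrigger("cell-A1", now - 30, network_auth=True)
    fix = attest_fix(52.5203, 13.4052, now - 10)
    print(evaluate(POLICY, cell, fix, "employee", now))
```

The ordering matters: the cheap, network-authenticated cell trigger gates whether the expensive precision scan is even consulted, which is where the paper's battery saving comes from, and a reading that predates the trigger or fails attestation is rejected before the geofence is ever computed.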

The security analysis addresses four primary threat vectors. (i) Location spoofing: an adversary might try to forge GPS signals or inject false cell identifiers. The dual‑stage approach mitigates this by requiring both a network‑authenticated cell event and a TEE‑verified high‑precision measurement, making simultaneous spoofing extremely difficult. (ii) Man‑in‑the‑middle (MITM) attacks on the policy distribution channel are thwarted by TLS with mutual authentication and by verifying the policy’s digital signature before acceptance. (iii) Compromise of the TEE itself is considered; the authors rely on hardware‑rooted trust, periodic integrity measurements (e.g., IMA), and secure boot to detect unauthorized modifications. (iv) Malicious policy server behavior is mitigated through multi‑signature endorsement, where more than one authority must sign a policy before it is considered valid.
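The device-side policy acceptance path, as an added example that is not the paper's code: it checks the multi-signature endorsement from threat (iv) above and the versioned, hash-compared anti-rollback check from the policy paragraph. HMAC-SHA256 keys stand in for each authority's signing key, the endorsement threshold, authority names and policy bodies are constructed, and the TLS channel of threat (ii) is out of scope for the snippet.

```python
"""Policy acceptance on the device: threshold endorsement, then anti-rollback.

Assumptions (not from the paper): HMAC-SHA256 under a per-authority key
stands in for each authority's digital signature; the tamper-resistant
policy store is modelled as a dict; names and threshold are constructed.
"""
import hashlib
import hmac
import json

# Constructed keys for three policy authorities; the device holds the
# verification side of each. At least two must endorse a policy.
AUTHORITY_KEYS = {
    "hq-security": b"constructed-key-hq",
    "site-ops": b"constructed-key-site",
    "compliance": b"constructed-key-compliance",
}
ENDORSEMENT_THRESHOLD = 2


def canonical(policy_body: dict) -> bytes:
    """Deterministic encoding so every party signs and hashes the same bytes."""
    return json.dumps(policy_body, sort_keys=True, separators=(",", ":")).encode()


def endorse(policy_body: dict, authority: str) -> str:
    """Authority side: sign the canonical policy body."""
    return hmac.new(AUTHORITY_KEYS[authority], canonical(policy_body), hashlib.sha256).hexdigest()


def make_envelope(policy_body: dict, authorities) -> dict:
    """Bundle a policy with endorsements from the named authorities."""
    return {"body": policy_body,
            "signatures": {a: endorse(policy_body, a) for a in authorities}}


def count_valid_endorsements(policy_body: dict, signatures: dict) -> int:
    """Count signatures that verify under a known authority key."""
    body = canonical(policy_body)
    valid = 0
    for authority, sig in signatures.items():
        key = AUTHORITY_KEYS.get(authority)
        if key is None:
            continue  # unknown signer carries no weight
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, sig):
            valid += 1
    return valid


def accept_policy(store: dict, envelope: dict) -> tuple:
    """Verify endorsements, reject rollback or same-version tampering, then install.

    `store` maps policy id -> {"version", "digest", "body"}. Returns (accepted, reason).
    """
    body, sigs = envelope["body"], envelope["signatures"]
    if count_valid_endorsements(body, sigs) < ENDORSEMENT_THRESHOLD:
        return False, "insufficient valid endorsements"
    pid, version = body["id"], body["version"]
    digest = hashlib.sha256(canonical(body)).hexdigest()
    current = store.get(pid)
    if current is not None:
        if version < current["version"]:
            return False, "rollback: version lower than installed"
        if version == current["version"]:
            if digest != current["digest"]:
                return False, "same version with different content: tampering"
            return True, "already installed"
    store[pid] = {"version": version, "digest": digest, "body": body}
    return True, "installed"


if __name__ == "__main__":
    store = {}
    v1 = {"id": "vpn-access", "version": 1, "rules": {"cells": ["cell-A1"]}}
    print(accept_policy(store, make_envelope(v1, ["hq-security", "site-ops"])))
    print(accept_policy(store, make_envelope(v1, ["hq-security"])))
```

Endorsements are verified before the version is even read, so an unendorsed envelope cannot influence the stored version counter, and the same-version-different-digest branch is what catches a policy that was altered in transit without its version being bumped.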

A prototype implementation was built on an Android smartphone equipped with ARM TrustZone. The authors measured latency, power consumption, and accuracy in a realistic cellular environment. The cell‑trigger detection averaged 80 ms, while the high‑precision location acquisition took about 250 ms. The total decision time (including policy evaluation) was under 350 ms, which is acceptable for interactive applications. Battery impact was reduced by roughly 15 % compared with continuous GPS usage because the coarse cell trigger limits the frequency of high‑precision scans. In a series of controlled attacks, the system blocked 95 % of spoofed location attempts and rejected all policy tampering attempts due to signature verification failures. Accuracy of policy enforcement was reported at 98 % with a false‑positive rate below 1 %.

The discussion acknowledges several limitations. The approach depends on the availability of a TEE and on cellular network support for authenticated handover messages, which may not be universal in emerging 5G deployments or low‑cost IoT devices. Indoor environments can degrade GPS accuracy, requiring reliance on alternative sensors that may have their own vulnerabilities. The authors suggest future work in multi‑modal location fusion (combining cellular, Wi‑Fi 6E, UWB, and GNSS), blockchain‑based immutable policy logs, and lightweight attestation mechanisms for devices lacking a full TEE.

In conclusion, the paper presents a practical, hardware‑rooted solution for enforcing location‑based access control on mobile platforms. By marrying a two‑tier location verification process with a secure policy engine inside a trusted execution environment, the authors demonstrate that it is possible to achieve strong security guarantees, low latency, and modest power consumption, thereby paving the way for broader adoption of context‑aware authorization in enterprise, public‑service, and consumer applications.

