Geolocation APIs: Accuracy, Evasion, and Legal Implications

By Alex Morgan, Head of Risk Engineering. Last reviewed: 2026-07-14. This article is for information only and is not legal advice.

Cold open

A driver crosses a city line at dusk. The app flips from “deliver” to “no-go.” On the map, the blue dot sits inside the zone. Yet the job vanishes. What went wrong? The location stack did. It mixed GPS, Wi‑Fi, cell, and IP in one fast guess. One signal lagged. Another was off by a block. Rules fired, and the run was lost.

What this guide will do

I will explain how geolocation APIs work in the real world, where accuracy breaks, how evasion shows up (at a high level), and what the law and app store rules expect. I will not give any steps to bypass checks or geofences.

Quick definition for readers and for search: a geolocation API lets an app ask the device or browser for the user’s place on Earth, with time, method, and error range. It can use GPS, Wi‑Fi, cell, sensors, and IP. See the MDN Geolocation API for the web model and events.

Is IP geolocation accurate? IP data can say a country, and often a city. It is weak at the street level. It is also wrong at times due to VPNs, proxies, mobile carrier NAT, or CDNs. It works best as a coarse hint, not as a gate by itself. For more on limits, see what IP geolocation can and cannot do.

The stack of signals: what “location” really is

Your app does not “have GPS.” It has a broker that blends many inputs. On Android, this is the Android Fused Location Provider. On iOS, it is Apple Core Location. These frameworks balance speed, battery, and precision. They also adapt to the scene: indoors, outdoors, moving, still.

GPS/GNSS is great in open sky. In city canyons, tall glass can reflect signals (this is “multipath”). The fix can drift by tens of meters. A “cold start” (first fix in a while) takes longer and may be less precise. A “warm start” is faster and better.

Wi‑Fi SSIDs help a lot in towns. Phones see nearby Wi‑Fi names and match them with a big map made from past scans. In many cases, Wi‑Fi can beat GPS for short time-to-fix. Wi‑Fi RTT (round trip time) can do indoor ranging on new phones and routers. See Wi‑Fi RTT on Android for details.

Cell towers and Assisted GPS improve start time. The network gives a hint of place (coarse), then GPS refines it. This is good for drive starts and rural cases, yet cell-only fixes have wide error circles.

IP-based geolocation is the coarsest. It depends on which network path your packets take. Mobile carriers, CDNs, and enterprise networks can shift the view. There is work to map IPs to places with better data. One tool is the RFC 8805 geofeed standard, which lets ISPs share IP-to-location hints. Still, IP should support, not lead, your decision.

How to read the comparison table

Below is a quick map of common signals. Values are typical ranges, not promises. Your results will vary by device, city shape, time of day, and user settings.

GPS / GNSS 3–10 m urban (can degrade near tall buildings), 5–20 m rural, worse indoors Medium to high (hard to fake well, but can be fed mock data on rooted/jailbroken devices) Cold: seconds to minutes; Warm: seconds Medium to high during active tracking Precise location; time stamps Core Location (iOS), Fused Location (Android), device GPS chip Needs clear consent for precise data; avoid over-collection and long retention
Wi‑Fi SSIDs (databases) 5–30 m urban; weak in low-density areas Medium (MAC randomization, stale DBs, or rogue APs can mislead) Fast once radios are on Low to medium Nearby network IDs can be personal data if linked to homes Core Location, Fused Location; third‑party DBs Disclose Wi‑Fi scan use; follow platform rules on background scans
Wi‑Fi RTT (802.11mc) 1–2 m indoors with supported routers and phones Medium (needs hardware support; harder to spoof well) Fast after calibration Medium Very precise indoor data Android Wi‑Fi RTT API Use only with clear, opt‑in consent for precise indoor fixes
Cell towers 100–1,000+ m; better in dense areas with many towers Low to medium Fast Low Coarse location Core Location, Fused Location Good for fallbacks and safety; do not use alone for strict fences
IP Geolocation Country: high; City: moderate; Street: poor Low (VPNs, proxies, carrier NAT) Instant Low Network identifiers can be personal data CDN or IP data providers Use as a hint; avoid sole reliance for compliance gates
Sensor fusion (OS fused provider) Best practical balance; varies by scene Medium (relies on device trust and OS integrity) Fast after warm‑up Managed by OS Mix of precise and coarse data Core Location, Fused Location Audit permissions, disclosures, and retention across all inputs

Where accuracy fails in the real world

Border effects hurt most. A 10 m drift near a state or city line can flip a rule. A user can be “in” by GPS and “out” by IP at the same time. If you must meet a law by line (tax, labor, or gaming), add a buffer zone and a soft review path.

Indoors vs outdoors is another pain point. In a mall or high‑rise, GPS fades. Wi‑Fi and sensors carry the load, but AP maps change. On a campus, one big Wi‑Fi mesh can make far spots look close. In rural zones, Wi‑Fi is sparse, so cell guesses grow wide.

App life cycle adds risk. When users stop moving, OS rules can throttle updates. If you ask for background location, both stores need strong user value and clear copy. If you drain battery, users will turn you off. That also kills accuracy.

Evasion exists — reason about it, do not teach it

People and bots try four broad paths: network masking (VPNs, proxies), device tampering (root/jailbreak, mock locations), sensor spoof (feed false data), and social tricks (borrowed accounts, fake photos). The goal is to look “in zone” when they are not. For a safe view of mobile risks, read the OWASP Mobile Security Testing Guide.

How to counter at a high level: blend many signals. Look for odd pairs, like GPS in one city but IP in another. Watch jumps that break speed limits. Track rapid flips between far places. Use risk scores, not hard “yes/no” on one signal. Give users a fair way to prove they are in the right place.

Device and platform checks help. On Android, use the Play Integrity API to see if the app runs on a trusted device and build. On iOS, stick to official APIs and watch for OS signs of tamper. Keep this high level. Do not break platform rules.

Ops matters as much as code. Flag but do not block low risk. Add friction for medium risk (extra prompt, selfie, or doc check if your law allows it). For high risk, block and offer a help path. Log facts, not PII, when you can. Explain your decision in simple words.

Legal and platform guardrails

Privacy laws treat location as sensitive

In the EU, precise location is personal data. Read GDPR’s definition of personal data. If you rely on consent, it must be free, clear, and easy to withdraw. The EDPB explains this in its note on valid consent for location data. In short: ask before you track, say why, and let people say no without harm if the feature is not core.

Enforcement and case law raise the stakes

In the U.S., the Supreme Court held that long‑term cell site data needs a warrant. See Carpenter v. United States on location privacy. Regulators also act on data flows. See the FTC enforcement around precise geolocation. If you sell, share, or mix precise location in risky ways, you may face action.

Platform rules on background location and disclosures

Stores set clear lines. On Android, read the Google Play background location rules. On iOS, see Apple’s user privacy requirements. Only ask for what you need, when you need it. Explain it in the prompt and in your product copy. If the value is not clear, your app may be rejected.

Regulated fields: geofencing is not a “nice to have”

In iGaming and sports betting, the law ties offers to state lines. See where online sports betting is legal in the U.S.. In these apps, a 20 m drift at a border can break a rule. Teams use many signals, a safety buffer, and a review flow to avoid false blocks and false allows. If you want neutral context on licensed sites by state, see the independent review hub at https://www.casinoreviewbank.com/. In ad‑tech, auctions also pass location hints. The spec names fields for lat/long, source, and accuracy. See the OpenRTB location signals.

Legal snapshots by region

  • EU/EEA: GDPR is the base. Precise location is high risk. Do a DPIA for broad tracking. Use DPA‑friendly settings by default.
  • U.S.: Mix of federal and state rules. Watch CPRA/CPA/CTDPA. Case law like Carpenter shapes law‑enforcement access.
  • Canada: PIPEDA and new bills raise bar on consent. Be clear on cross‑border flows.
  • U.K.: UK GDPR + PECR. Consent for precise location in ads is key.
  • APAC: Rules vary. Australia treats precise location as sensitive. Singapore PDPA needs clear purpose and limits.

No matter the region, a risk lens helps teams align. The NIST Privacy Framework is a good way to plan and review your controls.

Build vs. buy: how to choose

Start with a simple matrix. Columns: accuracy target (m), latency (ms), scale (RPS), privacy stance (data you will collect, store, share), scene mix (indoor, urban, rural), and legal needs (hard fence vs soft guide). If you need strict borders, plan buffers and manual review. If your need is “nearby store list,” you can relax.

When you talk to vendors, ask about: sensor mix, indoor support, drift over time, false allow/deny rates at borders, jailbreak/root detection, consent flows, and audit logs. Ask for a test plan and data export. Validate claims with a city test, a border test, and a mall test. If you work in ads or telecom, make sure they support standard fields and signals you use upstream or downstream, like the OpenRTB location signals you already saw above.

A 90‑second teardown: audit your location UX

  • Do users see a plain, short reason before the OS prompt?
  • Do you ask for “While Using” first, not “Always,” unless core to the app?
  • Is there a clear “Learn more” link and a way to change settings later?
  • Do you show an error and next steps when location is off or weak?
  • At borders, do you add a small buffer and a “Check again” action?
  • Do you log method and error radius (not raw PII) to debug bad calls?

What to track next quarter

Track: median error by scene (indoor/outdoor), percent of “method = IP only,” rate of border false blocks, rate of user appeals, time to resolve appeals, and battery impact on the top five devices. Watch drift. AP maps and tower maps change. Your model can “rot” if you do not review stats and retrain logic. Set alerts for odd jumps in these metrics.

FAQ

Why do two phones side by side disagree?

They may use different chips, OS versions, or data sets. One may prefer GPS, the other Wi‑Fi. One may have a cold start. One may see a different set of APs. Both can be “right” within their error circles.

Can I rely only on IP data?

No. IP is fine as a hint or to block clear out‑of‑country access. It is not safe for city or state lines. Blend it with GPS, Wi‑Fi, and device trust checks. Add a review path for edge cases.

Is VPN use illegal by itself?

No, VPNs are legal in most places. But using a VPN to break a law or a contract can still bring risk to the user and to your app if you fail to catch it. Focus on risk, not on the tool name.

A short field guide to real‑world trade‑offs

  • Speed vs. accuracy: a fast coarse fix helps UX; do a refine pass before you enforce a hard line.
  • Battery vs. trust: tight, high‑rate GPS burns power; use it only when you must, and explain why.
  • Privacy vs. debug: log what you need to fix bugs, not raw trails; rotate IDs and trim retention.
  • False blocks vs. false allows: in safety or legal use, bias to caution; in retail browse, bias to ease.
  • One fix vs. many: a single method lies more often than a blended set of signals.

Implementation notes without code

Use the OS fused provider first. Ask for foreground access at the point of need. When you must run in the background, tie it to a core value (safety, turn‑by‑turn). Sample at a sane rate. At hard borders, keep a small no‑go buffer to the outside. When the fix is near the line, ask users to wait a bit and try again.

Do not rely on raw lat/long alone. Keep the error radius and method. If a user is 15 m from the line with a 30 m error, treat that as “unknown” and add light friction, not a hard block. For fraud checks, look for device tamper and odd network paths. Keep your policy in line with store rules and local law.

Case study sketch (no names)

A rideshare app saw cancel spikes at an airport. GPS drifted near tall glass. IP showed a POP in another city. Fix: they added Wi‑Fi hints and a 50 m buffer. They split the flow: “wait here” with a timer if near the line. Cancels dropped 38% and driver pay errors fell 22%.

Common pitfalls to avoid

  • Blocking by IP alone at borders.
  • Asking for “Always” location at first launch with no clear value.
  • No appeal path for users who are on the right side but blocked by drift.
  • Storing precise trails forever “just in case.”
  • Skipping legal and store rule reviews when you change tracking.

Compliance checklist (non‑exhaustive)

  • Get clear user consent for precise location. Let users say no.
  • Write a short, plain notice: what, why, for how long, who gets data.
  • Limit collection to what you need. Trim logs. Protect exports.
  • Review laws in your markets and keep a changelog of policy updates.
  • Test border behavior in the field before each major release.

Closing note

Geolocation accuracy is not a fixed truth. It is a moving mix of signals, scenes, and rules. Teams that respect limits, plan for drift, and build trust do better over time. That trust, paired with solid compliance, compounds.

About the author

Alex Morgan leads risk and location engineering at a global app brand. 12+ years shipping mobile systems in regulated fields. Built cross‑border geofencing, fraud scoring, and consent flows at scale.

Get in touch!

We’d love to hear from you, you attractive person you.