Testing Mobile Apps & Devices with GPS Spoofing
At TestDevLab we not only provide your usual manual and automated software testing services for various platforms but also advanced testing solutions. We have written before about our mobile app battery usage testing solution as well as a solution that we built for testing audio quality in VoIP applications.
Today let’s talk about an interesting addition to our testing lab – a GPS signal simulation solution. This article focuses on the simulation and testing of location-based software to ensure that the software product behaves as expected in a simulated GPS environment.
A bit of history for starters
Back in 1836, Michael Faraday observed that the excess charge on a charged conductor resided only on its exterior and had no influence on anything enclosed within it. To demonstrate this, he built a room coated with metal foil and allowed high-voltage discharges from an electrostatic generator to strike the outside of the room; within the cage, the electromagnetic charge had no effect. Nowadays devices have built-in mobile data, WiFi, Bluetooth and location services, all of which are based on electromagnetic radiation. This part is important because we will need a Faraday box later in our testing.
One of the location services is the Global Navigation Satellite System (GNSS). It refers to a constellation of satellites providing signals from space that transmit positioning and timing data to GNSS receivers. Global Positioning System (GPS) is a satellite-based radio navigation system mainly used by many applications to obtain a precise location. Several countries have developed or are in the process of setting up other global or regional satellite navigation systems that can be picked up by the location receiver such as GLONASS, BDS, NAVIC, GALILEO, and others.
There are several reasons why one would use special global navigation satellite system (GNSS) hardware to spoof GPS or other satellite system signals. One is intentional GNSS spoofing, i.e. generating a valid and accurate satellite signal for in-lab position movement testing. Another is non-functional testing, such as loss of signal for several seconds or signal fading caused by multiple reflections in an urban environment. All these tests open up new possibilities for mobile application testers. Nowadays, many mobile applications use the end user’s device location in some way, some as a functional part of their product, some for analytics.
Global Navigation Satellite System (GNSS) basics
The simulation described in this article differs from the more common location spoofing: it is not only about fake coordinates but involves a complete GNSS transmitter simulation in an isolated environment. We want to emphasize that with our solution we can simulate location change in movement while also introducing interruptions in signal reception.
There are several GNSS simulation-capable hardware devices on the market from the likes of Rohde & Schwarz, RaceLogic, Spectracom (Pendulum) and IFEN Inc. The price and capabilities can vary significantly. For mobile applications where location is a functional part of the application, trajectory, environment and event simulations can be classified as essential. A testing scenario can be defined separately for each application.
The Pendulum GSG-5 unit and StudioView will be referenced in this text, as this hardware and software are what we actually use for GNSS simulation in our offices. The Pendulum GSG-5 unit is capable of simulating up to 16 simultaneous GNSS signals. The version that we use offers up to 5 simultaneous L1 band GPS signals, which is enough to get a position fix of acceptable accuracy. Different GNSS scenarios can be added and edited via the provided StudioView software, or via Standard Commands for Programmable Instruments (SCPI) if the software is not an option. StudioView provides an excellent and intuitive user interface for building different scenarios.
A GNSS simulation scenario is defined by the following:
- navigation data or ephemeris of the satellite location;
- trajectory data;
- event data to simulate direct or indirect signal loss;
- antenna model to change the antenna radiation model;
- environment or line of sight restrictions;
- interference and multipath signals due to the environment.
Let’s create a scenario
Creating a scenario is as straightforward as it gets if the user decides to use StudioView software. First, we need to specify the basic information of the scenario:
- simulation date and time;
- duration;
- start position in geographical coordinates;
- start position in earth-centered coordinates;
- leap second adjustment.
The GSG-5 unit comes with StudioView software, where a trajectory can be added point by point (see Image 2). This manual work is unproductive, as many simulations are not static, i.e. devices move at varying speeds. Manual editing requires adding positional and velocity data for each point. Standard GNSS data update rates are on the order of hertz (1 Hz, 10 Hz, 20 Hz), with a limit of 50 Hz. Adding 10 to 20 points for 1 second of simulation is a waste of time, which is why there are other solutions. One of the easiest is a GPS/GNSS logger device that logs National Marine Electronics Association (NMEA) coded data to a file or serial port.
Example NMEA formatted GNSS log data:
$GPRMC,000000.000,A,1541.7808,N,01913.9259,E,19.44,34.49,210519,,*04
$GPGGA,000000.000,1541.7808,N,01913.9259,E,1,,,0.0,M,,M,,,*4B
$GPRMC,000001.000,A,1541.7853,N,01913.9291,E,19.44,34.49,210519,,*0F
RMC and GGA data are most commonly used to describe location, velocity, and altitude. To successfully build a scenario, these data strings should be present. The first two letters describe the satellite system the data is logged from, i.e. GP – GPS, GN – GLONASS, GA – GALILEO, GQ – QZSS. The accepted strings depend on the GSG-5 unit’s options; in the case of the L1 option, only GP-prefixed NMEA data are accepted. If no GP data were logged during the recording, i.e. no GPS satellites were used, a simple script can be used to change GN, GA and GQ prefixed strings to GP.
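A sketch of such a script, as an added example that is not TestDevLab's own code. It rewrites the prefix and also recomputes the trailing checksum (the XOR of every character between `$` and `*`), which changes whenever the prefix does. The function names and the GN variants of the sample sentences are constructed for illustration.

```python
FOREIGN_TALKERS = {"GN", "GA", "GQ"}   # prefixes the article says to rewrite

def nmea_checksum(body: str) -> str:
    """XOR of every character between '$' and '*', as two uppercase hex digits."""
    value = 0
    for ch in body:
        value ^= ord(ch)
    return f"{value:02X}"

def to_gp(sentence: str) -> str:
    """Return the sentence with a GP prefix and a recomputed checksum."""
    line = sentence.strip()
    if not line.startswith("$") or "*" not in line:
        raise ValueError(f"not a framed NMEA sentence: {line!r}")
    body, _, given = line[1:].rpartition("*")
    if nmea_checksum(body) != given.upper():
        raise ValueError(f"checksum mismatch in input: {line!r}")
    if body[:2] in FOREIGN_TALKERS:
        body = "GP" + body[2:]
    return f"${body}*{nmea_checksum(body)}"

def convert_log(lines):
    """Convert a whole log; returns (converted_lines, rejected_lines)."""
    good, bad = [], []
    for raw in lines:
        if not raw.strip():
            continue
        try:
            good.append(to_gp(raw))
        except ValueError:
            bad.append(raw.strip())
    return good, bad

# Constructed sample: the article's first two sentences re-labelled GN (checksums
# adjusted), one unchanged GP line, and one line with a deliberately wrong checksum.
SAMPLE = [
    "$GNRMC,000000.000,A,1541.7808,N,01913.9259,E,19.44,34.49,210519,,*1A",
    "$GNGGA,000000.000,1541.7808,N,01913.9259,E,1,,,0.0,M,,M,,,*55",
    "$GPRMC,000001.000,A,1541.7853,N,01913.9291,E,19.44,34.49,210519,,*0F",
    "$GNRMC,000002.000,A,1541.7898,N,01913.9323,E,19.44,34.49,210519,,*00",
]

if __name__ == "__main__":
    converted, rejected = convert_log(SAMPLE)
    print("\n".join(converted))
    print("rejected:", rejected)
```

Lines that fail the input checksum are returned separately rather than rewritten, so a corrupted recording is noticed before it is loaded into a scenario.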
Repeating of a real-world scenario
So the simulation can be recorded from a mobile device or GNSS receiver in real-world conditions and repeated in our environment by using the GSG-5 unit. Free-to-use apps for mobile phones that are capable of logging to GPS exchange format (GPX), NMEA or other formats might be used as well. All the formats are acceptable if the following conditions for data are met:
- positional data;
- velocity data;
- altitude data (not mandatory).
The GSG-5 unit accepts only NMEA-formatted data, so if GPX is used, it must be converted to NMEA. One example is GPS Logger for Android (Image 3), which supports the GPX and NMEA formats. It is also possible to record the scenario with a Garmin handheld GPS navigator in places with high signal loss or GPS anomalies. An example would be an exotic trip recording from the Pokaiņi forest in Latvia. Such a scenario recording will then need to limit the number of satellite signals captured so that the GSG-5 simulation can replay it with 5 simulated satellites.
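One way to do the GPX-to-NMEA conversion, as an added example that is not part of the original article or of any vendor tool. It derives the velocity the scenario needs (speed and course) from consecutive track points and emits `$GPRMC` sentences in the field layout of the sample log above. It assumes GPX 1.1 with whole-second UTC timestamps ending in `Z`; the track and function names are constructed.

```python
import math
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"g": "http://www.topografix.com/GPX/1/1"}     # GPX 1.1 namespace

# Constructed track: two fixes one second apart, heading due north.
SAMPLE_GPX = """<gpx xmlns="http://www.topografix.com/GPX/1/1" version="1.1"><trk><trkseg>
<trkpt lat="56.9496" lon="24.1052"><time>2019-05-21T10:00:00Z</time></trkpt>
<trkpt lat="56.9497" lon="24.1052"><time>2019-05-21T10:00:01Z</time></trkpt>
</trkseg></trk></gpx>"""

def nmea_coord(value, is_lat):
    """Decimal degrees -> 'ddmm.mmmm,H' (latitude) or 'dddmm.mmmm,H' (longitude)."""
    hemi = ("S" if value < 0 else "N") if is_lat else ("W" if value < 0 else "E")
    units = round(abs(value) * 600000)          # 1/10000 minute; never prints 60.0000
    deg, rem = divmod(units, 600000)
    return f"{deg:0{2 if is_lat else 3}d}{rem / 10000:07.4f},{hemi}"

def speed_course(p, q, seconds):
    """Speed over ground in knots and initial bearing in degrees from p to q."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    dlon = lon2 - lon1
    a = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    metres = 2 * 6371000 * math.asin(math.sqrt(a))      # haversine distance
    bearing = math.degrees(math.atan2(
        math.sin(dlon) * math.cos(lat2),
        math.cos(lat1) * math.sin(lat2) - math.sin(lat1) * math.cos(lat2) * math.cos(dlon)))
    return metres / seconds * 1.943844, bearing % 360

def gpx_to_rmc(gpx_text):
    """Return one $GPRMC sentence per track point."""
    fixes = []
    for pt in ET.fromstring(gpx_text).iterfind(".//g:trkpt", NS):
        when = datetime.strptime(pt.find("g:time", NS).text, "%Y-%m-%dT%H:%M:%SZ")
        fixes.append((when, (float(pt.get("lat")), float(pt.get("lon")))))
    out, spd, crs = [], 0.0, 0.0
    for i, (when, pos) in enumerate(fixes):
        if i + 1 < len(fixes):                  # velocity toward the next fix
            dt = (fixes[i + 1][0] - when).total_seconds()
            if dt > 0:                          # skip duplicate timestamps
                spd, crs = speed_course(pos, fixes[i + 1][1], dt)
        body = (f"GPRMC,{when:%H%M%S}.000,A,{nmea_coord(pos[0], True)},"
                f"{nmea_coord(pos[1], False)},{spd:.2f},{crs:.2f},{when:%d%m%y},,")
        cs = 0
        for ch in body:
            cs ^= ord(ch)
        out.append(f"${body}*{cs:02X}")
    return out
```

The last point reuses the previous speed and course because it has no successor; altitude, which the article lists as optional, would go into a matching GGA sentence and is left out here.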
Environment
Signal reception is strongly affected by environmental conditions, most commonly the weather. Reinforced concrete buildings with thick walls (large shopping centers, airports, bridges and underground tunnels) or metal constructions (cars, roofs, elevators) can cause unpredictable results when it comes to the stability of communication and location accuracy.
Technology advancements have done a lot to mitigate these factors and to combine technologies that help stabilize the impact of these obstructions. This is good for us, but it makes environment simulation and testing more challenging. So we have to enclose the devices under test in a shielded box that is capable of weakening the reception of the real GNSS signal.
GPS simulation box
In this experiment we use a USRP B200 Universal Software Radio Peripheral configured to receive the signal from a signal source close to the box. Generally, the USRP B200 is an SDR transceiver module with frequency coverage from 70 MHz to 6 GHz. The powerful USRP B200 is precise enough to simulate a mobile cell (BTS), but in this case it will be measuring the signal weakening from our “Faraday box”. The GSG-5 uses a 1.6 GHz frequency, which is very close to the L1 GPS signal that we will be using here.
Faraday boxes
For all you DIYers out there, here is an experiment to show how well a regular tin foil box can block radio waves. From a practical standpoint, a Faraday box can be built from a closed metal box or, even better, from two unconnected boxes, one inside the other. The EMI attenuation varies depending on the selected material (copper, aluminum, steel or lead) and the thickness of the walls, both of which affect the material cost. We also consider the signal power and frequency in this experiment. To demonstrate the effectiveness of a homemade isolation box versus a professionally made one, we have gathered some candidates that potentially have some signal weakening properties. First, let’s have a look at the boxes we have tried:
- Double shielded box with pink padding
- Double shielded box-in-a-box
- Aluminum tin foil shielded ferrous microwave oven
- Lunch box covered with thick aluminum tape
- Investigation box with gloves and a window from Holland Shielding Systems
We have gathered some boxes that were made for different projects and will now evaluate their shielding effectiveness. There are a couple of double-shielded box-in-a-box prototypes that also have USB connections for a mobile device, a regular tinfoil-covered lunch box, and a modified microwave oven that was completely disassembled, covered with aluminum tape and fitted with a built-in USB webcam for visual inspection. The most promising candidate, however, is a heavy-duty steel investigation box from Holland Shielding Systems. This box is designed for medium performance shielding and has all sorts of shielded USB, power and network connectors that, for instance, allow having a wireless router inside or running an automated mobile test setup. The investigation box has a window and interior lights for better visibility during inspection with the shielded gloves. The price is a strong factor, but a robust setup requires some investment.
The results show how well each shielding box attenuates the signal over a constant distance between the sender and receiver. They clearly indicate that single-shielded and completely closed boxes will not block much of the 1.6 GHz signal; moreover, shielding performance decreases as the frequency increases. Here the winner is the HS investigation box, but the double-shielded boxes are an honorable mention, as they will be effective for simulating most cellular signal loss (1G – LTE), considering the greater distance from the cell tower. A word about the microwave oven: even though it is designed to shield microwaves around 2.4 GHz, its performance in our tests, even with a completely shielded window, was not the best. It can be combined with another box for double shielding, as can be seen in this video.
The tests with a WiFi router inside the HS investigation box showed that most devices can receive a 5 GHz band signal with medium strength from less than 1 meter away, yet the signal is not detectable 2 meters from the box.
GPS spoofing lab
The location services on a smartphone cannot be tricked that easily. Location services combine different technologies and sensors that allow a precise location and direction to be obtained within a fraction of a second, and a mismatch between these sources will be corrected to avoid GPS signal spoofing. The shielding we use, however, disconnects the smartphone from most of the location sources, such as the cellular network, WiFi, Bluetooth and GPS itself.
The phone then needs to fix its location to the simulated signal only. For that reason, the GSG-5 equipment simulates the L1 GPS signal and provides 5 satellite channels for the location fix. Any smartphone stores a location cache to speed up location detection after a reboot, so this needs to be cleared to simulate a GPS cold-start condition within the box; the phone will then fix its location to the only location source (our GPS simulation device) within minutes. The GPS simulation can be checked on the Android and iOS platforms by using applications such as GPS test for Android and GPS Diagnostic: Satellite Test for iOS.
Next we start the navigation scenario in the GSG-5 and feed in the data captured with an Android device from a real navigation trip. The GSG-5 can play back this GPS data simulation with location changes, signal loss and other simulated impairments for hours, and we can control device functional and performance tests from outside the box by using the isolated connections to the computer, network, and power. The simulations can then be combined with an automated GPS scenario, as the GSG-5 communicates through the VISA laboratory equipment protocol, and a test driver can add the SCPI commands to already automated tests so that the test engineer does not have to use the shielded gloves for manual testing.
The example lab setup was used for one of our customers where the GPS simulation was combined with the actual power and network consumption measurements of the location-based application product. The next step is to automate all the puzzle pieces for a complete mobile automated test setup with GSG-5 scenarios from any real or generated location. The primary use case for a GPS laboratory is mobile application testing, but it is not limited to only that. Any GPS based product which fits in the box can be debugged in a simulated environment, including smart wearables, e-scooter controllers, drones and many more. Here is an example of a drone fitted into the box to test if it can simulate sending the coordinates for the crash location.
If your product uses location services and you have doubts if it is working correctly, contact us, and let’s see how we can help improve it.