I have faced a problem with securing backend API in case when I can’t trust a consumer.
I have a mobile app which uses GPS coordinates. After some calculation app sends GPS coordinates to backend service. I can’t find a reliable solution to avoid faking requests from app to backend service. Some user can sniff traffic that goes from app to backend and just fake real GPS coordinates.
Is there any solution how to avoid this type of cheating? Was thinking about end-to-end encryption, but still, since some “secret key” should be stored on client side – it is possible to get it or even change it in order to see http request structure.