Store Location Information
| Plan | Platforms | MASVS |
|---|---|---|
| Enterprise | Android, iOS | Not mapped |
Overview
The Store Location Information control performs server-side geographic location lookup on stored client IP addresses. This derives approximate country-level location data for each connection, enabling geographic analytics, access pattern monitoring, and compliance reporting.
Plan Requirement
- Plan: Enterprise only
- Platforms: iOS, Android (server-side feature)
Dependency
Requires: Store IP Address must be enabled
This control depends on the Store IP Address control. If Store IP Address is disabled, location lookup cannot be performed and this control will not function.
How It Works
When a protected application sends security telemetry to the MobileDefender backend:
- IP Capture: The client's IP address is extracted from the incoming HTTP request
- GeoIP Lookup: The server performs a real-time lookup using a pre-loaded IP geolocation database (IP2Location-based data)
- Storage: The 2-letter ISO country code (e.g., US, CA, GB) is stored alongside the event in the database
- Fallback: If the lookup fails or the IP is not found, the country is recorded as NA (Not Available)
Important: The lookup happens synchronously at the time the event is received. No location data is ever sent from the client device—all geolocation is performed server-side from the IP address.
Data Stored
| Field | Description | Example |
|---|---|---|
| country | 2-letter ISO 3166-1 alpha-2 country code | US, CA, GB, DE, JP, NA |
The country code is stored in the device_events and device_info database tables and indexed for efficient querying.
Accuracy and Limitations
Approximate Location Only
- Country-level accuracy: The GeoIP database provides country-level resolution only. City, region, or precise coordinates are not available.
- IP assignment changes: Mobile carriers, VPNs, and dynamic IP allocation can result in location inaccuracies.
- VPN & Proxy: If users connect through VPN or proxy services, the country reflects the exit node location, not the user's physical location.
Not Suitable For
- Precise user tracking or targeting
- Legal jurisdiction determination
- Address verification or fraud prevention requiring high precision
Best Suited For
- High-level geographic distribution analytics
- Regional access pattern monitoring
- Compliance reporting and audit trails
Privacy Statement
No device GPS or location permissions are used. This control is entirely server-side and derives location solely from the network IP address provided by the internet connection.
- The client device does not access location services
- No iOS CoreLocation or Android LocationManager APIs are invoked
- No user-facing location permission prompts are triggered
This approach ensures user privacy while enabling geographic analytics for security and compliance purposes.
Use Cases
- Geographic Analytics: Understand the geographic distribution of your application's user base
- Access Pattern Monitoring: Detect unusual access patterns (e.g., rapid geographic shifts suggesting credential sharing)
- Compliance Reporting: Generate country-level usage reports for data sovereignty audits
- Security Analytics: Identify suspicious activity originating from unexpected regions
- Capacity Planning: Optimize infrastructure placement based on user distribution
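The rapid-geographic-shift check from the Access Pattern Monitoring use case, written as an added example (it is not MobileDefender code). Only the country field and its NA fallback come from this page; device_id and received_at are assumed column names, and the rows are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows. Only `country` is a field named on this page;
# `device_id` and `received_at` are assumed column names.
EVENTS = [
    {"device_id": "dev-a", "received_at": "2024-05-01T10:00:00", "country": "US"},
    {"device_id": "dev-a", "received_at": "2024-05-01T10:20:00", "country": "NA"},
    {"device_id": "dev-a", "received_at": "2024-05-01T10:40:00", "country": "DE"},
    {"device_id": "dev-b", "received_at": "2024-05-01T09:00:00", "country": "GB"},
    {"device_id": "dev-b", "received_at": "2024-05-03T09:00:00", "country": "JP"},
    {"device_id": "dev-c", "received_at": "2024-05-01T11:00:00", "country": "NA"},
    {"device_id": "dev-c", "received_at": "2024-05-01T11:05:00", "country": "CA"},
]

def rapid_country_shifts(events, window=timedelta(hours=1)):
    """Return (device_id, from_country, to_country, gap) for each country
    change that happens within `window` on the same device."""
    by_device = defaultdict(list)
    for ev in events:
        # "NA" means the lookup failed or the control was disabled; it is
        # "unknown", not a location, so it must never count as a shift.
        if ev["country"] == "NA":
            continue
        ts = datetime.fromisoformat(ev["received_at"])
        by_device[ev["device_id"]].append((ts, ev["country"]))

    findings = []
    for device_id, seen in sorted(by_device.items()):
        seen.sort()  # order each device's events by time
        for (t0, c0), (t1, c1) in zip(seen, seen[1:]):
            if c0 != c1 and t1 - t0 <= window:
                findings.append((device_id, c0, c1, t1 - t0))
    return findings

if __name__ == "__main__":
    for device_id, src, dst, gap in rapid_country_shifts(EVENTS):
        print(f"{device_id}: {src} -> {dst} within {gap}")
```

A hit is a lead for review, not a verdict: a VPN or proxy exit node in another country produces the same pattern, as described under Accuracy and Limitations.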
Data Retention
Location data is retained alongside the associated events:
- device_events: 9 weeks (63 days)
- device_info: 2 months (~60 days)
Older data is automatically purged using time-based partitioning to comply with data minimization principles.
Support Matrix
| Feature | Android | iOS |
|---|---|---|
| Server-Side GeoIP Lookup | ✓ | ✓ |
| Country-Level Resolution | ✓ | ✓ |
| Zero Client-Side Permission | ✓ | ✓ |
How to Enable the Control
Navigate to Device Settings from the AppTego portal, and expand the Telemetry And Analytics section. Under this section you will find the Store Approximate Location control. Click Enable to turn it on for the next build, or to have it applied with a live push (if enabled).
API Configuration Example
{
  "StoreLocation": {
    "protection": true
  }
}
| Field | Purpose |
|---|---|
| protection | Enables store approximate location for protected apps. |
Configuration
This control is enabled or disabled at the tenant level. When enabled:
- The backend performs GeoIP lookup on all incoming events
- Country codes are stored in the database and available for analytics
When disabled:
- No GeoIP lookup is performed
- The country field is set to NA for all events
- Geographic analytics are unavailable
Note: Store IP Address must also be enabled. If Store IP Address is disabled, this control will be automatically disabled.
Contact your MobileDefender administrator to enable this control.