IEEE TRANSACTIONS ON EMERGING TOPICS IN COMPUTING

WORAL: A Witness Oriented Secure Location Provenance Framework for Mobile Devices

Ragib Hasan, Rasib Khan, Shams Zawoad, and Md Munirul Haque

Abstract—Location based services allow mobile device users to access various services based on the users’ current physical location information. Path-critical applications, such as supply chain verification, require a chronological ordering of location proofs. It is a significant challenge in distributed and user-centric architectures for users to prove their presence and the path of travel in a privacy-protected and secure manner. So far, proposed schemes for secure location proofs are mostly subject to tampering, not resistant to collusion attacks, do not offer preservation of the provenance, and are not flexible enough for users to prove their provenance of location proofs. In this paper, we present WORAL, a complete ready-to-deploy framework for generating and validating witness oriented asserted location provenance records. The WORAL framework is based on the Asserted Location Proof protocol [1] and the OTIT model [2] for generating secure location provenance on the mobile devices. WORAL allows user-centric, collusion resistant, tamper-evident, privacy protected, verifiable, and provenance preserving location proofs for mobile devices. The paper presents the schematic development, feasibility of usage, comparative advantage over similar protocols, and implementation of WORAL for Android device users including a Google Glass based client for enhanced usability.

Index Terms—Location Assertion; Location Proof; Location Provenance; Location Security; Witness Endorsement; WORAL

1 INTRODUCTION

Mobile devices have enhanced the use of location-based services (LBS) using the geographical locations of the devices [3]. LBS use location tags, such as in social networks, shopping coupons, traffic alerts, and travel logs.
However, LBS dependent on location proofs collected by the user have more interesting features and applications. An auditor can later verify the claim of presence with respect to the user’s identity, the location in question, and the time when the user was present at that location.

However, untrustworthy location reporting has implications ranging from trivial cases, such as cheating in social games [4], to national security issues [5]. Self-reported location presence using Global Positioning System (GPS) coordinates, cell triangulation in mobile phones, and IP address tracking are all susceptible to manipulated and false location claims [6]. Continuous tracking of users by service providers, including third-party applications, violates the users’ privacy, allows traceable identities, and makes the users defenseless against untrusted service providers [7]. The service providers may also sell the location data of their users, taking advantage of the small-text in the service agreements [8]. Buggy and insecure implementations aggravate the situation even further.

Ragib Hasan (ragib@cis.uab.edu), Rasib Khan (rasib@cis.uab.edu), Shams Zawoad (zawoad@cis.uab.edu), and Md Munirul Haque (mhaque@cis.uab.edu), SECuRE and Trustworthy computing Lab (SECRETLab), Department of Computer and Information Sciences, University of Alabama at Birmingham, AL 35294-1170, USA.

Provenance of information is important for tracing the authenticity of the data back to its source [9, 10]. The provenance of location is a crucial requirement in path critical scenarios. A valid claim of travel path needs to be verified in terms of the location provenance. The integrity of a product may be highly justified by the supply chain and the intermediate locations which the product travels through [11]. Provenance for location is a continuous process and is required to be preserved as the user travels around collecting location proofs.
Unlike general data items, the sequence in which the locations are traveled needs to be preserved in chronological order within the provenance chain. As a result, location provenance poses a greater challenge than that for general data items [2].

There have been numerous proposals for allowing user-initiated location proof generation [3, 12–15]. A localization authority covering the area utilizes some secure distance-bounding mechanism to ensure the user’s presence when the user requests a location proof [16–18]. However, existing mechanisms overlook collusion attacks as well as the provenance of the location proofs. Related works thus far have not considered third-party endorsement and the chronological ordering for secure location proofs together, which makes the schemes vulnerable to collusion attacks and tampering with the order of the proofs [3, 6, 7, 12–25].

The following illustrates the practicality of a secure and asserted location provenance framework. Bob is an engineer at a construction company. The company requires Bob to travel to the construction sites and create a daily report of the project status. Unfortunately, Bob is charged with negligence towards his job when the company suffered a major loss due to an accident. The inspection report that Bob presented was discarded for being a false document as the company claimed that Bob did not visit the construction site and the accident was a result of his negligence. In an alternate scenario, Bob collects location provenance records as he visits each of the