Authors: Samuele Mombelli and Thomas R. Souvignet
DFRWS EU 2026
Abstract
Geolocation traces extracted from mobile devices are increasingly used as critical evidence in forensic investigations, offering insights into user activity and physical presence. Yet, the opaque nature of geolocation processes—especially those relying on proprietary components—creates major challenges in assessing their provenance, accuracy, and reliability, and increases the risk of misinterpretation. This work investigates the internal mechanisms implemented by Android’s Fused Location Provider (FLP)—the core geolocation framework used by most Android devices today—through reverse engineering, dynamic testing and forensic analysis. It details how multiple sources of location data are fused into location fixes, and how contextual parameters influence geolocation calculations. The study also uncovers a set of previously undocumented local traces of geolocation activity, analyzing their structure, persistence, and forensic potential. Our findings highlight the complexity and adaptive nature of Android’s geolocation system and provide a technical foundation for the forensic interpretation of geolocation traces on Android devices.