Skip to main content

4 posts tagged with "vpn"

View All Tags
MissedRemote accessVPNFake GPS appJailbreak / Root★ Pinned

Radar / Wind Creek Casino Online PA: iOS RDP, DroidVNC + Tailscale, and Android VPN undetected (results June 19)

RadarWind Creek Bethlehem
radarwind-creekwind-creek-bethlehempennsylvaniardp

Source. June 23, 2026 weekly sync.
Ticket. CIV-91: Wind Creek Bethlehem PA — environment compliance updates.

What we tested

Full integration testing of Wind Creek Casino Online PA (Radar) across iOS, Android, and browser. Results delivered June 19.

What happened

TestResultDetail
RDP — iOS FaceTime & iPhone Mirroring✗ Non-compliantNot detected. User outside PA (TN) remotely controls an in-state iPhone and places bets. In-state user must log in first; remote user controls the screen from there.
RDP — Android DroidVNC + Tailscale✗ Non-compliantNot detected. Remote user in an excluded state places bets on a PA Android device using DroidVNC and Tailscale together.
VPN — Android (Turbo VPN)✗ Non-compliantNot detected on Android. User logged in, placed bets, and played casino with VPN active.
VPN — iOS✓ CompliantVPN detected at login and mid-session.
RDP — Android (TeamViewer, AnyDesk, HopToDesk)✓ CompliantDetected at login or interval check.
Fake location — Android (FLA)✓ CompliantDetected before and during a gaming session.
Cross-border into exclusion state✓ CompliantUser fails geolocation at or just past the border (~90 m buffer).
Rooted Android + mocked location⚠️ Compliant*User fails for mock location / jurisdiction errors. Root itself not detected, but mocked location is caught. With GPS JoyStick the failure took longer — suggesting IP mismatch or low confidence score rather than direct root detection.

UX issues — new user flow & deposit

Operator-side friction observed during the same test cycle (not Radar detection failures, but worth tracking):

  • Android Galaxy S16 deposit loop: debit card deposit failed and sent the user into a loop — account flagged for Wind Creek approval with no timeline and no clear prompt. User attempted 3 times before abandoning.
  • ID verification false positive: notification asked user to close any app using the camera (triggered by screen recording). User bypassed by restarting the app — screen recording continued undetected.
  • No autofill for address, phone, or email on either platform.
  • Deposit methods limited to PayPal, Venmo, and debit card only.

Why it matters

Three undetected vectors on the same Radar deployment while the "standard toolkit" checks pass — native iOS screen sharing, Android DroidVNC + Tailscale, and Android VPN. The compliant iOS VPN handling directly contrasts with the undetected iOS RDP gap.

Cross-reference

Radar profile → · June 23 weekly sync →

MissedBoundary crossingRemote accessVPNNear border

Locance (LocationSmart) / Luxury Casino Ontario: cross-border play, RDP, and Android VPN gaps; Mac VPN blocked

LocanceLuxury Casino
locancelocationsmartluxury-casinoontarioquebec

Source. June 16, 2026 weekly sync.
Ticket. CIV-54: Locance (LocationSmart) — full validation.

What we tested

Integration validation of Locance (LocationSmart) on Luxury Casino Ontario — cross-border movement between Ontario and Quebec, remote access (TeamViewer, AnyDesk, HopToDesk on desktop and Android), VPN usage across Mac / Android / iOS, and near-border location accuracy on iOS.

What happened

AreaResultNotes
Cross-border play (ON ↔ QC)✗ Non-compliantWagering was possible for multiple kilometres across the provincial boundary in both directions with no friction.
Remote access (TeamViewer, AnyDesk, HopToDesk)✗ UndetectedGameplay continued with active remote control on desktop and Android solutions with little to no friction.
VPN — Mac✓ DetectedVPN / proxy usage was identified; platform access denied.
VPN — Android✗ UndetectedActive VPN tunneling was not blocked; user authenticated and wagered.
VPN — iOS⚠️ Blocked, no UXAccess was denied with VPN enabled, but no error message or troubleshooting guidance was shown.
Near-border UX (iOS)✗ Poor accuracy~100–150 m from the border the app placed the user in Quebec despite a physical Ontario location.

Why it matters

Locance failed on the two vectors regulators care about most on a border-adjacent Ontario deployment: jurisdictional containment (cross- border play for kilometres) and remote session control (three major RDP tools undetected). VPN handling is inconsistent across platforms — Android is fully open, iOS blocks silently — which is both a compliance gap and an operator-support problem. The near-border mis-location suggests geofence accuracy degrades exactly where enforcement should be strictest.

Cross-reference

Locance profile → · June 16 weekly sync →

MissedVPNComplianceUX / messaging

GeoLocs / mkodo at OLG (Ontario): VPN-from-Ontario allowed when location services are on; Netherlands VPN only blocked on re-entry, no user-facing error

GeoLocsOLG (Ontario Lottery & Gaming)
geolocsmkodoolgvpnontario

Source. May 26, 2026 weekly sync.
Ticket. CIV-52: Ontario — mkodo / GeoLocs — Compliance Failures & Retest (Casumo, High Flyer, OLG).

What we tested

Two VPN scenarios against the OLG (Ontario Lottery and Gaming) web app, geolocated by GeoLocs / mkodo:

  1. Ontario-based VPN — exit-node inside the licensed jurisdiction.
  2. Netherlands-based VPN — out-of-jurisdiction exit node.

In both cases device location services were left active so the system had a real GPS signal alongside the VPN IP.

What happened

  • Ontario-based VPN was authorised when location services remained active. Unrestricted gameplay and wagering were permitted — the VPN itself was not flagged.
  • Netherlands-based VPN did not trigger any immediate session termination. The user was able to keep playing.
  • Detection only fired on re-entry — when the user exited a game and tried to come back in, the system finally prohibited access.
  • No explanatory error notification was shown to the user at the point of block. Silent failure on a compliance event.

Why it matters

Two distinct failure modes in one test:

  1. VPN-tolerance when device GPS agrees. A VPN with an in-state exit-node is fine, even though VPN-detection is a normal column of any modern compliance stack. Anyone wanting to obscure their network identity inside Ontario faces no friction.
  2. Late, silent block on out-of-state VPN. The system does eventually detect the Netherlands VPN, but only at a session boundary — and tells the user nothing. From the user's perspective the platform "just stopped working."

This combines into a UX-and-compliance double failure: the wrong thing is allowed, the right thing is detected too late, and the user is never told what happened.

Cross-reference

GeoLocs profile → · May 26 weekly sync →

MissedVPNFake GPS appEmulator

High Flyer Casino TN: location spoofing succeeds on iOS + Android — bets placed from outside Tennessee, blocks only enforced at game level

GeoLocsHigh Flyer Casino
geolocsmkodohighflyer-tniosandroid

Source. May 26, 2026 weekly sync.
Ticket. CIV-52: Ontario — mkodo / GeoLocs — Compliance Failures & Retest (Casumo, High Flyer, OLG).

What we tested

Whether High Flyer Casino (Tennessee) could be accessed and wagered on from outside the licensed state using common consumer-grade spoofing combinations:

  • iOS — Safari + iAnyGo location-spoofing tool + VPN.
  • Android — equivalent setup.
  • iOS Emulator — for comparison against the native iOS path.

What happened

  • iOS path succeeded. Bets placed from outside Tennessee with no website-level block.
  • Android path succeeded. Same outcome.
  • iOS Emulator test produced identical results to native Android — the platform does not differentiate the emulated environment.
  • Some individual games returned location errors — but this enforcement comes from the game providers themselves, not from the sportsbook integration. Coverage is therefore inconsistent and per-title rather than per-jurisdiction.

Why it matters

The geolocation controls at the platform level are effectively absent for this operator on the most common consumer spoofing toolchain (VPN + commodity iOS spoofer). When detection does fire, it fires from game providers rather than from the operator's compliance layer — meaning enforcement depends on which game the user happens to open, not on a coherent jurisdictional decision.

Cross-reference

GeoLocs profile → · May 26 weekly sync →