As you correctly stated, if the user has control over her device, it is not possible to stop cheating. She can monitor the GPS input, reverse-engine the code, identify encryption (if any) and send the request accordingly.

Obfuscation is questionable, it may slow down (but wont stop) the attacker. You will hurt your own debugging capabilities and clean design.

The proper design is the following: send the request in clear text for your API, but sign it. Your API should reject all requests which is signed incorrectly. Just add one more parameter field to your api, which contains the signature.

You can use your own PKI or simple hash generation (if performance is an issue). Of course, the attacker can still reverse-engine the signature algo, but let's suppose she hasn't got the skill.

As you correctly stated, if the user has control over her device, it is not possible to stop cheating. She can monitor the GPS input, reverse-engine the code, identify encryption (if any) and send the request accordingly.

Obfuscation is questionable, it may slow down (but wont stop) the attacker. You will hurt your own debugging capabilities and clean design.

The proper design is the following: send the request in clear text for your API, but sign it. Your API should reject all requests which is signed incorrectly. Just add one more parameter field to your api, which contains the signature.

You can use your own PKI or simple hash generation (if performance is an issue). Of course, the attacker can still reverse-engine the signature algo, but let's suppose she hasn't got the skill.

Edit: I suggest you to include timestamp to the API to prevent replay attack. (Of course the timestamp should be digitally signed along with the rest of the data). This way your users can not save location URL strings and manually replay it when they are not at that area. Without timestamps they could do that regardless of the use of encryption.