This document discusses SDK spoofing, which is when attribution data from mobile apps is falsified. It can affect metrics like impressions, clicks, installs and revenue. SDK spoofing undermines the ability to understand real user behavior and evaluate test performance. While closed source SDKs and server-to-server integrations don't prevent spoofing, SDK signatures that are costly to crack can help by making spoofing less economically viable. The document advises app developers to protect internal data, evaluate which SDKs are at risk, and communicate with partners about SDK spoofing issues.
Demystifying SDK Spoofing
Slide 12: What’s affected?
‣ Impressions
‣ Clicks
‣ Installs
‣ Sessions
‣ Events
‣ Revenue
‣ KPIs (LTV, Retention…)
‣ Callbacks to your BI
‣ Callbacks to partners
‣ Fraud prevention
Spoof the network SDK
Spoof the attribution provider
No longer objective
Slide 13: “Common Sense” Fraud Prevention
‣ You lose the ability to know what realistic data should look like.
‣ You can’t guarantee your test group is clean of spoofed data.
‣ …how do you know what KPIs “look good”?
Slide 15: The Perfect Solution…
‣ Apple and Google telling us what is legit and what isn’t.
‣ …maybe one day.
Slide 16: Step 1: Don’t believe the hype
‣ Any claim that an SDK is “spoof-proof” is demonstrably false
‣ Closed source SDK? Nope
‣ Sending data to an attribution provider S2S? Nah
‣ Buzzword nonsense? Uh…
‣ These solutions don’t work because the spoofer controls both the source of data and the means of delivery.
Slide 17: Step 2: SDK Signature
‣ Goal: To ensure data came from a real app running on a real device.
‣ Shared secret, or SDK signature.
‣ This too can be spoofed.
‣ The only solution is to price spoofers out:
‣ Make them hire a security expert
‣ Make each signature cost money to crack
Slide 18: So… now what?
Chase up your partners
Protect your internal data
Shortlist which SDKs are at risk
- SDK spoofing doesn’t come up enough in product research
Quickest-growing type of fraud we’re observing; growing exponentially
From think tank/research, needs to be talked about more
SafeDK: End of 2017, average app = 18.5 SDKs.
All send data
Focus on Attrib but applies to all
“Direct communication”
Payloads (lists of information)
SIDENOTE:
S2S integration explanation
Non-direct connections: Routers, VPNs, sharing net connection on LANs
Proxy servers look identical to the sender
To the attrib provider this looks like the prior direct connection
The spoofer controls both the source of data and the delivery method (dataflow)
Spoofer can change variables on the device, see how the attribution provider responds, and create a positive feedback loop that trains them to crack the data
Then…
They can now freely send ‘legitimate’ SDK data to the endpoint
“The spoofer has access to 600m devices through whatever means… and the data he has is IDENTICAL”
(This ruins ranking of devices)
- So, which of these can be spoofed? Uh oh…
Because of the nature of the problem (spoofer controls source & transmission), the answer is all of them
Let’s stick with the attribution related stuff
Everything can be spoofed
All your KPIs for decision making are compromised
Fraud prevention: Not only are math filters tricked…
As well as using FPS, you should look at the data: too good to be true? It probably is.
BUT: You don’t know what “too good” is anymore if your sample from the early days of your app is contaminated
[3] Even if you send attribution data from your own BI, the connection between app and BI will be spoofed as well
[4] AI-driven blockchain machine learning crypto dynamic logic neutron server-side solution sponsored by Tesla?
[2] Have a ‘secret’ that the beginning and the end know but not the middle
[4] “You guys know ROI, well so do spoofers”
This is what banks do
Any sdk for which there is a financial benefit to spoof… is at risk
For each of those, ask them what they’re doing about it…
Consider dumping any which claim they’re spoof-proof
For adjust you need to talk to me and Andreas
If you’re doing S2S you need to build a cryptographic signature
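Added example, not code from the talk or from any attribution SDK: a minimal HMAC-based SDK signature of the kind the Step 2 slide and the S2S note describe, where the app and the attribution provider share a secret that the middle of the path does not have. The function names, the demo secret, the payload fields and the 300-second freshness window are all assumptions; as the slide says, a secret shipped on a device can still be extracted, so this raises the cost of spoofing rather than preventing it.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo secret, not a real key. A secret on a device can still be
# extracted, so this prices spoofers up; it does not make an SDK "spoof-proof".
SHARED_SECRET = b"demo-shared-secret-not-for-production"
MAX_SKEW_SECONDS = 300  # assumed freshness window

def canonical(body: dict) -> bytes:
    """Deterministic serialisation so SDK and provider hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_event(event: dict, secret: bytes = SHARED_SECRET, sent_at: int = 0) -> dict:
    """SDK side: add timestamp (caller passes unix time) and nonce, HMAC everything but 'sig'."""
    body = dict(event)
    body["sent_at"] = int(sent_at)
    body.setdefault("nonce", secrets.token_hex(8))
    body["sig"] = hmac.new(secret, canonical(body), hashlib.sha256).hexdigest()
    return body

class Verifier:
    """Attribution-provider side: checks signature, freshness and replay."""

    def __init__(self, secret: bytes = SHARED_SECRET):
        self.secret = secret
        self.seen_nonces = set()  # in-memory for the demo; use a store with a TTL in production

    def verify(self, body: dict, now: int) -> bool:
        body = dict(body)
        sig = str(body.pop("sig", ""))
        expected = hmac.new(self.secret, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False  # payload edited in transit or signed with the wrong secret
        if abs(int(now) - int(body.get("sent_at", 0))) > MAX_SKEW_SECONDS:
            return False  # stale or future-dated: likely a recorded-and-replayed event
        nonce = body.get("nonce", "")
        if not nonce or nonce in self.seen_nonces:
            return False  # exact replay of an event that was already accepted
        self.seen_nonces.add(nonce)
        return True

if __name__ == "__main__":
    event = {"event": "install", "app_id": "com.example.app", "device_id": "demo-idfa"}  # constructed
    signed = sign_event(event, sent_at=1700000000)
    v = Verifier()
    print(v.verify(signed, now=1700000000))                            # True
    print(v.verify(dict(signed, event="purchase"), now=1700000000))   # False: edited payload
```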