Advertising & Brand

The Scary Truth About SDK Spoofing And How To Watch Your Back Against Ad Fraud

43 min read

When marketers detect one kind of mobile ad fraud, the win is short-lived: fraudsters simply pivot to another. SDK spoofing, in which fraudsters generate installs that look like the real thing by sending fabricated SDK traffic to the attribution server, is perhaps the most worrying type of ad fraud because it is both elusive and expensive. Our host Peggy Anne Salz catches up with Michael Paxman, Product Research Manager for Europe and Japan at Adjust, a leading global measurement company providing analytics, measurement and fraud prevention for mobile app marketers worldwide, to discuss the scary truth about SDK spoofing. Mike explains why marketers cannot hope to put an end to SDK spoofing, ever, but can still beat fraudsters with an approach that makes sure their crime does not pay. Mike also discusses an update to the company’s free benchmarking tool, which marketers can use to compare their app against the rest and check whether their own performance metrics are on the mark or missing the target by a mile.

Transcript

Hello and welcome to Mobile Presence.  I’m your host, Peggy Anne Salz, with Mobile Groove, where I plan, produce and promote content that allows my clients to reach performance goals and scale growth.  It’s all about growth here and we’ve been having some sessions, you know, and some episodes where we deep dive into things like growth hacking and what you need to know but of course, you know, we can also be a little light but also a bit serious.  We’re going to do both today, actually, because we just put Halloween behind us, there’s still an eerie afterglow, a few days after, and it’s a perfect fit with a very scary topic that our guest spoke about at a recent conference that I attended.  I was so impressed, I brought him back here on the show.

So, Michael Paxman, Product Research Manager at Adjust.  Welcome to Mobile Presence, Mike.

Thank you, Peggy, thank you for having me.

So, as I said, I was impressed, it scared me and I don’t even have an app so you can imagine what it’s going to be for our audience today.  So, it’s all about SDK spoofing.  First of all, just an educational crash course here – what is it?

So, all of mobile advertising, all of the tracking and analytics that our clients do and mobile marketers do is based on the concept that the data coming from the device from the app is legitimate.  And you hear all these other types of fraud, click spam, click injection, whatever it might be, and these all attack various methods for counting that data up.

But SDK spoofing attacks the concept of getting that data in the first place and without going too technical, essentially what spoofers do is they set up there – you could do it with a MacBook – to send data requests that are identical to real installs to attribution providers like Adjust.  And unfortunately with the way data transmission works, at some point the data has to leave the device to head to the server and if you grab what that looks like when it leaves the device and you duplicate it, we have no way of knowing if that really came from a device or if it came from a laptop.

So, I’m speechless right now, Mike, because I’m really getting it.  So basically anyone with a laptop, anyone with a Mac, anybody anywhere in the world can be more or less duplicating, emulating, this data and what does it look like to the marketer and what’s the impact there?  I guess, it just looks like, hey, another install?

Exactly.  If you are doing – and it’s not just mobile attribution, if you’re getting data from your app for anything and you’re being spoofed and you have no protection, you would actually never know if they’re doing their job right, if the spoofers have done their homework and have sort of cracked the code, if you will, it doesn’t matter what you do, at the end of the day – it’s an unsecured device, you don’t own that device, you don’t actually know if the data is coming out of an iPhone or a MacBook.

And it’s extremely easy to get a hold of 100,000 real device IDs, you can buy them online, you could put a free app on the App Store, a free game, and just farm them off there, it doesn’t really matter – that allows anyone with a laptop and an internet connection potentially to generate 100,000 installs from device IDs that are real and trick an attribution provider, a network, a third-party SDK, whatever it may be, third-party provider, into believing it’s legitimate.

And if they do it right, because of the way data transmission works, there is literally no way to know if it happened.  So, yes, I saved this from Halloween just for you.

I can see it.  So, I mean, it’s the same with all fraud, we’ve had other shows about fraud here on Mobile Presence – you can’t stop it, they’re too smart, they’re learning while we’re speaking right now, Mike, so there is no way to sort of say “Oh, I’m going to stop this”, but there is a way to detect it, protect – I mean, what are you proposing given that it’s so simple to be duped?  What can app marketers do?

Yes, so the first thing to understand is that it cannot be solved, you cannot prevent spoofing unless your users drive up to your office and use your app exclusively in front of you, you’ll never know.  What we do and what financial apps do and apps that must be secure, what they do is they do something called – they use something called a signature and a signature is essentially when your device sends some data to someone, it has to sign it with a signature, like a letter and any data coming in that doesn’t have that signature is rejected because we know it’s fraudulent.

Now, the problem is, and I’m sure some of your listeners have already spotted this, this can, of course, be spoofed.  If it’s just a string of characters, like letters and numbers, it’ll be spoofed in 30 seconds.  So what we need to do and what we have done is we have created a cryptographic signature – that means that those letters and numbers that the data needs to be signed with, the string of letters and numbers is the solution to a cryptographic formula and this means that if you want to spoof us now, Adjust’s SDK, you need to do extra steps.  One is you would need to hire a security expert, someone who knows how to crack apps, and those guys are probably a little bit too busy working for the Pentagon, or they’re going to ask you for a 6 figure salary.  So that has kind of increased the cost of the spoof.

But more importantly, even if you figure out the process to crack it, it’s not, you know, it’s not a couple hundred numbers being added together, it is a mathematical problem that would require computer power to solve every single time.  And that means let’s say a spoofer is trying to steal a CPI worth $5, what they will end up with is $5.  If the programmatic cost to solve the signature, however, they do it, an AWS instance or something like this, costs them $6, they will not spoof you.  Now it is an arms race and there’s no, you know, there are probably some people out there who say “Well, this isn’t a flawless solution”.  It isn’t a flawless solution but our plan and the plan that, you know, I’m very certain that companies like Facebook and Twitter would use for their data security is to make it so expensive to spoof us that it’s not worth doing at scale.

Now, I hope there are no security hackers in your audience but there may be.  If you were to spoof our SDK and hack it once, we don’t claim to be, you know, sort of reinventing the wheel – we’re not working in the Pentagon.  We have made it so that spoofers in mobile attribution, the guys who are click spamming and doing all these other terrible things, we’re just pricing them out, we’re just pricing them out.  And every single time we update the signature, which, for us, is actually not that hard to do, but every single time we update it, all their homework goes in the garbage and they start all over again, and the price goes up – the price, the process, the solution.

So, it’s a sort of – I would say, if you have your engineers listening, I would say get used to updating your app more frequently, but you are protecting the core concept of mobile marketing and ultimately, at the end of the day, there’s one number that fraudsters care about more than anything and it’s profit, like everybody else.  They’re kind of businessmen, like you and I, just with slightly different methods and if it’s too expensive to do, they won’t do it.

Makes perfect sense, Mike, because as we pointed out, it doesn’t stop.  They get smarter, it just keeps going.  I’m a member of the Mobile Marketing Association, I’ve been reading the A&A numbers – these are huge numbers for all different types of fraud and in this particular case, it just makes sense to say OK, we can’t stop it but we can out-price it, we can make it unattractive to do this in the first place.

Right, there’s no payout.

There’s absolutely no payout.  I’m just curious as an aside here, this is something we’re probably going to be hearing about a lot more in the future.  I mean…

I hope so.

I hope so too, that we fight it – was 2018 like the year of understanding and being aware of this because I have to say I watched the industry, I hadn’t heard of this before your talk.

It’s a tricky question to answer.  I – just based on the core concept of mobile data being unsecured, I would say I think it’s been around as long as the industry.  What is its impact up to today?  I couldn’t tell you, nobody knows.  The only, what do you want to call it, light at the end of the tunnel I can offer is that the strategy that we are taking on is going to work.  It may be that the current edition isn’t expensive enough, CPIs are on the rise, it only takes 1 cent of profit for it to be viable.  Maybe AWS gets cheaper, we’d have to make it more complex.  It is just because of the nature, if it’s done properly, we don’t know it happened – I can’t estimate when it started, I can’t estimate how big it is but what I can say is that it is – just we, the data that stands out at us is when spoofers get it wrong and the fake data they send us is a little bit off and the amount of that that’s coming in is growing and those are the guys who are worst at it.

It’s a great time to take a break right here, Mike, because I think what we want to do is we want to come back and we’re going to talk a little bit more about what app marketers can do and a little bit more about the alternatives, the impact, the size of what’s going on, keep this scary story going with your help, Mike.  But don’t go away, listeners, we’ll be right back after the break. 

Welcome back to Mobile Presence.  I’m your host, Peggy Anne Salz with Mobile Groove and our guest today, Michael Paxman, Product Research Manager at Adjust.  And Mike, right before the break, we were talking about SDK spoofing, you were giving us the crash course we need but the question might be, the audience is saying “yes, I get this, I buy into this, I understand it – I need to do something”.  What exactly are they going to need to do?  The practical steps of how they equip themselves.

Sure, I didn’t want to leave everybody on a sour note so I do have good news.  I mentioned it a little bit earlier but we have released this cryptographic signature that you plug and play into the Adjust SDK when you integrate it into your app and you can manage it through the dashboard, you can see what’s going on there.  All you really need to do is, if you’re already using Adjust, add it to your app – if you’re not using Adjust and you’re interested, put it in on day one, and that’s it really because once it’s in the app, then we can guarantee that the data coming in either is legitimate or somebody’s spent a lot of money to fake it.

So it really is a plug and play.  What I would also very much encourage people to do is, outside the scope of attribution, or outside the scope of Adjust, if you’re using another attribution provider or whatever other SDKs you might be using in your app, including your own data transmissions to your own back end, maybe for tracking how many crystals a user has in a game or something like this, I would take a look into: are those secure?  And frankly, there has been in the past, perhaps due to a lack of knowledge or not enough research in this area, I’ve seen claims that we can’t be spoofed, you know?  We have a method of guaranteeing that the data from the app is legitimate on the server, from all different, you know, verticals within this industry.  This is not true.

You bring it up, Mike, so I’d like to ask you, let’s turn that around.  What happens if someone says “I have an unspoofable SDK”.  Is there such a thing?

So, no.  Unless what they’re referring to is I have a signature that’s super duper, duper crazy, then no.  And I would say any partner you’re considering putting in your app should be able to explain to you how they made themselves spoof proof and if the answer is not cryptographic SDK, I would really like to talk to them because they have invented something that is theoretically impossible which would be pretty cool.

No, so just because at the end of the day, the spoofer can control the start of the transmission, the device, and they can control the means of delivery, i.e. through their laptop, there is no way to know from the recipient’s end that the letter is legitimate unless you have this matching signature.  If you put the full responsibility for data realness on one end of the process, there’s no way to know where it came from.

I mean, it makes perfect sense to me but, you know, app marketers, they have to watch their back, they also want to watch their bottom line.  I understand you have another tool, an update to a tool I wanted to hear more about because I’m not quite clear on what it is and what it allows me, as an app marketer to do.  So what can an app marketer do with your benchmarking tool?

Sure.  So I hope everybody is sufficiently terrified and…

Yes, that’s right, we need a little bit of really good news here.

…please reach out to your account managers about this post haste.  So, the app marketing benchmark tool is something we released earlier this year and it is on our website but you don’t have to be an Adjust customer, it doesn’t require any sign-up or anything like this and it is by far the most requested thing from UA managers and sort of marketing strategy teams was “I can see how well my app is doing, I know how well my users retain but I don’t know if this is good in this vertical”.  Right?  Even if you’re way up in the app store top 100, if you have a one-day retention of 5%, that’s probably not good.

But there’s no real easy way to know that – you can pay for datasets, you can pay a lot of money for datasets, and we’re in a quite advantageous position that we track 7,000 apps, more than 4 billion installs in just the last year alone, or this year I think it is, last year, sorry, alone, and we’re able to present that data obviously anonymously, we’re not going to reveal any particular app’s results, but we’ve taken all of that private information out of there and we’ve bundled it all together and then we’ve produced this benchmarking tool that, from a browser, lets you slice and dice this data and understand how you’re performing relative to other app marketers.  It also, if you’re looking to move into a new market, you might be able to see okay, I can expect this kind of retention, things like this, iOS versus Android, organic versus paid acquisition, things like this, and you can just mix and match those all together, slice and dice the data and sort of create benchmarks that make sense for you.

I like this idea because we always say that business intelligence is like your daily dose.  You have to watch the data, eat the data for breakfast, as one of our guests once said, every single day.  Now that means taking a look at a lot of different sources of information out there – benchmarks are really important.  How would I understand this connection with, say, for example, the app market data I might get from someone like a, I don’t know, a Sensor Tower, App Annie, all the other companies out there?  I imagine this is one of those complements to the equation, correct?

I mean, you can’t really have too many insights and sometimes you will see benchmarks maybe not lining up with that but that usually means one of two things.  You’ve either innovated and outperformed the market or you may not be targeting the right people, you may not be looking in the right regions, perhaps you’re buying your CPIs way too cheap, things like this.

It really – so, it’s not per app, right, if you want per app data you’re going to have to log into Adjust or use another attribution provider and so on.  What we’re doing is we’re showing down to a quite granular level what is the retention rate in this vertical overall?  What percentage of installs are rejected as fraudulent?  What’s the average CPI?  How many user sessions can you anticipate, things like this?

It’s my experience talking with clients, it’s about 50/50, about half of our clients say yes, these numbers are more or less like ours, we’re a pretty standard app in this vertical and the other 50 sent us terrified emails saying we are massively under or over performing.  Which I think both are good news in different ways.

It’s always that same way, Mike, it’s always somewhere in the middle.  I used to be, a long time ago, I used to be a telecom analyst and it would just be like “Let’s see what Forrester says and we’ll just be in that range”.  Not saying this is what’s happening with your tool but it’s always good to know sort of the range, being specific, that would be something even too amazing, what analyst out there or anything for that matter is so specific.  What I want to get specific about is how do I get hold of the tool?  Is it just something I do online, can I do it for free, how do I actually access this because our audience would love to access it if it’s out there.

I would like to welcome your audience to sort of go along with me right now if that’s alright?

OK, where is it?

So, you go to app-benchmarks.adjust.com and when you enter that website, a website full of beautiful gradients will await you, and right across the top, just under the title, is the date setting.  Now, at the moment, the data we have is from 1st January to 31st March this year – we are currently expanding this dataset, so keep an eye open because eventually, that will become much, much bigger.  I haven’t got the final details on the dates but I believe it’s going to be over a year’s worth of past data – don’t hold me on that one but that’s what we’re aiming for.

But more importantly, just below that are four KPIs, or four rules you can set for your filtering.  App Category which uses the verticals from the app stores so entertainment and news, travel, gaming, social etc.  Region, split up into continents, Europe, North America, Latin America, Asia Pacific and Africa and the Middle East.  And then Acquisition Type – organic or paid, and finally Platform – iOS or Android.  You can choose a specific for each one of those or you can have all of each one, whatever suits.  And that’s it, and once you’ve done that, you just scroll down, you’ll see your retention rate, you see a graph but also day 1, 7, 14 and 28 retention rate.  Rejected fraudulent install rate, cost per CPI, sessions per user and events per user.

And that’s it, and then you can just do whatever you want with that data, it is yours, you know, play around with it, change it every day, see how your app would look in different regions, things like this, and it will update in real-time.

Yes, and use that to have a data-driven marketing strategy because that’s certainly what it’s all about.  And, Mike, I understand from listening to you, it’s free.  I just go there, I just do it.

It is free, you can do it right now – we essentially, we didn’t feel like having people sign up for this was fair, to be honest, because it’s anonymous data, and there’s not enough out there, and if, you know, I’m probably going to make some enemies here but if this saves a couple of app marketers from spending $10,000 on a dataset, that’s good for everybody, right?

That’s good for us, that’s definitely good for us.  That’s definitely good news, free is always the magic word even here at Mobile Presence.  So, Mike, we have to go to a break right now but when we get back, we will be talking about some other new projects over at Adjust and also maybe just a little bit of a peek into what you think are the top trends of 2019 as we move in that direction.  So, listeners, don’t go away, we’ll be right back.

And we are back at Mobile Presence.  I’m Peggy Anne Salz with Mobile Groove and we have today Michael Paxman, Product Research Manager from Adjust.  And Mike, right before the break, we were deep diving into, well, a couple of tools that you have over at Adjust and we’ll be also talking about those more in the show notes where people can access, for example, the benchmarking tool.  But something else going on over at Adjust that I’d like to have an update on because I guess our audience would also like to know how to be a part of it.  You have a bit of a special community.  What is it?

Yes, so it’s called The Adjust Think Tank and it’s a research project that we launched with our sort of best and brightest clients from all over the world and it comes in two parts.  One is the think tank events where we gather sort of ten to fifteen, sometimes a smaller group, of leading mobile marketers and we sit down and we try to crack a new concept that mobile marketing needs.  Even in 2018, going into 2019, this industry still – it’s very young and a lot of the maturity of web tracking hasn’t come over and in some cases for very good technological reasons.  And we like to sit down and over some beverages, alcoholic or otherwise, and really break down what do people want to see in their dataset, what do they want to see on our dashboard, what functionality should we build next?

And probably the most, certainly for European listeners, the most relevant one we’ve done recently is GDPR handling, which is extremely touchy.  The way that we displayed the information about that, the language that we used but also the technological approach we took was based on research findings from the think tank community…

Which is super important by the way, because if you think about it, it’s app marketers who are in the think tank community, so, therefore, they do this, this is their daily job and they can contribute a lot to the community on different topics.  How does one become part of the community so they can contribute in the first place?

Well, we’re always looking for people to join and if you have some interesting ideas or you have a unique outlook on the app industry, dead keen to hear from you.  I actually think the quickest way would just be to drop me an email, maybe my email address could appear somewhere around…

Yes, absolutely, I’m going to be asking you about that in just a second, Mike, so keep that thought.  In the meantime, it’s about sort of like app marketer ninjas, jedi, that sort of thing, they want to contribute, they know a lot about their industry, they can get in touch with you.  Speaking about the industry, I just want to leave on the thought that I’m asking all of our guests from here on in because we’re closing out the year, what is on the radar for you?  What are you the most excited about when you look into 2019?

For us, for Adjust, it’s got to be the second part of the think tank which is the platform, it’s an exclusive community platform, we write things about app marketing that we couldn’t write on our public blog and it’s a great sort of place to really get into it.  In terms of the industry as a whole, there was a speech at Mobile Spree San Francisco by – there’s no way I pronounce this correctly, I think it’s Jacques Frisch, let’s go with that.  He did a speech about budgeting automation and the concept of having a computer inside your company that takes all the incoming data from attribution companies, all the incoming data from your network partners and the app itself, and then makes more intelligent bids which a lot of networks already offer.

I’m starting to see a shift where app marketers want to do this themselves and I think if it’s done well, and it’s taken on for a big scale, but bidding itself is going to become more competitive, you’re going to have to sink or swim, you’re going to have to hop on board and automate your bids because it’s going to be like the stock market and you’re going to have to bid within a quarter of a millisecond and so on.

So, I expect maybe I’m thinking a little bit too far ahead here but I expect more bloodthirsty competition, shall we say, in app marketing?

I’m hearing the same thing, Mike, I’m hearing that it’s all about using AI to speed things up to make things smarter, to take out the heavy lifting in bidding so I’m absolutely with you on that point.  And just a point, listeners, the benchmarking tool we mentioned before, you can look for it at app-benchmarks.adjust.com and, Mike, how can our listeners stay up to date with you and what’s going on with you personally, maybe on your blog or at Adjust or they wanted to really reach out and say “Hey, make me part of the think tank” – how can they get in touch with you?

If you want to read some very soft and friendly updates about Adjust, we have blog.adjust.com.  If you’re more interested in hearing my hot takes, LinkedIn, Michael Paxman is the best way to reach me, or you can drop me an email at michael@adjust.com.

Michael@adjust.com.  And we will have those in the show notes and links as well.  And listeners, if you want to keep up with me throughout the week or find out more about how you can be a guest or sponsor on Mobile Presence, then you can email me, peggy@mobilegroove.com, Mobile Groove is also where you can find my portfolio of content marketing and app marketing services. 

And that, my friends, is a wrap of yet another episode of Mobile Presence.  Check out this and all earlier episodes of our show by going to webmasterradio.fm or you can find our shows on iTunes, Stitcher, Spreaker and iHeartRadio simply by searching Mobile Presence.  So until next time remember, every minute is mobile, so make every minute count.  We’ll see you soon.
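Editor's note, added after the transcript. The request-signing defence Mike describes (sign every request leaving the device, reject anything the server cannot verify, and rotate the signature so a spoofer's homework goes in the garbage) is worked through below as an added example written for this page. It is not Adjust's SDK or server code and does not reproduce Adjust's actual signature; the scheme, the field names (`sent_at`, `nonce`, `sig_v`, `signature`), the per-app secrets, the key-version numbers and the device ID are all constructed for the illustration. The example uses a keyed hash (HMAC-SHA256) under a per-app secret and shows the server accepting a genuine install, then rejecting the four things a laptop spoofer would try: replaying captured bytes, fabricating a request around a real device ID without the key, editing a signed request, and reusing a key version that has been retired by an app update.

```python
"""Added example: request signing for an analytics/attribution SDK.

Illustrative code written for this page, not Adjust's SDK or server.
Everything here is an assumption of the example: the app ships with a
per-app secret for the current key version, every request carries a
timestamp, a random nonce and a key version, and the server keeps a
short-lived nonce cache to catch replays.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed sample secrets (hypothetical). A real deployment would generate
# these per app and ship a new version with each app update (key rotation).
SECRETS = {
    1: bytes.fromhex("00" * 32),   # version 1: retired, no longer accepted
    2: bytes.fromhex("a1" * 32),   # version 2: current
}
CURRENT_VERSION = 2
WINDOW_SECONDS = 300  # how far a request's timestamp may drift from server time


def canonical(body: dict) -> bytes:
    """Deterministic byte encoding of the signed fields (sorted keys, no spaces)."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(payload: dict, now: float, nonce: Optional[str] = None,
                 version: int = CURRENT_VERSION) -> dict:
    """Client side (inside the SDK): attach timestamp, nonce, key version and HMAC."""
    body = dict(payload)
    body["sent_at"] = int(now)
    body["nonce"] = nonce or secrets.token_hex(16)
    body["sig_v"] = version
    body["signature"] = hmac.new(SECRETS[version], canonical(body),
                                 hashlib.sha256).hexdigest()
    return body


class Verifier:
    """Server side: accept a request only if it was signed with a live key,
    is fresh, and its nonce has not been seen before."""

    def __init__(self, keys: dict, live_versions: set, window: int = WINDOW_SECONDS):
        self.keys = keys
        self.live_versions = live_versions
        self.window = window
        self.seen_nonces = {}  # nonce -> time at which it may be forgotten

    def verify(self, request: dict, now: float) -> str:
        body = dict(request)
        sig = body.pop("signature", None)
        for field in ("device_id", "sent_at", "nonce", "sig_v"):
            if field not in body:
                return f"missing {field}"
        if not isinstance(sig, str):
            return "missing signature"
        version = body["sig_v"]
        if not isinstance(version, int) or version not in self.live_versions:
            return "retired signature version"
        expected = hmac.new(self.keys[version], canonical(body),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison: the check must not leak how many bytes matched.
        if not hmac.compare_digest(expected, sig):
            return "bad signature"
        if abs(now - body["sent_at"]) > self.window:
            return "stale timestamp"
        self._expire(now)
        if body["nonce"] in self.seen_nonces:
            return "replayed nonce"
        self.seen_nonces[body["nonce"]] = now + self.window
        return "ok"

    def _expire(self, now: float) -> None:
        """Drop nonces older than the freshness window; stale requests fail anyway."""
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t > now}


def run_demo() -> dict:
    """Constructed scenarios; returns the verifier's verdict for each one."""
    server = Verifier(SECRETS, live_versions={CURRENT_VERSION})
    now = time.time()
    install = {"device_id": "3F2504E0-4F89-11D3-9A0C-0305E82C3301",  # constructed
               "event": "install", "app": "com.example.game"}
    results = {}
    genuine = sign_request(install, now)
    results["genuine"] = server.verify(genuine, now)
    # 1. Replay: the exact bytes captured leaving the device, sent again.
    results["replay"] = server.verify(genuine, now + 5)
    # 2. Laptop spoof: a real device ID but no key, so the signature is guessed.
    forged = dict(install, sent_at=int(now), nonce=secrets.token_hex(16),
                  sig_v=CURRENT_VERSION)
    forged["signature"] = hashlib.sha256(canonical(forged)).hexdigest()
    results["forged"] = server.verify(forged, now)
    # 3. Tampering: a genuine request with one field changed after signing.
    tampered = dict(sign_request(install, now),
                    device_id="00000000-0000-0000-0000-000000000000")
    results["tampered"] = server.verify(tampered, now)
    # 4. Old key: signed with a version the server retired after an app update.
    results["retired_key"] = server.verify(sign_request(install, now, version=1), now)
    # 5. Delayed replay after the freshness window (nonce cache already cleared).
    results["stale"] = server.verify(sign_request(install, now), now + 2 * WINDOW_SECONDS)
    return results


if __name__ == "__main__":
    for scenario, verdict in run_demo().items():
        print(f"{scenario:12s} -> {verdict}")
```

Running `run_demo()` returns `ok` for the genuine install and a distinct rejection reason for each of the five attacks. Two design points worth noting. First, the example chooses an HMAC, which is cheap to compute once the key is known; the cost it imposes on a spoofer is extracting the secret from the app binary and doing so again after every rotation, rather than per-request computation. Second, the secret still lives inside an app the attacker controls, so this does not make the SDK unspoofable; the nonce and timestamp stop the cheap attack (capture and replay), and key rotation with each app release is what keeps raising the price of the expensive one, which is exactly the economics Mike describes.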