Continuing from our posts on SDK spoofing and click injection and flooding, the final round of our in-app fraud series will focus on bundle ID spoofing. Put simply, bundle ID spoofing is the app equivalent of domain spoofing: bad actors misrepresent an ad opportunity so that it seems the ad will appear somewhere other than the app where the ad call originated.
While the exact mechanics and execution behind bundle ID spoofing may vary in complexity, the gist is simple: Prior to sending the ad call to a monetization platform, e.g. an SSP or ad exchange, the fraudster swaps out parameters, such as the app name, to make it seem as though the ad will be displayed elsewhere.
This causes the monetization platform and the ensuing buyer to believe the ad will play on a more well-known app than where the initial call originated.
As such, it’s unsurprising that bundle ID spoofing hurts the entire supply chain, except the fraudster. As Nick Frizzell, vice president of brand safety at SpotX, puts it, “at the end of the day, app spoofing both undercuts legitimate app developers as their applications are used as the storefront to siphon ad revenue to bad actors and undermines buyers as their messaging either appears within less desirable content or never has the opportunity to be seen by a real set of eyeballs.”
Fighting bundle ID spoofing
Bundle ID spoofing is exactly the sort of issue that app-ads.txt helps resolve, because it creates a verifiable list of partners authorized to monetize inventory. Now that the final version of the app-ads.txt spec has been released, if you’re a media owner, we recommend adopting it as soon as possible. For buyers working with media owners who have yet to implement app-ads.txt, we suggest buying direct traffic as much as possible, or talking with partners to understand which supply sources they work with and ensuring you’re only buying from authorized sources. By implementing app-ads.txt files, media owners regain control over who has the power to sell their inventory, which will result in higher revenue and drastically reduce the chances of bad actors trying to represent that inventory without the authority to do so.
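To make the check concrete, here is an added example (not from the original article and not SpotX code) of how a buyer could test an ad call against the app-ads.txt file published by the developer of the app the call claims to come from. The domains, account IDs, bundle ID and the simplified bid fields `bundle`, `exchange` and `seller_id` are constructed for illustration; a real pipeline would find the developer's site through the app store listing and fetch the file from there.

```python
# Constructed sample: the file the claimed app's developer publishes at
# <developer site>/app-ads.txt. All domains and IDs below are made up.
SAMPLE_APP_ADS_TXT = """\
# app-ads.txt for example-game.test
contact=adops@example-game.test
exchange-one.test, 12345, DIRECT, abc123def456
Exchange-Two.test , pub-9876 , reseller   # trailing comment
this line is malformed
"""

# Hypothetical lookup table: claimed bundle ID -> fetched app-ads.txt text.
APP_ADS_BY_BUNDLE = {"com.example.game": SAMPLE_APP_ADS_TXT}


def parse_app_ads_txt(text):
    """Return a set of (ad_system_domain, seller_account_id, relationship)."""
    records = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            continue  # variable lines (contact=...) and malformed records
        domain, account_id = fields[0].lower(), fields[1]
        relationship = fields[2].upper()
        if relationship in ("DIRECT", "RESELLER"):
            records.add((domain, account_id, relationship))
    return records


def is_authorized(records, ad_system_domain, seller_account_id):
    """True if this seller account on this ad system is listed by the developer."""
    domain = ad_system_domain.lower()  # domains compare case-insensitively
    return any(d == domain and a == seller_account_id for d, a, _ in records)


def check_bid(bid, app_ads_by_bundle=APP_ADS_BY_BUNDLE):
    """Classify an ad call: 'authorized', 'unauthorized' or 'no-app-ads-txt'."""
    text = app_ads_by_bundle.get(bid["bundle"])
    if text is None:
        return "no-app-ads-txt"  # developer has not published a file yet
    records = parse_app_ads_txt(text)
    ok = is_authorized(records, bid["exchange"], bid["seller_id"])
    return "authorized" if ok else "unauthorized"
```

An ad call that claims a well-known bundle ID but arrives through a seller account the developer never listed comes back `unauthorized`, which is the mismatch bundle ID spoofing produces.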
This article was written by Albert Wang, product marketing manager at SpotX