Software development kit (SDK) spoofing is a form of sophisticated invalid traffic that is particularly nefarious because it’s notoriously difficult to detect. It involves a bad actor figuring out how various app SDKs transmit install and attribution data. The actor then uses that information to signal that a device has successfully installed an app when, in reality, no such thing has happened. This sort of fraud is especially lucrative if there’s a cost-per-install incentive associated with that app.
Before we dive further into SDK spoofing, let’s quickly expand on SDKs. A lot of apps use third-party SDKs — typically for advertising or analytics purposes. In this post, we’ll primarily be referring to attribution SDKs, which allow users to identify when an app has been installed and whom to credit for the installation via event data like clicks.
How SDK spoofing works:
- Fraudsters use a man-in-the-middle attack to insert themselves between an SDK and the endpoint it intends to reach out to.
- They then continuously hit that endpoint with a series of test calls to reverse engineer what calls represent a successful action.
- Over time, they identify what parameters are being passed to indicate a successful install.
- Once they successfully “install” an app, they rinse and repeat with real devices.
The real devices part is the particularly insidious bit about all this. The installs may be fake, but the devices are not. Without proper protections in place, an SDK spoofer could theoretically buy a batch of device IDs and continue to generate install events, cashing in each time. Since those device IDs are tied to real people, from the outside looking in, those installs look completely legitimate.
That’s not all. SDK spoofers have become more sophisticated over time. Instead of just plugging in a list of device IDs, some spoofers actually write their own apps or get another app writer to install the spoofer’s SDK. This adds another layer of complexity because these apps and SDKs may have totally functional uses for users and app developers beyond harvesting data for the bad actor. As such, once spoofers have the device data in hand, it becomes increasingly difficult to separate their spoofed installs from real ones because, to the attribution SDK, everything still looks totally above board.
To that end, while solving SDK spoofing remains tricky, mobile measurement partners have created solutions like Adjust Signature and AppsFlyer Protect360. We encourage you to consider working with partners that focus on brand safety and protect you from fraud of all types. Of course, the best form of protection is to stay informed and think critically about signs of potential fraud. As the old adage goes — if it seems too good to be true, it probably is.
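The following Python example is added here for illustration; it is not code from this post and does not describe how Adjust Signature or AppsFlyer Protect360 are implemented. It shows one generic defence against the replay described above: the endpoint accepts an install event only if it carries a fresh, single-use HMAC signature over the device ID and the other parameters. The field names, the secret and the 300-second window are hypothetical, and the check assumes the signing secret has not been extracted from the app.

```python
import hashlib
import hmac
import json
import time

# Constructed values for illustration only; every name here is hypothetical.
APP_SECRET = b"constructed-demo-secret"
MAX_SKEW_SECONDS = 300
SIGNED_FIELDS = ("app_id", "device_id", "event", "nonce", "ts")


def canonical(params):
    """Serialize the signed fields in a fixed order and an unambiguous encoding."""
    return json.dumps([str(params[k]) for k in SIGNED_FIELDS]).encode()


def sign(params, secret=APP_SECRET):
    """Signature a genuine SDK build would attach to each install event."""
    return hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()


def verify_install(params, signature, seen_nonces, now=None):
    """Server-side check. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    if any(k not in params for k in SIGNED_FIELDS):
        return False, "missing field"
    expected = sign(params).encode()
    # Constant-time comparison; swapping in another device ID changes the HMAC.
    if not hmac.compare_digest(expected, (signature or "").encode()):
        return False, "bad signature"
    # Signed timestamp bounds how long a captured request stays usable.
    if abs(now - int(params["ts"])) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    # Signed nonce makes each accepted event single-use.
    if params["nonce"] in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(params["nonce"])
    return True, "ok"
```

In production the nonce set would be a shared store with expiry matching the timestamp window, not an in-memory set.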
This article was written by Albert Wang, product marketing manager at SpotX.