Software development kit (SDK) spoofing is a form of sophisticated invalid traffic that is particularly nefarious because it’s notoriously difficult to detect. It involves a bad actor figuring out how various app SDKs transmit install and attribution data and signaling that a device has successfully installed an app when, in reality, no such thing has happened. This sort of fraud is especially lucrative if there’s a cost-per-install incentive associated with that app.
Before we dive further into SDK spoofing, let’s quickly expand on SDKs. A lot of apps use third-party SDKs, typically for advertising or analytics purposes. For the purposes of this post, we’ll primarily be speaking about attribution SDKs, which allow users to identify when an app has been installed and who to credit for the installation via event data like clicks.
How SDK spoofing works:
- Fraudsters use a man-in-the-middle attack to insert themselves between an SDK and the endpoint it intends to reach out to.
- They then continuously hit that endpoint with a series of test calls to reverse engineer which calls represent a successful action.
- Over time, they identify which of the parameters being passed indicate a successful install.
- Once they successfully “install” an app, they rinse and repeat with real devices.
The real devices part is the particularly insidious bit about all this. The installs may be fake, but the devices are not. Without proper protections in place, an SDK spoofer could theoretically just buy a batch of device IDs and continue to generate install events, cashing in each time. Since those device IDs are tied to real people, from the outside looking in, those installs look completely legitimate.
That’s not all. SDK spoofers have gotten more sophisticated over time. Instead of just plugging in a list of device IDs, some spoofers actually write their own apps or get another app writer to install the spoofer’s SDK. This adds another layer of complexity because while these apps are harvesting data for fraudulent ends, spoofer apps or their SDKs may serve totally functional purposes. As such, once spoofers have the device data in their hands, when they spoof an install, it becomes increasingly difficult to separate fraudulent installs from real ones because to the attribution SDK, everything still looks totally above board.
To that end, while solving SDK spoofing remains tricky, mobile measurement partners have created solutions like Adjust Signature and AppsFlyer Protect360. We strongly invite you to consider working with partners with a focus on brand safety and protecting you from fraud of all types. Of course, the best form of protection is to stay informed and pay attention. As the old adage goes — if it seems too good to be true, it probably is.
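As an added illustration of the "proper protections" idea (not code from this post, and not how Adjust Signature or AppsFlyer Protect360 work internally), the sketch below shows a generic server-side check that accepts an install event only if its parameters carry a valid HMAC signature, a fresh timestamp and an unused nonce. The field names, the shared secret and the `InstallVerifier` class are assumptions made for the example.

```python
import hashlib
import hmac
import json

MAX_SKEW_SECONDS = 300
REQUIRED = ("device_id", "app_id", "event", "ts", "nonce")


def sign_event(params, secret):
    """HMAC-SHA256 over a canonical JSON encoding of the event parameters."""
    canonical = json.dumps(params, sort_keys=True, separators=(",", ":"))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


class InstallVerifier:
    """Server-side check for install events (hypothetical endpoint logic)."""

    def __init__(self, secret):
        self.secret = secret
        self.seen_nonces = set()  # a real service would use a shared store with expiry

    def verify(self, params, signature, now):
        """Return 'accepted' or the reason the event was rejected."""
        missing = [f for f in REQUIRED if f not in params]
        if missing:
            return "rejected: missing " + ",".join(missing)
        expected = sign_event(params, self.secret)
        if not hmac.compare_digest(expected.encode(), str(signature).encode()):
            return "rejected: bad signature"
        if not isinstance(params["ts"], int) or abs(now - params["ts"]) > MAX_SKEW_SECONDS:
            return "rejected: stale timestamp"
        if params["nonce"] in self.seen_nonces:
            return "rejected: replayed nonce"
        self.seen_nonces.add(params["nonce"])
        return "accepted"


# Constructed sample data: none of these values come from a real SDK.
SECRET = b"constructed-demo-secret"
NOW = 1_700_000_000
GENUINE = {"device_id": "constructed-device-0001", "app_id": "com.example.app",
           "event": "install", "ts": NOW, "nonce": "n-001"}

if __name__ == "__main__":
    v = InstallVerifier(SECRET)
    sig = sign_event(GENUINE, SECRET)
    print(v.verify(GENUINE, sig, NOW))  # genuine event
    print(v.verify(GENUINE, sig, NOW))  # the same event sent a second time
    swapped = dict(GENUINE, device_id="constructed-device-0002", nonce="n-002")
    print(v.verify(swapped, sig, NOW))  # different device ID, old signature
```

A secret that ships inside an app can be recovered from it, so a check like this raises the cost of forging install events rather than removing the risk, which is one reason the problem remains tricky.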
This article was written by Albert Wang, product marketing manager at SpotX.