Fraud Risks in SKAdNetwork

Ad fraud problem is a widespread but mostly unnoticed issue. According to IAB, $1 in every $3 spent on mobile advertising is wasted on ad fraud. Fraud can be fake installs coming from bots or install farms, or it can be a click fraud to steal attribution of real users from legitimate channels, such as click spamming or click injection.

These methods are all aimed to manipulate attribution metrics of attribution tools because advertisers make the payments based on their numbers. With SKAdNetwork, fraudsters will shift their focus from MMPs to SKAdNetwork because that is where the attribution happens; but the ad fraud problem is still there.

Fraud Scenarios in SKAdNetwork

SKAdNetwork’s postback mechanism is heavily affected by Apple’s privacy concerns. A limited number of datapoints, conversion delay timers, privacy thresholds are all helping protect the user’s privacy. However it also helps fraudsters to hide themselves even better as well. Ad fraud detection tools analyze the traffic to understand if traffic patterns resemble a real-user behavior, but iOS 14.5 removes some of these options.

Apple provides a signature mechanism to authenticate the conversion information and match the conversion with correct ad engagement. This is a useful tool for the networks; however, this signature holds no information about the legitimacy of the clicks or impressions. It is not a protection for advertisers about the ad fraud problem.

Fake Installs

There is nothing stopping a fraudster from buying hundreds of devices and starting clicking the ads and installing the apps, i.e., running an install farm. These clicks would carry the ad signature, and Apple would attribute to the source. Install farms are still as much thread as they were.

By resetting the Apple account ID, it is possible to create multiple fake users on a single device. With a jailbroken device, the system can be automatized, and bots can generate a high volume of conversions without human interference.

Attribution Fraud

Similar to MMPs, Apple’s SKAdNetwork uses the last-click attribution method. As much as this method is effective for marketers to understand which ad engagement causes a user to install the app, it is also creating a vulnerability for click fraud: if the fraudster can generate the last click, they will steal the attribution.

• If a fraudulent app can generate clicks from real devices without the user’s knowledge or intention, they have a chance to get the attribution when the user actually downloads organically, as there is no other click from another paid source.
• If a fraudulent app can inject clicks from real devices, after a real ad click happens, they have a chance to steal the attribution from that source as they are the last click before the install.

Both click fraud scenarios were possible on iOS with MMPs, and they are still as likely to happen with SKAdNetwork.

Spoofing

Advance fraudsters will try hacky methods to spoof fake conversions without actually installing the apps, or maybe even without a real device. So far, this fraud type was known as SDK Spoofing because fraudsters were trying to spoof the attribution SDK of MMPs; by mimicking the information between MMP SDK and the MMP server. Now, they will focus their attention on Apple’s SKAdNetwork.

The SK protocol logs ad engagements and conversion within the device. With jailbroken devices, fraudsters can create a fake app-like environment and record clicks and conversions within the device; fooling iOS into thinking that a real mobile app does the click. With such devices, fraudsters have the ability to manipulate the conversion timer as well, as the device has no time data.

Although we value user’s privacy, we have to admit that Apple is new to the attribution game. SKAdNetwork will get better over time with fewer vulnerabilities, but fraudsters will add more years of experience on the current ad fraud problems as well. Advertisers should continue to work with an ad fraud detection tool to protect themselves while focusing on preventive methods and independence like Interceptd.