
3 sources of SKAdNetwork fraud advertisers need to prep for

By John Koetsier October 14, 2020

What does fraud look like in iOS 14 with SKAdNetwork? Is it even possible, given that Apple cryptographically signs the install postbacks?

Smart mobile marketers are using the time between now and early 2021, when Apple will fully implement all of iOS 14’s privacy features, to test out SKAdNetwork. The goal: getting your IDFA-less marketing optimization capability as good as or better than your standard iOS 13-style attribution analytics.

But what about fraud?

Do you need to worry about fraud in iOS 14 when SKAdNetwork is fully operational?

The short answer is … absolutely. The longer answer is that there are at least three different ways fraudsters could fake conversions, mess up attributions, waste your money, and trash your data. We dive into all three of them in this edition of Growth Masterminds, with Singular’s head of fraud prevention efforts, Yonatan Komornik.

John Koetsier: Briefly, what are the three potential problems?

Yonatan Komornik: So SKAdNetwork 2.0 includes the cryptographic signature that enables validation of the data and basically prevents fraudulent actors from forging or faking SKAdNetwork notifications, but there are still some problems.

First and foremost, the post-install conversion values are not included in that signed data. On top of that, country and geolocation aren’t encoded in there. And finally, just validating the signature isn’t as straightforward as you might think.

Koetsier: Let’s go into each of those challenges, starting with post-install conversions.

We’re talking about somebody who’s installed an app and they’ve maybe purchased something, they’ve engaged, they’ve completed a level, whatever. What’s the challenge here?

Komornik: Let’s take a step back. SKAdNetwork 2.0 includes a six-bit value, which is called the conversion value.

And that value can be updated by the advertiser app to reflect the value of the user incoming from the specific ad network or specific campaign. And that’s embedded into the SKAdNetwork notification. So you can get a notification saying an install coming from this ad network in this campaign, and even from a specific publisher, got in a user with a score of 100, for example.

And those scores could be what advertisers basically optimize to. So the higher the score, the better the user, for example.

Now this specific conversion value is not signed in the SKAdNetwork notification, which means that, even if it is changed, the authentication of the SKAdNetwork postback would still go through. It’s still valid. And since SKAdNetwork notifications arrive first at the ad network and only afterwards are shared with advertisers or MMPs, a fraudulent actor could possibly change those values without anyone knowing.

Koetsier: The second thing you mentioned was country codes, right? Maybe you’re looking for users in the United Kingdom and you get Uzbekistan or something like that. What’s the problem here?

Komornik: So SKAdNetwork notifications are coming from the device itself, which means that the metadata itself incorporates some very unique values that are worth quite a bit to advertisers. Such as geolocation, which can be derived from the IP address.

But since the SKAdNetwork notifications go to the network first, the network could basically report whatever geolocation it wants to report. Again, it’s not a part of the data that’s been signed and validated.

Koetsier: So that’s the post-install conversion values and the country codes. But I think as we were chatting earlier, you also mentioned that validating signatures isn’t enough, right? Somebody could just replay the same postback over and over again.

Is that correct?

Komornik: It is.

So, let’s try to simplify it and maybe give an example. Let’s say that you want to incentivize your kid to do well in exams at school. And you’ve told them that you would give them some sort of prize for each exam that they get an A for. Now, the school doesn’t put any date on those exams. They just stamp them with an A … and you know that your kid can fake that specific stamp. So they would bring you an A-graded test.

And you would obviously be happy. And you would give them whatever prize you promised them.

But then they can basically bring the same test back again. And — let’s be honest — you didn’t really read the first test. Plus, it’s not dated, so you would give them the prize again, and they can repeat it as many times as they want.

So, obviously your memory is not that short, so maybe that wouldn’t specifically work, but maybe they brought you an exam from six months ago or maybe from a year or two back. And they could still use the same exam because the stamp, the A is still an A, it’s still a correctly graded exam. Only it’s not dated … you have no way to know that it’s recent.

And SKAdNetwork is exactly the same.

Apple basically gives the ad network — the student — a notification saying they received an install and it provides you a signature that enables you to validate that.

And as an advertiser, if you wanted to double-check your ad network, you would ask them for the notifications … but that ad network could provide the same notification over and over again. Maybe they would not do it as blatantly … maybe they would just replay those six months later. Or maybe use some old ones to augment their new ones.

And so you have to check every new notification and signature that you get against everything you’ve received in the past.

Koetsier: What about fake traffic, fake users, device farms, or maybe even fake devices simulated in software. Are those still issues as well?

Komornik: So this is a great question.

I think that one thing worth considering is that even when we’re starting to run with SKAdNetwork, it’s not like everything is going to be SKAdNetwork-based. Some advertisers might try to measure their ad networks and channels by doing some incrementality testing or maybe just checking the lift when running a specific campaign.

And those would still be open to the more traditional types of ad fraud.

So, for example, bots and fake installs. Another type of fraud we might run into is incentivized ad campaigns that register against SKAdNetwork endpoints at Apple, but aren’t really driving users … so basically they’re trying to get credit for organic users.

Koetsier: So … what’s the solution? You’ve got Singular SKAN and what you call Secure-SKAN … how do they work?

Komornik: So Singular will validate the signatures of all of the SKAdNetwork notifications for its customers. But as we’ve said, some of this data can be changed and we wouldn’t have a good way of knowing if we just receive the postbacks from the networks. That means that we want to be closer to the source … we want to be closer to the device that sends out the postbacks, because the closer we are to the device, the fewer opportunities there are for networks to change that.

The problem is that SKAdNetwork notifications can only be sent to one destination, which is the network.

So that’s the challenge that we’ve been facing, and I think one of the very innovative solutions that we came up with is to actually use an HTTP 307 redirect … a way for an endpoint, for example an ad network endpoint, to tell a device: actually, send that postback to someplace else as well.

Now networks that support that integration can redirect the postbacks that they receive for SKAdNetwork and ask that they be sent to Singular as well. That means that Singular would get the postback directly from the device, without the information being changed along the way.

There are some challenges there as well, and we are working with ad networks and partners to implement that. But we do believe that this solution will provide better security and better trust in SKAdNetwork for advertisers.

Koetsier: When iOS 14 is fully implemented and Apple has fully transitioned the IDFA to being opt-in, do you expect more fraud? Less fraud?

Komornik: So … I’m not an oracle. I can’t predict the future.

You’d expect lower amounts of fraud coming in 2021. But still, we do know that fraudsters are very capable and they will look for new ways to abuse and hijack the system. And we need to stay vigilant and we need to find those cases.

Just as an example, about a month ago Snyk.io, a security company, unraveled a new ad install fraud campaign that was supposed to be impossible in iOS. So I wouldn’t say fraud is impossible right now. I would say that it will become significantly tougher and harder to perform.

Koetsier: So what do advertisers need to do to be as safe as possible?

Komornik: Singular is taking care of most of it, but make sure to integrate our latest SDK and make sure to ask your partners to support Secure-SKAN.

Koetsier: And for non-clients?

Komornik: Feel free to pop into our website and ask for a demo. We can walk you through the different features and talk to you in depth about them.

Koetsier: Thank you very much for your time.
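The three checks the conversation above circles around, in code: verifying the signature on a version 2.0 postback, showing that the conversion value sits outside the signed data, and catching a replayed postback by its transaction-id. This is an added example for this page, not code from the interview, from Singular, or from Apple. It follows Apple's published scheme for version 2.0 postbacks, where the signed fields are version, ad-network-id, campaign-id, app-id, transaction-id, redownload and, when present, source-app-id, joined with U+2063 (INVISIBLE SEPARATOR), hashed with SHA-256 and signed with ECDSA P-256, the signature base64-encoded in attribution-signature. Apple's private key is obviously not available, so the example generates a throwaway P-256 key that stands in for Apple's and signs a constructed postback itself; every identifier in it (network, app, campaign, transaction) is made up. The geolocation point from the interview has no check here because country is not in the postback at all; it is inferred from the sending IP by whoever first receives it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
)

type Postback struct {
	Version, AdNetworkID, TransactionID string
	CampaignID, AppID                   int
	Redownload                          bool
	SourceAppID                         string // decimal source-app-id, "" when Apple omits it
	ConversionValue                     int    // delivered in the postback but NOT signed
	Signature                           string // attribution-signature: base64 DER ECDSA P-256
}

// signedMessage rebuilds the string Apple signs for version 2.0: these fields, in this order,
// joined with U+2063 (INVISIBLE SEPARATOR). conversion-value is deliberately not among them.
func signedMessage(p Postback) string {
	parts := []string{p.Version, p.AdNetworkID, strconv.Itoa(p.CampaignID),
		strconv.Itoa(p.AppID), p.TransactionID, strconv.FormatBool(p.Redownload)}
	if p.SourceAppID != "" {
		parts = append(parts, p.SourceAppID)
	}
	return strings.Join(parts, "\u2063")
}

// VerifySignature checks attribution-signature against a public key (Apple's, in production).
func VerifySignature(pub *ecdsa.PublicKey, p Postback) bool {
	sig, err := base64.StdEncoding.DecodeString(p.Signature)
	if err != nil {
		return false
	}
	digest := sha256.Sum256([]byte(signedMessage(p)))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// ReplayGuard remembers every transaction-id it has accepted. transaction-id is signed, so a
// fraudster cannot mint fresh ones; the only move left is to deliver old ones again.
type ReplayGuard struct{ seen map[string]bool }

func (g *ReplayGuard) Accept(pub *ecdsa.PublicKey, p Postback) (bool, string) {
	if !VerifySignature(pub, p) {
		return false, "invalid signature"
	}
	if g.seen[p.TransactionID] {
		return false, "replay: transaction-id already counted"
	}
	g.seen[p.TransactionID] = true
	return true, "ok"
}

// signAsApple stands in for Apple so the example runs offline; in production only Apple signs.
func signAsApple(priv *ecdsa.PrivateKey, p Postback) string {
	digest := sha256.Sum256([]byte(signedMessage(p)))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(sig)
}

// DemoResult records what happens to one genuine postback and three manipulated deliveries.
type DemoResult struct {
	GenuineAccepted        bool // expected true
	ConversionTamperPasses bool // expected true: the signature does not cover conversion-value
	CampaignTamperPasses   bool // expected false: campaign-id is signed
	ReplayAccepted         bool // expected false: same transaction-id delivered twice
}

// Demo signs a constructed postback (made-up identifiers, no real app or network) with a throwaway key.
func Demo() DemoResult {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := Postback{Version: "2.0", AdNetworkID: "example123.skadnetwork", CampaignID: 42,
		AppID: 1234567891, TransactionID: "6aafb7a5-0170-41b5-bbe4-fe71dedf1e28",
		SourceAppID: "525463029", ConversionValue: 7}
	genuine.Signature = signAsApple(priv, genuine)
	var r DemoResult
	guard := &ReplayGuard{seen: map[string]bool{}}
	r.GenuineAccepted, _ = guard.Accept(&priv.PublicKey, genuine)
	inflated := genuine // a network bumps conversion-value from 7 to 63 before forwarding
	inflated.ConversionValue = 63
	r.ConversionTamperPasses = VerifySignature(&priv.PublicKey, inflated)
	moved := genuine // changing a signed field (campaign-id) breaks the signature
	moved.CampaignID = 43
	r.CampaignTamperPasses = VerifySignature(&priv.PublicKey, moved)
	r.ReplayAccepted, _ = guard.Accept(&priv.PublicKey, genuine) // re-sent verbatim: caught by the id log
	return r
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

Run it with `go run` and the printed struct should read GenuineAccepted true, ConversionTamperPasses true, CampaignTamperPasses false, ReplayAccepted false. Against live postbacks you would swap the throwaway key for Apple's published public key and check the field list against Apple's current documentation for whichever postback version you receive, since later versions add signed fields. The transaction-id set here lives in memory; the replay Komornik describes arrives months later, so in practice that set has to be a durable store shared by every ingestion endpoint.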
