Why Apple’s SKAdNetwork Could Spur Ad Fraud In iOS 14

Will Apple's SKAdNetwork make app marketing in iOS 14 more or less susceptible to fraud? The answer is yes, no, and it depends on the type of fraud.

SKAdNetwork is Apple’s homegrown solution for attribution.

Apple itself verifies when clicks lead to installs and shares that information directly with ad networks through an encrypted postback and without the need to pass an IDFA.

That should make app marketing in iOS 14 pretty much impervious to fraud … right? Well, yes and no.

It depends on what type of ad fraud you’re talking about, said David Gregson, a product manager at MoPub.

While SKAdNetwork is likely to help cut down on click and view-through attribution fraud, Gregson said, it could make mobile ad fraud trickier to track while also making it easier for bad actors to disguise fake traffic.

Although iOS overall is considered less susceptible to chicanery than the open-source Android operating system, the Apple ecosystem is still vulnerable to fake traffic, bogus clicks, non-visible ads and other common forms of ad fraud.

First, the good news …

With SKAdNetwork, the App Store becomes the mediation layer between the publisher and the advertiser. In order to keep the data flow anonymous, the notification about an install is sent via the App Store without any personally identifiable information appended.

In order to prevent fraud, a cryptographic signature is added to conversion postbacks that third parties can validate using a public key supplied by Apple. Mobile measurement providers (MMPs), such as Branch and Singular, are trying to position themselves as one-stop-shops to verify and aggregate Apple postbacks.

With this setup, claiming credit for fake ads and fake clicks gets much harder. In classic attribution fraud, a bad actor could simply tell an MMP that a user clicked and get credit even if there was no click at all.

“But a click only gets submitted to SKAdNetwork if a user actually sees an App Store view open up on the screen,” Gregson said. “That will make it more difficult to submit fake clicks in iOS than it used to be.”

… and then the not-so-good news

But a number of possible side effects of the way SKAdNetwork functions – and of Apple’s IDFA opt-in requirement for iOS 14 – could open the door to bad acting.

Although the value chain on iOS will be more secure, that will only provide a “perceived notion” that iOS advertising is less penetrable to fraud, said Maor Sadra, CEO and co-founder of incrementality startup INCRMNTAL.

Because SKAdNetwork only sends aggregated campaign data to advertisers, attribution becomes a form of guesswork. There’s lots of wiggle room there.

“Fraudsters are having wild raves and sharpening their knives right now,” Sadra said.

Eliminating online identifiers, such as the IDFA, for example, makes it easier for fraud to masquerade as human traffic, said Luke Taylor, founder and COO of ad fraud protection vendor TrafficGuard.

Fraudsters will often simulate traffic as having opted into Limit Ad Tracking (LAT) as a way to obscure its origin, Taylor said. When users enable LAT, Apple returns a series of zeros rather than an IDFA, which prevents user identification.

Now that many users are unlikely to opt into IDFA tracking in iOS 14 – thereby becoming de facto LAT traffic – Limit Ad Tracking becomes the perfect cover for bad actors looking to hide invalid traffic. They don’t have to bother spoofing the IDFA anymore to send along with their fake iOS traffic.

“All they have to say is that they’re not passing the IDFA, because LAT is enabled,” Taylor said. “It’s a problem that will persist and can’t be easily solved by Apple.”

Or, perhaps, by the anti-fraud vendor community itself.

Although Apple’s user privacy and data use documentation for iOS 14 creates an exception that allows companies to track users without permission for the purposes of fraud detection, fraud prevention and security, the very nature of SKAdNetwork could prove challenging in the fight against fraud.

“In a perfect world without fraud, aggregated data doesn’t muddy the waters, you just do more modeling and it’s fine – but when you begin to think that some of that could be fraud, how do you identify it?” Taylor said. “It becomes easier for fraud to go undetected if it’s just one component of something larger.”


1 Comment

  1. Allison, you should pick up on a report by a company named Snyk, which just uncovered a sophisticated ad fraud on iOS 13 and which on iOS 14 would allow a malicious party to switch a legitimate signed click with a forged one without any notice by Apple. It actually raises a serious concern, as this type of fraud, which uses swizzling, may be replicated by a malicious party, only this time without any 3rd party that can validate the data.
