Why Device Ranking Doesn’t Work For Mobile

Andreas Naumann, fraud specialist at Adjust, argues that device ranking as a way of identifying fraud on mobile handsets is a flawed concept.

In the past year, we’ve seen an explosion of discussion around fraud on mobile user acquisition campaigns. That’s a great thing. Whenever you have a gold rush, though, you’ll have pretenders and bandwagon-jumpers too. The most recent of these is the approach to try and prevent fraud via “device ranking” – essentially, blacklisting devices based on metadata and certain events that have been tracked in the past.

Device profiling was very effective on the desktop web for a long time, which is probably where these platforms take their cues from. Device profiling works when you’re looking for, say, credit card fraud. In that scenario, an individual fraudster is typically using a specific device, and you can uniquely identify that device over time.

But mobile is a completely different beast from fraud on the desktop web. Attempting to prevent fraud by profiling or ranking individual mobile devices is not only ineffectual by design, but has a very real danger of undermining the datasets that advertisers rely on to make their day-to-day decisions. If this type of device ranking solution becomes prevalent, many advertisers will find themselves unable to rely on their mobile analytics data.

There are two fundamental ways to defraud an advertiser. You can create spoofed devices, clicks, installs or users with specialized emulation software and scripts running on a server. Or you can hijack real devices of real users and fake engagement from those users with ad media they haven’t even seen, resulting in the advertiser paying premium CPI for unrelated (and typically organic) installs.

There are really only two types of devices you can profile. On the one hand, there are real devices with real users behind them that are occasionally hijacked by fraudsters. On the other, there are spoofed devices that are as mutable and replaceable to a fraudster as the clothes on their back.

Simulated mobile conversions always happen with a brand new device profile. Every single variable that the app (and thus any analytics SDK) has access to is fully within the control of a fraudster. They can and will decide on a random IDFA or Google Play Advertiser ID, and randomly pick a device type for their fake “conversion”. If they wish to pose as an iPhone 6, they will, and can seamlessly resurface as a Samsung tablet. It’s trivial to change your IDFA as an end user – so why would we ever expect fraudsters to dutifully keep theirs unchanged?

What this means is that whenever a fraudster wants to take the spoofing approach, the device will always have an entirely blank history – like it’s a new phone downloading apps for the first time. We see that up to 10 per cent of all mobile app installs every day come from devices that are brand new to analytics systems. The only device ranking that you can do here is profile the device as “new”. New devices in themselves aren’t suspicious at all, and filtering out activity from brand new devices will result in considering a significant percentage of your real users as unreliable. You can’t profile a device that has never been online in the past, and so you can’t detect spoofed devices on the basis of the profile they self-report.

Then let’s look at the other approach – where fraudsters use real devices to spoof ad media engagement, such as click spamming. In this case, the devices are real, and their conversions are legitimate and organic. The problem is that the conversions have been misattributed to a fraudulent publisher. This has nothing to do with the device at all. The device, the user behind it, and the conversions are still highly valuable data. In order to prevent payouts to the fraudulent ad publisher, and repair the dataset, you need to correct the attribution. Instead, by ranking and rejecting the device, you lose a chunk of conversion data.
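An added illustration, not from the original article: a constructed install log run first through a device blacklist and then through attribution correction, covering both cases described above. Publisher names, device IDs and the premise that the click-spamming publisher is already known are hypothetical.

```python
import uuid

# Constructed sample data; every device ID and publisher name is made up.
def fresh_id():
    return str(uuid.uuid4())  # a spoofed install can self-report any advertising ID

REAL_DEVICES = [f"real-device-{i}" for i in range(20)]

# History feeding the blacklist: five real devices were hit by click spam,
# and ten spoofed IDs were each used once and then discarded.
HIJACKED = REAL_DEVICES[:5]
BLACKLIST = set(HIJACKED) | {fresh_id() for _ in range(10)}

def todays_installs():
    rows = []
    for d in REAL_DEVICES[5:]:   # untouched real users, correctly attributed
        rows.append({"device": d, "source": "pub_honest", "truth": "genuine"})
    for d in HIJACKED:           # real organic installs claimed by a click spammer
        rows.append({"device": d, "source": "pub_spam", "truth": "click_spam"})
    for _ in range(10):          # emulated installs, each with a brand-new ID
        rows.append({"device": fresh_id(), "source": "pub_spoof", "truth": "spoofed"})
    return rows

def device_ranking(rows, blacklist):
    """Reject every install whose device ID has a bad history."""
    return [r for r in rows if r["device"] not in blacklist]

def correct_attribution(rows, spam_publishers):
    """Keep the install but move it to organic, so the spammer is not paid.
    This addresses click spam only; it does not claim to detect spoofing."""
    return [dict(r, source="organic") if r["source"] in spam_publishers else r
            for r in rows]

def summarize(rows):
    return {
        "real_conversions_kept": sum(r["truth"] != "spoofed" for r in rows),
        "spoofed_accepted": sum(r["truth"] == "spoofed" for r in rows),
        "paid_to_pub_spam": sum(r["source"] == "pub_spam" for r in rows),
    }

if __name__ == "__main__":
    rows = todays_installs()
    print("device ranking :", summarize(device_ranking(rows, BLACKLIST)))
    print("attribution fix:", summarize(correct_attribution(rows, {"pub_spam"})))
```

The blacklist lets all ten spoofed installs through because their IDs have no history, and it discards five real conversions; the attribution fix withholds the same payout while keeping all twenty real conversions in the dataset.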

Ultimately, the only immutable data that you can trust coming from a mobile SDK is the IP address and the time at which you receive the message. These are the only “true” data points in mobile – everything else can be manipulated by a crafty fraudster.

The bottom line
Device ranking is completely ineffectual at preventing mobile user acquisition fraud, and instead will undermine the dataset with which advertisers make key strategic and spending decisions. By mistrusting real devices, actual conversions are being ignored and misattributed, leading advertisers to underestimate truly high-performing channels. And, since most of the devices implicated in fraud are brand new, advertisers will falsely trust campaigns that have a high degree of fraudulent devices because they fall through the net. Worst day ever? You bet.

But the main problem with device ranking is that you can’t pre-select the potentially fraudulent devices to profile, so you have to profile all users, which is a violation of privacy. You have to create profiles on everybody to then root out devices (users) that are potentially harmful to the environment. So every single user that happens to enjoy an app with this technology in it will have an invisible profile associated permanently with their device, unbeknown to them, that they are incapable of controlling or inspecting.

Advertisers are right to be investigating different ways of preventing fraud from corrupting their datasets. But device ranking is snake oil – it’s an approach designed to catch credit card fraudsters on the desktop web, which won’t be able to foil industry-scale user acquisition fraud on mobile. And in the attempt, many users will see their privacy intruded upon as well.

Andreas Naumann is fraud specialist at Adjust