The potential risk for fraud with IOS 14 and SKADNetwork

The mobile marketing environment underwent a realignment process when Apple released iOS 14 in April 2021. This event triggered the process. All of a sudden, a lot of essential components were either eliminated entirely or severely constrained. The iOS landscape was significantly altered with the introduction of SKAdNetwork (SKAN) and its method for converting data, as well as by the constraints placed on user IDs and the various measurement time periods.

In a sector that is used to seeing a healthy dose of change regularly, the majority of significant stakeholders were fast to react and adapt to the new reality.

According to AppsFlyer, some companies decided to shift their attention away from iOS and reallocate their marketing budgets, which resulted in a decrease of 25% in iOS budgets. Other companies, on the other hand, made the decision to take an innovative approach and modify their working practises to accommodate the new reality.

IOS attribution measurement options

There are three different kinds of attribution frameworks for iOS that are available for use by marketers:

• SKAN only
  
  Mobile app marketing attribution that completely depends on SKAN measurement.



• MMP only
  
  Attribution may be accomplished in one of two ways: either by matching user IDs for consented users (people who have permitted businesses to disclose their IDFA) or by applying probabilistic modeling to all users.



• Hybrid
  
  The next form of attribution, called hybrid attribution, will be determined using a mixture of the first two categories. In this hypothetical situation, network operators keep delivering engagement data to their MMP despite the fact that SKAN activity is taking place.
  
  For instance, when a publisher reports to SKAN that a particular user has engaged with an advertisement, an impression URL is also supplied to the MMP.
  
  The hybrid approach provides marketers and media partners with the advantage of accessing many of the capabilities for measurement, while also matching Apple's criteria for customer privacy. Having said that, it does raise the problem of having duplicate measurement data.

Possible attribution fraud scenarios in SKAdNetwork

The aforementioned procedures are intended to verify the legitimacy of the postback, but they do not consider the authenticity of the user's activity (impression or click).

Is it possible to get around these mechanisms? And is it possible for dishonest people to devise inventive methods to get past these restrictions while remaining undetected?

To respond to the aforementioned question, let's examine the many types of attribution fraud that might occur in SKAdNetwork:

• To manipulate a postback in such a way that it does not reach the advertiser
  
  The signature and transaction ID that were discussed before are designed to deal with situations like these. However, it is possible to get around both the signature and the transaction ID. For instance, the conversion value is not included in the signature, and the transaction ID may be reused several times (provided that the other party does not maintain all of the past transaction IDs indefinitely). Sending the postback to the advertiser, who is the rightful owner of it, is the only viable solution to this problem.



• Manipulating Apple into making an incorrect attribution judgement at the device level
  
  Only the source app and campaign ID are sent by the SKAdNetwork attribution protocol, therefore the data it gives for measurement or improvement is quite restricted. Indications of the amount of time spent interacting with the device are also unavailable. These are essential for determining the lengths of time that pass between important activities, namely click time and installation time.
  
  Without these signs, it is impossible to establish regular user behavioural patterns, which are exceedingly difficult to imitate at scale with bots. This eliminates any indication that anomalous behaviour may be occurring.

What are the measurement challenges of SKAdNetwork?

From the point of view of an advertiser, SKAdNetwork does provide a number of different practical obstacles. They are used to acquiring information from attribution service providers. Other restrictions that apply to SKAdNetwork include the following:

• Granularity that is limited
  
  Data is only displayed on a campaign-by-campaign basis, and each app is restricted to a maximum of 100 online campaigns. On iOS, the previous method of mobile attribution offered a high level of granularity. Their IDFA was completely accessible to publishers, advertisers, and all levels and layers of the ad technology stack until someone switched on restricting ad tracking. You were provided with information on ad views, clicks, and installations, as well as post-installation activities and conversions.



• Personal Click Counting and Analysis
  
  There is no direct connection between impressions and clicks and events and postbacks in SKAdNetwork. When utilising the MMP SDKs to do measurements in an anonymous manner, all installations and events will be interpreted as regular traffic. There is just no way to put this information into perspective. When the SKAdNetwork figures are finally made public, changes will be required. It should come as no surprise that monitoring data on dashboards is not a simple process.



• Retargeting
  
  In iOS 13 and earlier versions of IDFA, you had the ability to retarget customers who had previously used your app or those who had your app loaded but did not use it. You'll be able to target advertisements and offers at them using their IDFA, which will hopefully encourage them to come back, reinstall the app, or renew their membership.



• Fraud
  
  Data is easier to alter, which may increase the likelihood of fraudulent activity with advertisements. In addition to the functional issues, there are also some structural issues that occur here. Because postbacks are only transmitted to the designated advertising network, advertisers and anybody else who processes data on their behalf are not aware that this is happening.
  
  It is becoming increasingly obvious that a privacy-focused approach to advertising is the way of the future. Furthermore, it is becoming increasingly clear that the most promising approach to advertising in iOS is to implement SKAN in order to comply with Apple's ATT guidelines. This is because consumer awareness of data processing practises and support for data protection is growing at an alarming rate.

How is this affected by Apple’s recent view-through addition?

The most recent feature that Apple has made to the SK protocol is view-through, which may make flooding even less difficult. In theory, Apple can verify a click-through flow by reviewing the whole of the flow (click > App Store > Install).

However, since view-through attribution removes the need for a click-in-the-flow validation process, it is impossible for this to take place. Anyone can, in theory, assert that they delivered impressions in the hopes that instals will be attributed to them.

Using the device database access described earlier to insert false impression reports is a method that makes taking advantage of view-through attribution even easier. This method ensures that the publisher is the one who always provides the final impression by ensuring that the publisher is the one who has access to the database.

While the pop-up on the App Store website is trying to convince users to really download the app, the other manipulations are just trying to take credit for natural downloads that have nothing to do with any kind of advertisement or app page. In other words, they are trying to steal instals.