After completing the MITM attack, fraudsters would then generate a series of test installs for the app they are looking to defraud. Since they can read the URLs of all server-side connections in clear text, they can learn which URL calls represent real actions in the app, such as first opens, repeated opens, and even other in-app events like purchases, level-ups, or whatever else is being tracked. They also analyze which parts of these URLs are static and which are dynamic, keeping the static parts (such as shared secrets, event tokens, etc.) and experimenting with the dynamic parts, which carry things like advertising identifiers or other data specific to the device and the particular circumstances. We've been fighting fraud for a while.
We know that fraudsters keep improving their own methods with every filter we release, so in parallel to our hotfixes we were working hard on a long-term solution, one that would thwart any further attempts to deceive and defraud customers (more on this below). Just as we expected, the fraudsters eventually did figure out why their fake calls were being blocked, and they did indeed step up their game. After a couple of these cycles, we lost the advantage of being able to identify the fraudulent traffic through mismatches between traffic data and transmitted data. We considered a few solutions, such as certificate pinning or computing a checksum hash for each app and SDK integration. We also evaluated building our own encryption method, but all of those ideas fell flat because of the potentially severe impact on our clients' apps' CX/UX and the risk to tracking quality in general. For instance, certificate pinning can cause major obstructions over time as certificates become old or are deprecated for various reasons, e.g. Comodo's security breach of 2011. As many apps stop receiving updates after a period of time, and whole development teams often get reassigned or disbanded, the risk is that certificates go stale and tracking stops completely for these apps. Another consideration was that pinning certificates would break all of the common testing suites that clients and networks use for tracking tests. Finally, the client (in this case the mobile device) can decide not to use the pinned certificate, so while certificate pinning is a good way to protect client-server communication from a MITM attack, we decided it was not adequate to protect a server from a hostile client.
In the end, we decided to create a signature hash to sign SDK communication packages. This method guarantees that replay attacks do not work, as we introduced a new dynamic parameter to the URL that cannot be guessed or stolen and is only ever used once. In order to obtain a reasonably secure hash and an equally low-cost user experience for our clients, we opted for an additional shared secret, which can be generated in the dashboard for every app the customer wants to secure. Marketers also have the option to renew secrets and to use different ones for different version releases of their app. This allows them to deprecate signature versions over time, ensuring that attribution follows the highest security standard for the newest releases while older releases can be removed from attribution entirely.