SDK Spoofing, and open vs. closed-source technology

Paul H. Müller

Aug 7, 2019

SDK spoofing is one of the fastest-growing threats to mobile marketers, and we often get questions about how we can secure our Open-source SDK against it. In this short article, we will cover how Adjust keeps our data secure, and why a closed-source SDK is not harder to spoof than an open-source SDK.

If you don’t know what SDK Spoofing is, you can read a longer explanation.

In short, fraudsters look at the data sent from the app with an attribution SDK in it and the attribution companies’ server to figure out what they need to send to ‘trick’ the attribution company into accepting their fake data.

If done right it allows the attacker to create an unlimited number of real looking users and in-app events, without ever running the actual app on any phone.

Nowadays, fraudsters can get hold of real device IDs, which means their fake data looks identical to real data, unless you are using a cryptographic signature to secure the data sent from the app. Our security specialist Abdullah talks more about the basic idea in his article.

Given that Adjust’s SDK is open source, it’s good to ask how we secure it against people simply reading the code we use to authenticate our requests and just replicating its behavior.

The Adjust SDK is open source because it is our conviction that our clients deserve to know what’s going on in their app. On top of that it allowed us to cooperate with many of our clients to create the markets most stable and crash-free SDK. In fact, there are countless reasons why an attribution SDK should be open source, many of which we touch on in a previous article.

How is Adjust’s SDK secured?

In order to track using Adjust, every client starts out by integrating the Adjust SDK into their app. But to protect our clients from spoofing, we also require clients to download a separate library and plug it into the Adjust SDK. Without this library, the SDK is not secure and we will not accept data from it.

This library creates a cryptographic signature that is attached to every single data request sent from our SDK. It protects against all known attack methods and is continually updated by our team of security specialists. Every single library is different, meaning if one app is attacked, the same attack method will not work on any other app in the world. Furthermore, the library will be updated continuously by our security team, meaning any new attempts to break the security will quickly become ineffective.

The code of the library is randomly generated and then compiled in a special process that means an attacker cannot reverse engineer the library to read the code.

Are other SDKs more or less secure?

Most other attribution SDKs are closed source and do not reveal their function to clients using them, but does that make them more secure?

The answer is no.

During our research into SDK spoofing, we examined the closed-source attribution SDKs in the market to understand how secure they are without a cryptographic signature. Unfortunately, we discovered that in every single case, the function they were using to sign their data requests is extremely easy to extract in human-readable form, making it trivial to defeat.

In fact, for some of the SDKs it took our researchers only minutes to find and crack the signing function - meaning that within moments, the SDK’s protection had been completely removed. This has extremely serious ramifications, because once an attacker does this, they can then use the signature to make their fake data look perfectly real.

In short, an attacker can easily spoof all existing closed-source solutions.

The custom library that clients plug into their SDK does not cover the full function of an attribution SDK, only the set of functions necessary to protect against spoofing. This means we can write, compile and secure it very differently.

While we cannot reveal all of the methods used to secure the library for security purposes, we are happy to connect clients with one of our cybersecurity experts to explain further.

Do not believe that an open-source SDK cannot be secured, and do not believe that a closed-source SDK cannot be spoofed.

Want to get the latest from Adjust?