Device testing in the cloud empowers developers - and ad fraudsters
|Richard Harris in Cloud Services Friday, December 8, 2017|
Cloud technology may be helping developers make their apps air tight, but it's also helping commit ad fraud as well.
We sat down with Jason Lunn, Vice President Software Development at Jun Group, to find out how the cloud has impacted software and digital ad testing at large and to uncover the potential opportunities and threats that exist with the technology.
ADM: How does the cloud impact testing?
Lunn: App testing in the cloud is a powerful tool that can be used to incredible effect. That effect can be positive or negative based on how this tool is used. On the positive side, it has never been easier or more affordable for app developers to do comprehensive testing of the myriad permutations of device configurations. Concurrent execution of tests on a diversity of device types, screen sizes, operating system versions, orientations, and locales increases quality without adding the costs or delays to the release pipeline associated with manually testing those same permutations. The downside is that anyone can sign up for a testing account and use this same scalable infrastructure to run apps that are designed to generate fraudulent ad revenue.
ADM: How are campaigns tested today?
Lunn: Today’s digital ads are highly dynamic and leverage our mobile devices’ hardware capabilities. For every release of our ad-serving SDK, testing includes exercising all of the expected behaviors of a variety of ad unit types. For example, rich media ads are designed to be touched, not just seen. They stretch to fill the endless variations of mobile device screen dimensions and seamlessly transition from portrait to landscape and back again. Pre-loaded VAST placements also require extensive testing to ensure flawless audio and visual playback with zero load time. From a campaign standpoint, testing can involve adding third party verification tags, tracking pixels, and a complex web of measurement technologies. Our product has to be able to support an ever increasing array of technologies - all of which require extensive testing.
ADM: What types of fraud does the cloud enable?
Lunn: The same device farms that allow developers to test their apps can be used to impersonate real users viewing ads. The tests can run on real hardware devices as well as simulators and emulators. This avenue for fraud is possible without the cloud, of course, but the cloud lowers all the upfront costs of acquiring and maintaining devices. The same properties - low cost, massive scale, and device diversity - that make cloud testing attractive to app developers for legitimate testing make it an attractive tool for those attempting to perpetrate ad fraud.
ADM: What could the scale of campaign testing fraud be in terms of dollars, impressions, and overall advertiser cost?
Lunn: Mobile devices in the cloud are operated by programs that never sleep. A single AWS (Amazon Web Service) account can use five devices at a time, and that could translate into 28,800 fifteen-second video views a day per account. Circumventing account limits are no challenge for today’s sophisticated fraudsters. Compared to the effort required to run a 500k botnet designed to commit ad fraud, there is no challenge in creating multiple accounts with all of the cloud testing platforms. If instead of creating 34,000 fake websites, Hyphbot had created 34,000 AWS accounts, they could have generated 979,200,000 fraudulent mobile video views every day - costing advertisers millions of dollars.
ADM: How are industry-leading Ad Tech companies providing transparency and assurance with campaign testing and are vendors communicating this to clients?
Lunn: Amazon, Google, Microsoft, and many other providers deploy massive fleets of devices to power their respective cloud testing services, so a fraudulent actor can command as many devices as they can afford. The good news is that these service providers make their test IP addresses known publicly. It is straightforward to identify where requests for ads originate and to compare them to these lists. In a nutshell, publishers, vendors, and advertisers have to work together to whitelist incoming traffic from test IP address during testing but blacklist those same addresses in production.
ADM: What are some additional best practices that Ad Tech companies can implement to make their test practices better?
Lunn: Eliminate the low hanging fruit so that the economics don’t favor fraud. Virtual devices are much cheaper than real hardware, so filter out traffic from simulators or emulators. Monitor the rate of ad delivery to each user, looking for anomalies. Are there devices or users that represents a superhuman frequency of ad views? Do any users appear to be actively viewing ads 24 hours a day? Usage patterns outside the norm should be flagged for investigation of fraud.
ADM: Can fraud testing practices be 100% fool proof?
Lunn: Fraud prevention is always an arms race. The ad tech industry should always be seeking to raise the cost and technical complexity for fraud so that it fails to be an appealing investment.
ADM: Does the future present more opportunities for ad fraud in campaign testing or more security checks to prevent it - i.e. is the future brighter or not?
Lunn: Cloud-device testing didn’t exist a few years ago and is still relatively expensive per device hour, but it is already cheap enough that a determined attacker can make a margin. Expect the threat to grow as prices fall, because even a small profit can make a fraudulent enterprise viable at cloud-scale. On the bright side, the cloud-based device providers are open about how to identify requests that originate from their services. Use the information that is already out there to safeguard your ads from fraud. Stay vigilant over time: monitor that information regularly for updates and stay on top of new cloud-device testing services entering the market.
About Jason Lunn
Jason is the Vice President of Software Development at Jun Group, and oversees the technology department. For the last seven years he has spearheaded the development of the company’s ad delivery platform, supporting billion of ad impressions, hundreds of millions of video views, and thousands of campaigns. Jason’s career in technology spans two decades and multiple industries including Ad Tech, eCommerce, medical billing, and the public sector. He holds a B.S. in Computer Science from the University of Maryland at College Park. When he’s not tethered to a laptop he’ll probably be found in a movie theater or running on the Hudson River Greenway.
Clouds are distributed technology platforms that leverage sophisticated technology innovations to provide highly scalable and resilient environments that can be remotely utilized by organizations in a multitude of powerful ways. To successfully build upon, integrate with, or even create a cloud environment requires an understanding of its common inner mechanics, architectural layers, and models, as well as an understanding of the business and economic factors that result from the adoption and real-world use of cloud-based services.
The ultimate hands-on Linux user guide.
Write and run code every step of the way, using Android Studio to create apps that integrate with other apps, download and display pictures from the web, play sounds, and more. Each chapter and app has been designed and tested to provide the knowledge and experience you need to get started in Android development.
How to create a profitable, sustainable business developing and marketing mobile apps.