Device testing in the cloud empowers developers and ad fraudsters
Friday, December 8, 2017
Richard Harris |
Cloud technology may be helping developers make their apps air tight, but it's also helping commit ad fraud as well.
Cloud technology has been a game-changer for many industries. It has reduced IT costs, made updating and upgrading systems much easier, allowed businesses to scale operations quickly, and it has enabled flexible work collaboration. The cloud also has major implications on how digital ads are tested and served to millions of people globally. The opportunity to seamlessly test campaigns and product functionality on hundreds of environments and devices is great, but the potential for fraudsters to hijack the technology for nefarious activity is also elevated and could cost advertisers millions of dollars.
We sat down with Jason Lunn, Vice President Software Development at Jun Group, to find out how the cloud has impacted software and digital ad testing at large and to uncover the potential opportunities and threats that exist with the technology.
Lunn: App testing in the cloud is a powerful tool that can be used to incredible effect. That effect can be positive or negative based on how this tool is used. On the positive side, it has never been easier or more affordable for app developers to do comprehensive testing of the myriad permutations of device configurations. Concurrent execution of tests on a diversity of device types, screen sizes, operating system versions, orientations, and locales increases quality without adding the costs or delays to the release pipeline associated with manually testing those same permutations. The downside is that anyone can sign up for a testing account and use this same scalable infrastructure to run apps that are designed to generate fraudulent ad revenue.
Lunn: Today’s digital ads are highly dynamic and leverage our mobile devices’ hardware capabilities. For every release of our ad-serving SDK, testing includes exercising all of the expected behaviors of a variety of ad unit types. For example, rich media ads are designed to be touched, not just seen. They stretch to fill the endless variations of mobile device screen dimensions and seamlessly transition from portrait to landscape and back again. Pre-loaded VAST placements also require extensive testing to ensure flawless audio and visual playback with zero load time. From a campaign standpoint, testing can involve adding third party verification tags, tracking pixels, and a complex web of measurement technologies. Our product has to be able to support an ever increasing array of technologies - all of which require extensive testing.
Lunn: The same device farms that allow developers to test their apps can be used to impersonate real users viewing ads. The tests can run on real hardware devices as well as simulators and emulators. This avenue for fraud is possible without the cloud, of course, but the cloud lowers all the upfront costs of acquiring and maintaining devices. The same properties - low cost, massive scale, and device diversity - that make cloud testing attractive to app developers for legitimate testing make it an attractive tool for those attempting to perpetrate ad fraud.
Lunn: Mobile devices in the cloud are operated by programs that never sleep. A single AWS (Amazon Web Service) account can use five devices at a time, and that could translate into 28,800 fifteen-second video views a day per account. Circumventing account limits are no challenge for today’s sophisticated fraudsters. Compared to the effort required to run a 500k botnet designed to commit ad fraud, there is no challenge in creating multiple accounts with all of the cloud testing platforms. If instead of creating 34,000 fake websites, Hyphbot had created 34,000 AWS accounts, they could have generated 979,200,000 fraudulent mobile video views every day - costing advertisers millions of dollars.
Lunn: Amazon, Google, Microsoft, and many other providers deploy massive fleets of devices to power their respective cloud testing services, so a fraudulent actor can command as many devices as they can afford. The good news is that these service providers make their test IP addresses known publicly. It is straightforward to identify where requests for ads originate and to compare them to these lists. In a nutshell, publishers, vendors, and advertisers have to work together to whitelist incoming traffic from test IP address during testing but blacklist those same addresses in production.
Lunn: Eliminate the low hanging fruit so that the economics don’t favor fraud. Virtual devices are much cheaper than real hardware, so filter out traffic from simulators or emulators. Monitor the rate of ad delivery to each user, looking for anomalies. Are there devices or users that represents a superhuman frequency of ad views? Do any users appear to be actively viewing ads 24 hours a day? Usage patterns outside the norm should be flagged for investigation of fraud.
Lunn: Fraud prevention is always an arms race. The ad tech industry should always be seeking to raise the cost and technical complexity for fraud so that it fails to be an appealing investment.
Lunn: Cloud-device testing didn’t exist a few years ago and is still relatively expensive per device hour, but it is already cheap enough that a determined attacker can make a margin. Expect the threat to grow as prices fall, because even a small profit can make a fraudulent enterprise viable at cloud-scale. On the bright side, the cloud-based device providers are open about how to identify requests that originate from their services. Use the information that is already out there to safeguard your ads from fraud. Stay vigilant over time: monitor that information regularly for updates and stay on top of new cloud-device testing services entering the market.
Jason is the Vice President of Software Development at Jun Group, and oversees the technology department. For the last seven years he has spearheaded the development of the company’s ad delivery platform, supporting billion of ad impressions, hundreds of millions of video views, and thousands of campaigns. Jason’s career in technology spans two decades and multiple industries including Ad Tech, eCommerce, medical billing, and the public sector. He holds a B.S. in Computer Science from the University of Maryland at College Park. When he’s not tethered to a laptop he’ll probably be found in a movie theater or running on the Hudson River Greenway.
We sat down with Jason Lunn, Vice President Software Development at Jun Group, to find out how the cloud has impacted software and digital ad testing at large and to uncover the potential opportunities and threats that exist with the technology.
ADM: How does the cloud impact testing?
Lunn: App testing in the cloud is a powerful tool that can be used to incredible effect. That effect can be positive or negative based on how this tool is used. On the positive side, it has never been easier or more affordable for app developers to do comprehensive testing of the myriad permutations of device configurations. Concurrent execution of tests on a diversity of device types, screen sizes, operating system versions, orientations, and locales increases quality without adding the costs or delays to the release pipeline associated with manually testing those same permutations. The downside is that anyone can sign up for a testing account and use this same scalable infrastructure to run apps that are designed to generate fraudulent ad revenue.
ADM: How are campaigns tested today?
Lunn: Today’s digital ads are highly dynamic and leverage our mobile devices’ hardware capabilities. For every release of our ad-serving SDK, testing includes exercising all of the expected behaviors of a variety of ad unit types. For example, rich media ads are designed to be touched, not just seen. They stretch to fill the endless variations of mobile device screen dimensions and seamlessly transition from portrait to landscape and back again. Pre-loaded VAST placements also require extensive testing to ensure flawless audio and visual playback with zero load time. From a campaign standpoint, testing can involve adding third party verification tags, tracking pixels, and a complex web of measurement technologies. Our product has to be able to support an ever increasing array of technologies - all of which require extensive testing.
ADM: What types of fraud does the cloud enable?
Lunn: The same device farms that allow developers to test their apps can be used to impersonate real users viewing ads. The tests can run on real hardware devices as well as simulators and emulators. This avenue for fraud is possible without the cloud, of course, but the cloud lowers all the upfront costs of acquiring and maintaining devices. The same properties - low cost, massive scale, and device diversity - that make cloud testing attractive to app developers for legitimate testing make it an attractive tool for those attempting to perpetrate ad fraud.
ADM: What could the scale of campaign testing fraud be in terms of dollars, impressions, and overall advertiser cost?
Lunn: Mobile devices in the cloud are operated by programs that never sleep. A single AWS (Amazon Web Service) account can use five devices at a time, and that could translate into 28,800 fifteen-second video views a day per account. Circumventing account limits are no challenge for today’s sophisticated fraudsters. Compared to the effort required to run a 500k botnet designed to commit ad fraud, there is no challenge in creating multiple accounts with all of the cloud testing platforms. If instead of creating 34,000 fake websites, Hyphbot had created 34,000 AWS accounts, they could have generated 979,200,000 fraudulent mobile video views every day - costing advertisers millions of dollars.
ADM: How are industry-leading Ad Tech companies providing transparency and assurance with campaign testing and are vendors communicating this to clients?
Lunn: Amazon, Google, Microsoft, and many other providers deploy massive fleets of devices to power their respective cloud testing services, so a fraudulent actor can command as many devices as they can afford. The good news is that these service providers make their test IP addresses known publicly. It is straightforward to identify where requests for ads originate and to compare them to these lists. In a nutshell, publishers, vendors, and advertisers have to work together to whitelist incoming traffic from test IP address during testing but blacklist those same addresses in production.
Jason Lunn, VP of Software Development,
Jun Group
Jun Group
ADM: What are some additional best practices that Ad Tech companies can implement to make their test practices better?
Lunn: Eliminate the low hanging fruit so that the economics don’t favor fraud. Virtual devices are much cheaper than real hardware, so filter out traffic from simulators or emulators. Monitor the rate of ad delivery to each user, looking for anomalies. Are there devices or users that represents a superhuman frequency of ad views? Do any users appear to be actively viewing ads 24 hours a day? Usage patterns outside the norm should be flagged for investigation of fraud.
ADM: Can fraud testing practices be 100% fool proof?
Lunn: Fraud prevention is always an arms race. The ad tech industry should always be seeking to raise the cost and technical complexity for fraud so that it fails to be an appealing investment.
ADM: Does the future present more opportunities for ad fraud in campaign testing or more security checks to prevent it - i.e. is the future brighter or not?
Lunn: Cloud-device testing didn’t exist a few years ago and is still relatively expensive per device hour, but it is already cheap enough that a determined attacker can make a margin. Expect the threat to grow as prices fall, because even a small profit can make a fraudulent enterprise viable at cloud-scale. On the bright side, the cloud-based device providers are open about how to identify requests that originate from their services. Use the information that is already out there to safeguard your ads from fraud. Stay vigilant over time: monitor that information regularly for updates and stay on top of new cloud-device testing services entering the market.
About Jason Lunn
Jason is the Vice President of Software Development at Jun Group, and oversees the technology department. For the last seven years he has spearheaded the development of the company’s ad delivery platform, supporting billion of ad impressions, hundreds of millions of video views, and thousands of campaigns. Jason’s career in technology spans two decades and multiple industries including Ad Tech, eCommerce, medical billing, and the public sector. He holds a B.S. in Computer Science from the University of Maryland at College Park. When he’s not tethered to a laptop he’ll probably be found in a movie theater or running on the Hudson River Greenway.
Become a subscriber of App Developer Magazine for just $5.99 a month and take advantage of all these perks.
MEMBERS GET ACCESS TO
- - Exclusive content from leaders in the industry
- - Q&A articles from industry leaders
- - Tips and tricks from the most successful developers weekly
- - Monthly issues, including all 90+ back-issues since 2012
- - Event discounts and early-bird signups
- - Gain insight from top achievers in the app store
- - Learn what tools to use, what SDK's to use, and more
Subscribe here