Fraud Squad Field Notes is a multipart series that will cover a variety of topics related to user fraud and waste within mobile app marketing. With insights directly from the mCent fraud team, we will discuss industry trends, methodologies, and share observations from our audience data.
On device identifiers: Why hardware
serial number isn’t always the best option.
In a recent post we began a discussion around device identifiers for mobile and focused on one of the most commonly used device identifiers: the so-called IMEI or MEID number (commonly referred to as simply the
Today, I’d like to provide a quick description of another such identifier along with a cautionary note about why it is not necessarily a reliable method for identifying a unique mobile device: the hardware
What is the hardware
serial number of a mobile device is an alphanumeric identifier assigned by the manufacturer that is stored in hardware, is unique to the device, and should never change throughout that device’s lifetime. It is not controlled by Google or the Android OS (much like
advertising_id), it won’t change upon factory reset, it is not easily changed or disabled by the user, and it should be persistent throughout the lifetime of the device.
In practice, it can be accessed through the Android API as
android.os.Build.SERIAL (available as such since Android 2.3 “Gingerbread”).
In theory the
serial number sounds like a great candidate for use as an identifier. In practice, however, we find that
serial number often falls short and should be used with caution by app developers when tracking installs:
- As with all device identifiers, the
serialnumber can easily be faked by users who are intent on committing fraudulent behavior.
- There is no standard format or validation methodology. Unlike
advertising_idor IMEI/MEID numbers, there is no specific format that
serialnumbers must follow. This makes it difficult to detect invalid
serialnumbers when analyzing your traffic. It is also common for OEMs to simply use the make or model of the device itself here.
- Only devices without telephony are required to report a
serialnumber. In practice, we find that some manufacturers will include a
serialnumber regardless of whether the device will be connected to telephony, however in a large number of cases phones with telephony will report a
- Generic values are extremely common. There are few standards for
serialnumbers, and in many cases we find that OEMs will simply input generic values or use the same
serialnumber for an entire manufacturing batch of devices (this is particularly common in the emerging markets where mCent operates). At first glance this might seem like fraudulent or duplicate traffic, however these patterns are present in perfectly legitimate traffic.
To quantify the size and scope of the points made above, here are some statistics on a sample of 675,102 devices from Indonesian, Indian, and Brazilian mCent users:
- 44.9% reported a NULL value, consistent with point #3 above.
- 18.9% reported a value of
'0123456789ABCDEF'. The first time I saw this I thought it was a fraudulent value, until I realized that this was the value my own test device uses (my test device was manufactured by a leading India OEM).
- 809 simply read ‘SpiceMi506’, consistent with point #2 (in fact there were many other instances of such behavior).
In summary, although
serial might seem like a good candidate for identifying installs and analyzing app traffic, there are many cases where it fails. For app developers looking for a reliable means of identifying their traffic, they are best suited looking to other identifiers, using a proprietary identifier, or building out a fingerprinting solution that can uniquely identify a device and be robust against fraudulent tampering.
Interested in building out fingerprinting and learning more about stopping fraudulent traffic? Great! We’re hiring.