Fraud Squad Field Notes: Part 3

Fraud Squad Field Notes is a multipart series that will cover a variety of topics related to user fraud and waste within mobile app marketing. With insights directly from the mCent fraud team, we will discuss industry trends, methodologies, and share observations from our audience data.

On device identifiers: Why hardware serial number isn’t always the best option.

In a recent post we began a discussion around device identifiers for mobile and focused on one of the most commonly used device identifiers:  the so-called IMEI or MEID number (commonly referred to as simply the device_id).

Today, I’d like to provide a quick description of another such identifier along with a cautionary note about why it is not necessarily a reliable method for identifying a unique mobile device:  the hardware serial number.

What is the hardware serial number?

The serial number of a mobile device is an alphanumeric identifier assigned by the manufacturer. It is stored in hardware, is intended to be unique to the device, and should never change over the device's lifetime. Unlike android_id and advertising_id, it is not controlled by Google or the Android OS: it survives a factory reset, and it is not easily changed or disabled by the user.

In practice, it can be read through the Android API as android.os.Build.SERIAL (available since Android 2.3 "Gingerbread", API level 9). One caveat for current development: Build.SERIAL was deprecated in Android 8.0 (API level 26), where it returns Build.UNKNOWN ("unknown") and the value must instead be requested through Build.getSerial(), which needs the READ_PHONE_STATE permission; from Android 10 (API level 29) getSerial() requires READ_PRIVILEGED_PHONE_STATE, so ordinary third-party apps can no longer read the serial at all.

In theory the serial number sounds like a great candidate for use as an identifier. In practice, however, we find that it often falls short, and app developers should use it with caution when tracking installs:

  1. As with all device identifiers, the serial number can easily be faked by users intent on committing fraud.
  2. There is no standard format or validation method. Unlike advertising_id (a UUID) or IMEI/MEID numbers (fixed-length, with a Luhn check digit in the IMEI), there is no specific format that serial numbers must follow, which makes invalid serial numbers hard to detect when analyzing your traffic. It is also common for OEMs to simply store the make or model of the device in this field.
  3. Only devices without telephony are required to report a serial number. In practice, some manufacturers include a serial number regardless of whether the device has telephony, but in a large number of cases phones with telephony report a NULL value for android.os.Build.SERIAL.
  4. Generic values are extremely common. With few standards for serial numbers, OEMs often fill in a generic value or reuse a single serial number across an entire manufacturing batch of devices (this is particularly common in the emerging markets where mCent operates). At first glance this can look like fraudulent or duplicate traffic, but these patterns also appear in perfectly legitimate traffic.

To quantify the points above, here are some statistics from a sample of 675,102 devices belonging to Indonesian, Indian, and Brazilian mCent users:

  • 44.9% reported a NULL value, consistent with point #3 above.
  • 18.9% reported a value of '0123456789ABCDEF'. The first time I saw this I thought it was a fraudulent value, until I realized that this was the value my own test device uses (my test device was manufactured by a leading Indian OEM).
  • 809 reported the value 'SpiceMi506', consistent with point #2 (there were many other instances of this behavior).
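The four failure modes above can be turned into a triage step that runs before a serial is trusted as a device key. The Python below is an added example written for this post, not mCent's code or data: it buckets each install record as missing, placeholder, malformed, model-name, batch-duplicate, or usable, and reports what share of a sample is actually usable. The record layout (brand, model, serial), the batch threshold of 10, the printable-ASCII heuristic and the sample records are all constructed for illustration; '0123456789ABCDEF' and 'SpiceMi506' are the values quoted above, and 'unknown' is what Build.SERIAL returns on Android 8.0+ when the app may not read the real serial.

```python
"""Triage of Android Build.SERIAL values in install traffic.

Added example for this post. Field names, thresholds and sample records
are constructed for illustration; they are not mCent data or code.
"""
from collections import Counter

# '0123456789ABCDEF' is the placeholder quoted in the post. 'UNKNOWN' is
# Build.UNKNOWN, which Build.SERIAL returns on Android 8.0+ when the app
# is not allowed to read the real serial. Matching is case-insensitive.
PLACEHOLDERS = {"0123456789ABCDEF", "UNKNOWN"}


def _alnum(text):
    """Lower-case a string and drop anything that is not a letter or digit,
    so 'Mi-506' and 'mi506' compare equal."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def classify(record, serial_counts, batch_threshold=10):
    """Bucket one install record by how much its serial says about the device.

    record has keys 'brand', 'model' and 'serial' (None when the device
    reported NULL). serial_counts maps serial -> number of records carrying
    it, precomputed over the whole sample so batch duplicates can be seen.
    Checks run from most to least certain; the first hit wins.
    """
    serial = record["serial"]
    if serial is None or not serial.strip():
        return "missing"            # point 3: NULL from Build.SERIAL
    s = serial.strip()
    if s.upper() in PLACEHOLDERS:
        return "placeholder"        # point 4: vendor-wide dummy value
    if not s.isascii() or not s.isprintable():
        return "malformed"          # heuristic only; no formal format exists (point 2)
    brand, model = _alnum(record["brand"]), _alnum(record["model"])
    if _alnum(s) in {model, brand + model}:
        return "model_name"         # point 2: OEM stored make/model in the field
    if serial_counts[s] >= batch_threshold:
        return "batch_duplicate"    # point 4: one serial across a whole batch
    return "ok"


def summarize(records, batch_threshold=10):
    """Classify every record and report what share is usable as a device key."""
    serial_counts = Counter(
        r["serial"].strip() for r in records
        if r["serial"] is not None and r["serial"].strip()
    )
    categories = Counter(
        classify(r, serial_counts, batch_threshold) for r in records
    )
    return {
        "categories": dict(categories),
        "usable_fraction": categories["ok"] / len(records) if records else 0.0,
    }


def _rows(n, brand, model, serial):
    """Constructed records; serial is a fixed string, None, or a function of i."""
    return [{"brand": brand, "model": model,
             "serial": serial(i) if callable(serial) else serial}
            for i in range(n)]


# Constructed sample that mirrors the shape of the post's statistics (not the
# real data): mostly NULL, a chunk of the placeholder, make/model as serial,
# one serial reused across a batch, and a minority of distinct serials.
SAMPLE = (
    _rows(45, "Acme", "A1", None)                       # telephony devices reporting NULL
    + _rows(19, "Acme", "A1", "0123456789ABCDEF")       # the placeholder from the post
    + _rows(8, "Spice", "Mi-506", "SpiceMi506")         # make+model stored as serial
    + _rows(20, "Acme", "B2", "BATCH000777")            # one serial for a whole batch
    + _rows(8, "Acme", "C3", lambda i: f"R9X{i:06d}")   # genuinely distinct serials
)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On this constructed sample only 8% of records end up in the "ok" bucket, which is the decision the triage is for: a serial that lands in any other bucket must not be used to de-duplicate installs, and the batch-duplicate bucket in particular should be read as "unusable", not as proof of fraud.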

In summary, although the serial number might seem like a good candidate for identifying installs and analyzing app traffic, it fails in many cases. App developers looking for a reliable way to identify their traffic are better off relying on other identifiers, generating a proprietary identifier, or building a fingerprinting solution that uniquely identifies a device and is robust against tampering.

Interested in building out fingerprinting and learning more about stopping fraudulent traffic?  Great!  We’re hiring.

