• In-App Monetization

Keeping Your Apps Safe from Malicious Monetization SDKs

Team InMobi
10 min read
Posted on October 28, 2020

Monetization SDKs are an important source of revenue for apps but integrating with the wrong SDK can cause irreparable damage to a publisher's hard work and reputation. The hard work put into building apps needs to be sustained with commensurate continual efforts to protect them from malicious activities including those that degrade user experience and that violate user privacy.  

We have often found that while the basic security infrastructure for apps is sufficient, it is the 3rd party integrations with malicious SDKs that often compromises the apps along those lines or worse still, regularly scrape data to sell without license or even go as far as creating artificial bid streams to inflate revenue for themselves while the publishers lose out on the upside.  
 
In fact, recently, a leading monetization SDK made headlines for alleged malicious advertising practices of fraudulent reporting of click data, revenue attribution and spying on over 300 million users across 1,200 of the integrated apps. Other SDKs have also come under fire for showing inappropriate and misleading content to users, leading to phishing attacks and scams. These activities not only lead to revenue loss but also put the apps at risk of being removed from the App Store or Google Play. 

 
Benchmarking Security and Reliability of SDKs 

We recommend four factors that publishers should always consider as they decide on which monetization SDKs to work with: 

1) Existing SDK Footprint and Demand Partnerships: 

The SDK footprint of your ad monetization partner is testament to the years of dependency and trust app developers place on them. While often relegated as a statistic, the breadth of coverage of developers is always an indicator of reliability and trust that large publishing houses place on the partner. Conversely, publishers should also review the depth of demand side coverage, for example, the global and local coverage of advertisers, the direct demand-side platform (“DSP”) relationships, preferred partnership status with leading agencies, etc.  

 
2) App Safety Checks and Processes 

Publishers often assume or take on face-value the assurances of the monetization partners that they have enough checks and processes in place to ensure app safety. Quite often though, it is worth reviewing the code of the SDK as well as running randomized tests to see if the SDK has the ability to flag bad ads by blocking auto-redirects, stopping pop-ups and preventing auto downloads. In addition, publishers should ensure that the SDK technology is backed by stringent server-side ad policies and manual checks to proactively ensure that inappropriate ad content does not get served in your app. 

In addition, always check if there are any independent ecosystem partnerships that are in place on the SDK or server side to identify threats in real time, flag them and report them to the partner for debugging. Finally, it is always a good practice to check if the SDK partner is audited and certified by recognized independent bodies like the Trustworthy Accountability Group (TAG) and the Media Rating Council (MRC). 

 
3) Protecting User Privacy 

A privacy-first SDK should support any regulatory requirements that protect users within an app, be it COPPA, GDPR, CCPA or any upcoming initiative in any region. The SDK should have built-in measures for gathering user consent, server-side provisions to process the ad request based on the consent provided and a well-oiled mechanism to delete any data upon request of a user, at any point in time.  

 
4) Ensuring Measurability   

SDK is key to the measurability of key demand KPIs including viewability and install attribution. Independent measurement of in-app, post-impression events is needed to ensure that the revenue or campaign performance numbers that advertisers see aren't tampered with and events tracked and reported by third-party measurement partners provide assurance to buyers and reinforce trust. And so, while picking an SDK, it is important to understand, from the partner, how the KPIs are measured and benchmarked, be it OMSDK for viewability, Nielsen DAR for audience measurement or more recently the provision for SKAdNetwork in light of the upcoming changes for IDFA opt-out in iOS 14.  

 
Reinforcing InMobi’s Commitment Towards the Safety of Your App 

As a trusted monetization partner for the world's leading gaming and non-gaming publishers, we are humbled by the feedback we have received about our ability to provide an increasing stream of revenue while ensuring the stability you seek. Our products are built atop our SDKs that are privacy-first, secure and regularly audited by independent partners including TAG and MRC. It's also one of the reasons why we are the preferred in-app SSP for the world’s biggest media agencies and advertisers powered in turn by the largest DSPs across the globe. 

If you need any assistance or have questions as you optimize your SDK based monetization partners, feel free to get in touch with our Customer Success Managers. We would be happy to guide you through the best practices. 

Stay Up to Date

Register to our blog updates newsletter to receive the latest content in your inbox.