[Chrome for Android] Fraud Detection through impossible OS-/Chrome-Version combinations?

Frank Maschmeier

Aug 22, 2018, 2:23:35 AM
to Chromium-discuss
Dear experts,

while filtering fraudulent mobile traffic we make use of abnormalities in the User Agent (UA) since fraudsters tend to fake such UAs.

So far a few impossible and also very uncommon combinations of Android-OS-Versions vs. Chrome-Versions were found. For the uncommon ones the bulletproof evidence for fraud is missing. Such evidence might be given by answers to the following questions which I was unable to answer after extensive web search:

1) Does Android OS Version X (when pre-installed on device - not via update) come with or force a specific/minimum Chrome Version a) in Webview-Apk b) with standalone Chrome-App, or do both need to be updated through Play Store and therefore can "stay old" once "Automatic Update" is disabled?
Known facts: 
i) Chrome 30.0.0.0 is only valid with Android 4.4 to 4.4.2 (and stands for Webview).
ii) Chrome 33.0.0.0 is only valid with Android 4.4.3 (and stands for Webview).
iii) From Android OS Version 5 (Lollipop) Chrome User Agents can stand for the separate Webview-APK (includes "wv" in UA) or the standalone Chrome-APK whereas both share identical version numbers. 
iv) From Android Version 8, if standalone Chrome-App is installed, the Webview-APK will be disabled and the Webview uses the source code of Chrome-APK instead.
v) When looking at traffic from Android 8+, statistical relevance starts with Chrome Version 56. Still, older versions show up in small numbers, but might be coming from fraudulent sources.

Ideal outcome (just as an example):
...
Android 8.0 - Webview -> Minimum Chrome Version xx.x.xxxx
Android 8.0 - Standalone -> no minimum Chrome Version 
Android 8.1 - Webview -> Minimum Chrome Version xx.x.xxxx
Android 8.1 - Standalone -> no minimum Chrome Version 
... 

2) Does an Android OS Update also update or force the update of a) the Webview-APK b) Chrome-Browser-APK?
I expect that 2b) is rather not included in Android-Update.

3) Do certain Chrome-Browser-APK-Versions require a minimum Android OS Version?
For Webview APK Google Play store says Minimum 5.0
For Chrome APK it says "depends on device" -> if so, is there a list of device -> minimum-OS-Version available somewhere?

Thank you for your help & best regards,

Frank

Torne (Richard Coles)

Aug 22, 2018, 11:10:47 AM
to f.masc...@spykemedia.com, Chromium-discuss
On Wed, 22 Aug 2018 at 02:23 Frank Maschmeier <f.masc...@spykemedia.com> wrote:
> 1) Does Android OS Version X (when pre-installed on device - not via update) come with or force a specific/minimum Chrome Version a) in Webview-Apk

Yes; each OS version has a minimum WebView version that is required for the OS to function correctly, but devices ship with a newer webview version than the minimum preinstalled in many cases. We don't have an easily accessible list anywhere of what these minimum versions are.
 
> b) with standalone Chrome-App

Chrome doesn't have the same compatibility concerns - generally the chrome and webview versions preinstalled will be the same, but this isn't guaranteed.
 
> iv) From Android Version 8, if standalone Chrome-App is installed, the Webview-APK will be disabled and the Webview uses the source code of Chrome-APK instead.
 
This is incorrect; the ability to use Chrome as the WebView implementation was introduced in Android 7 (Nougat).

> v) When looking at traffic from Android 8+, statistical relevance starts with Chrome Version 56. Still, older versions show up in small numbers, but might be coming from fraudulent sources.
>
> Ideal outcome (just as an example):
> ...
> Android 8.0 - Webview -> Minimum Chrome Version xx.x.xxxx
> Android 8.0 - Standalone -> no minimum Chrome Version
> Android 8.1 - Webview -> Minimum Chrome Version xx.x.xxxx
> Android 8.1 - Standalone -> no minimum Chrome Version
> ...

This is also incorrect. There is no way for you to tell the difference, server side, between the different WebView implementations: whether it's provided by the WebView APK or the Chrome APK, the useragent and all other behaviour are identical (and if they are not, that would be a bug in the WebView implementation).

WebView always requires a certain minimum version based on the OS version, regardless of which APK is providing it, but as I said, we don't really have a list of these anywhere.
 
> 2) Does an Android OS Update also update or force the update of a) the Webview-APK b) Chrome-Browser-APK?

After an Android OS update the user will always be left with a webview implementation that is no older than the one preinstalled in the OS, but this isn't guaranteed to be either APK in particular (the systems that make sure this works are quite complex).

Since Chrome comes in multiple side-by-side installable channels (stable, beta, dev, canary), it's possible for users to have another channel of Chrome installed which is *older* than the stable version that is preinstalled in their OS - nothing prevents an Android 8.1 device from having a very old version of chrome also installed in another channel, and you cannot tell which channel the user is using from the serverside (it's not included in the useragent).
 
> I expect that 2b) is rather not included in Android-Update.

Both WebView and Chrome APKs are often included in Android OS updates, but the version in the OS update is not guaranteed to be newer than the version that the user already has updated from the Play Store, so the existing play store updated version will continue to be used if it's newer.
 
> 3) Do certain Chrome-Browser-APK-Versions require a minimum Android OS Version?
> For Webview APK Google Play store says Minimum 5.0
> For Chrome APK it says "depends on device" -> if so, is there a list of device -> minimum-OS-Version available somewhere?

It doesn't depend on the device. There is a different copy of the Chrome APK depending on which Android OS version the device has, but these copies of Chrome are all the same version and will have the same useragent and identical behaviour - they are just packaged differently to be most efficient for the different OS versions' requirements. There is a current version of Chrome for all Android versions 4.1 and up; Android 4.0 used to be supported but is no longer updated (the last version for 4.0 was Chrome 42).

Hopefully this makes things somewhat clear: in general you can't make very many assumptions about what combinations are valid because most combinations are ok.
Also, many devices which do not include the Google Play Store, or which have custom ROMs installed, may have very unusual but valid configurations, because these device images aren't necessarily following any of the distribution rules for the Google apps.

Frank Maschmeier

Aug 23, 2018, 10:17:24 AM
to Chromium-discuss, f.masc...@spykemedia.com
Thank you so much for taking the time to give such a detailed answer. It definitely helps.
A 6-digit subset of app install click data provided from a fraud detection company shows 15% of app installs on Android 8.x with Chrome Version 18. With your info I consider at least this as proven fraud.
For the non-webview browsers I guess I will then continue with the approach on looking at the variation in comparison to the expected Chrome Version distribution.

It's a pity that there isn't such a list of minimum Chrome-Version per Android-OS-Version/-Update (for webview). If somebody has an idea how to obtain (e.g. from extracting source-code or else), please let me know. Else, I guess I will just buy a few old phones and test it myself.

Again, thanks a lot.

Torne (Richard Coles)

Aug 23, 2018, 11:04:36 AM
to f.masc...@spykemedia.com, Chromium-discuss


On Thu, 23 Aug 2018, 10:17 am Frank Maschmeier, <f.masc...@spykemedia.com> wrote:
> Thank you so much for taking the time to give such a detailed answer. It definitely helps.
> A 6-digit subset of app install click data provided from a fraud detection company shows 15% of app installs on Android 8.x with Chrome Version 18. With your info I consider at least this as proven fraud.

There are other browsers based on chromium that may not be updated on the same schedules - most of these identify themselves by adding additional information to the user agent, but they might not all do so. Some of these browsers are quite outdated, though 18 is a loooong time ago and does seem quite unlikely.

> For the non-webview browsers I guess I will then continue with the approach on looking at the variation in comparison to the expected Chrome Version distribution.
>
> It's a pity that there isn't such a list of minimum Chrome-Version per Android-OS-Version/-Update (for webview). If somebody has an idea how to obtain (e.g. from extracting source-code or else), please let me know. Else, I guess I will just buy a few old phones and test it myself.

As I said you can't tell this information by looking at phones, because devices typically ship with the latest version of chrome and webview that was available at the time that that device's ROM image was built, so different phones on the exact same Android version might come with totally different preinstalled versions. You'd want to check the AOSP sources to see which version was included in the original, non-updated version of each major OS update (API level), as that is the actual minimum that is supported.


> Again, thanks a lot.

--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss
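
The signals discussed in this thread, combined into a conservative User-Agent check as an added example (not code from any participant or from Chromium). The verdict names, `EXAMPLE_FLOOR` and the sample UA are assumptions; the floor of 56 is only the original poster's observed traffic floor for Android 8+, standing in for real minimums that would have to come from the AOSP sources.

```python
import re

# Product tokens of a stock Chrome/WebView UA. Any other product token suggests
# another Chromium-based browser, which may follow its own update schedule.
STOCK = {"Mozilla", "AppleWebKit", "Chrome", "Safari", "Version"}
# Assumption: placeholder floor taken from the poster's observed Android 8+ traffic,
# not a confirmed minimum. Real values would have to come from the AOSP sources.
EXAMPLE_FLOOR = {8: 56}
# Constructed sample: Chrome 18 claimed on Android 8.0.
SAMPLE_UA = ("Mozilla/5.0 (Linux; Android 8.0.0; Device Build/XYZ) AppleWebKit/535.19 "
             "(KHTML, like Gecko) Chrome/18.0.1025.133 Mobile Safari/535.19")

def parse(ua):
    """Return (android_version, chrome_major, is_webview, extra_products) or None."""
    android = re.search(r"Android (\d+(?:\.\d+)*)", ua)
    chrome = re.search(r"Chrome/(\d+)\.", ua)
    if not (android and chrome):
        return None
    os_ver = tuple(int(p) for p in android.group(1).split("."))
    block = re.search(r"\(([^)]*)\)", ua)  # platform block: "(Linux; Android ...; wv)"
    fields = [f.strip() for f in block.group(1).split(";")] if block else []
    outside = re.sub(r"\([^)]*\)", " ", ua)  # drop parenthesised comments
    products = set(re.findall(r"(?:^|\s)([A-Za-z][\w.-]*)/", outside))
    return os_ver, int(chrome.group(1)), "wv" in fields, products - STOCK

def classify(ua, webview_floor=EXAMPLE_FLOOR):
    """Return (verdict, reason); webview_floor maps Android major -> minimum WebView major."""
    parsed = parse(ua)
    if parsed is None:
        return "not_chrome_android", "no Android/Chrome tokens"
    os_ver, chrome, is_wv, extras = parsed
    if extras:  # other Chromium-based browser: Chrome version rules do not apply
        return "no_signal", "extra product tokens: " + ", ".join(sorted(extras))
    if os_ver[:2] == (4, 0) and chrome > 42:  # from the reply: 42 was the last for 4.0
        return "inconsistent", "Chrome newer than 42 on Android 4.0"
    if is_wv and os_ver[0] < 5:  # poster's fact iii: "wv" appears from Android 5
        return "inconsistent", "'wv' token on Android older than 5"
    floor = webview_floor.get(os_ver[0])
    if floor is not None and chrome < floor:
        if is_wv:
            return "inconsistent", f"WebView {chrome} below floor {floor}"
        # Standalone Chrome has no OS-imposed minimum (side-by-side channels,
        # custom ROMs), so an old version is a weak signal, not proof.
        return "unusual", f"standalone Chrome {chrome} is old for Android {os_ver[0]}"
    return "no_signal", "combination is plausible"

if __name__ == "__main__":
    print(classify(SAMPLE_UA))
```

An "unusual" verdict is meant to feed the version-distribution comparison mentioned in the thread, not to reject traffic on its own.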
