Fraud

Fraud is available on the Enterprise plan.

Fraud detects GPS spoofing, proxy and VPN usage, and device tampering.

With Regions, you can also detect a user's country and state and mark specific regions as allowed or denied to comply with regulations.

Together, Fraud and Regions provide the following user context:

{  "fraud": {    "passed": false,    "bypassed": false,    "verified": true,    "mocked": true,    "jumped": false,    "compromised": false,    "proxy": false,    "sharing": false  },  "country": {    "code": "US",    "name": "United States",    "flag": "🇺🇸",    "allowed": true  },  "state": {    "code": "MD",    "name": "Maryland",    "allowed": false  }}

How it works

You can call Radar.trackOnce() to accurately detect a user's current geofences, current place, or current country and state.

However, users can spoof a device's location. For example, a gambling app user may spoof their location to access sports betting features only available in specific states. Or, a retail app user may spoof their location to access offers only available inside a store geofence.

To ensure you can trust a user's location, you can call Radar.trackVerified() instead. Radar will collect a variety of fraud signals and perform fraud checks, exposing flags that you can use for fraud detection and location verification in your app.

Fraud flags

If you call Radar.trackVerified(), Radar exposes the following flags in user.fraud:

• mocked: Indicates whether a user's location is being mocked, such as in a simulator or using a location spoofing app (e.g., Fake GPS location).
• compromised: Indicates whether the user's device or app has been compromised according to the Play Integrity API on Android.
• jumped: Indicates whether the user moved too far too fast (e.g., "jumped" across the country in only a few seconds).
• sharing: Indicates whether the user is screen sharing (e.g., using TeamViewer).
• proxy: Indicates whether the user's IP address is a known proxy, VPN, Tor exit node, etc.
• verified: Indicates whether the request was made with SSL pinning configured successfully.

While you can work with individual flags, Radar also exposes a single user.fraud.passed flag that indicates whether all fraud checks passed.

Bypassing checks for testing

If desired, you can bypass fraud checks for individual users using the Mark as Bypassed button on the user detail page.

If a user is marked as bypassed, user.fraud.bypassed = true and user.fraud.passed = true, regardless of whether the user passes fraud checks.

Blocking users

You can also manually block a user using the Mark as Blocked button on the user detail page.

If a user is blocked, user.fraud.blocked = true and user.fraud.passed = false, regardless of whether the user passes fraud checks.

Allowed states and countries

With Regions, you can mark specific states and countries as allowed or denied to comply with regulations. For example, a gambling app may only be allowed to operate in specific states.

If you call Radar.trackVerified(), Radar exposes your settings in user.country.allowed and user.state.allowed.

Configuring SSL pinning

To prevent man-in-the-middle attacks, you should configure SSL pinning before calling Radar.trackVerified().

On iOS, add the following to your Info.plist file:

<key>NSAppTransportSecurity</key><dict>    <key>NSAllowsArbitraryLoads</key>    <false/>    <key>NSPinnedDomains</key>    <dict>        <key>api-verified.radar.io</key>        <dict>            <key>NSIncludesSubdomains</key>            <true/>            <key>NSPinnedLeafIdentities</key>            <array>                <dict>                    <key>SPKI-SHA256-BASE64</key>                    <string>15ktYXSSU2llpy7YyCgeqUKDBkjcimK/weUcec960sI=</string>                </dict>                <dict>                    <key>SPKI-SHA256-BASE64</key>                    <string>15ktYXSSU2llpy7YyCgeqUKDBkjcimK/weUcec960sI=</string>                </dict>            </array>        </dict>    </dict></dict>

Learn more about SSL pinning on iOS.

On Android, add a res/xml/network_security_config.xml file:

<?xml version="1.0" encoding="utf-8"?><network-security-config>    <domain-config cleartextTrafficPermitted="false">        <domain includeSubdomains="true">api-verified.radar.io</domain>        <pin-set>            <pin digest="SHA-256">15ktYXSSU2llpy7YyCgeqUKDBkjcimK/weUcec960sI=</pin>            <pin digest="SHA-256">15ktYXSSU2llpy7YyCgeqUKDBkjcimK/weUcec960sI=</pin>        </pin-set>    </domain-config></network-security-config>

Learn more about Network Security Configuration on Android.

Verifying user locations

Client-side, you can verify a user's location with just a few lines of code:

Swift

Radar.trackVerified { (status, location, events, user) in  if user?.fraud?.passed == true &&    user?.country?.allowed == true &&    user?.state?.allowed == true {    // allow access to feature  } else {    // deny access to feature  }}

Kotlin

Radar.trackVerified { status, location, events, user ->  if (user?.fraud?.passed == true &&    user.country?.allowed == true &&    user.state?.allowed == true) {    // allow access to feature  } else {    // deny access to feature  }}

Fraud is not yet supported with Radar.startTracking().

Server-side, you can also get a user and check fraud flags server-side for an additional layer of verification:

curl "https://api.radar.io/v1/users/56db1f4613012711002229f4" \  -H "Authorization: prj_live_sk_..."