Fraud
With Fraud, you can detect GPS spoofing, proxy and VPN usage, and device tampering.
Along with Regions, you can also detect a user's country and state and mark specific regions as allowed or blocked to comply with regulations.
Together, Fraud and Regions provide the following user context:
{ "fraud": { "verified": true, "passed": false, "bypassed": false, "blocked": false, "mocked": true, "jumped": false, "compromised": false, "inaccurate": false, "proxy": false, "sharing": false, "lastMockedAt": "2023-07-27T17:18:28.536Z", "lastJumpedAt": "2023-07-27T17:18:28.536Z", "lastCompromisedAt": null, "lastInaccurateAt": null, "lastProxyAt": null, "lastSharingAt": null }, "country": { "code": "US", "name": "United States", "flag": "🇺🇸", "passed": true, "allowed": true }, "state": { "code": "NJ", "name": "New Jersey", "passed": true, "allowed": true, "distanceToBorder": 1092, "inBufferZone": false, "inExclusionZone": false }}
#
QuickstartFirst, sign up for Radar and get an API key.
Then, enable Fraud on the Settings page.
From there, integrate the SDK, complete the steps below, and call Radar.trackVerified()
or Radar.startTrackingVerified()
. Radar will perform fraud and jurisdiction checks as described below.
#
How it worksYou can call Radar.trackOnce()
to accurately detect a user's current geofences, current place, or current country and state.
However, users can spoof a device's location. For example, a gaming app user may spoof their location to access sports betting features only available in specific states. Or, a retail app user may spoof their location to access offers only available inside a store geofence.
To ensure you can trust a user's location, you can call Radar.trackVerified()
instead. Radar will collect a variety of fraud signals and perform fraud and jurisdiction checks, calculating flags and a signed geolocation token that you can use for fraud detection and geo-compliance in your app.
#
Fraud flagsIf fraud detection is enabled, Radar exposes the following flags in user.fraud
:
mocked
: Indicates whether a user's location is being mocked, such as in a simulator or using a location spoofing app (e.g., Fake GPS location).jumped
: Indicates whether the user moved too far too fast (e.g., "jumped" across the country in only a few seconds).compromised
: Indicates whether the user's device or app has been compromised (e.g., rooted, jailbroken) according to the Play Integrity API on Android or App Attest service on iOS.inaccurate
: Indicates whether the user's location accuracy is too low to pass verification.sharing
: Indicates whether the user is using screen sharing or remote desktop software (e.g., using TeamViewer).proxy
: Indicates whether the user's IP address is a known proxy or VPN.verified
: Indicates whether the request was made withRadar.trackVerified()
.
While you can work with individual flags, Radar also exposes a single user.fraud.passed
flag that indicates whether all fraud checks passed.
Additionally, the lastMockedAt
, lastJumpedAt
, lastCompromisedAt
, lastInaccurateAt
, lastProxyAt
, and lastSharingAt
timestamps indicate the last time that the user failed each fraud check.
Finally, more detailed failure reasons are also exposed.
#
Bypassing checks for testingIf desired, you can bypass fraud checks for individual users using the Mark as Bypassed button on the user detail page.
If a user is marked as bypassed, user.fraud.bypassed = true
and user.fraud.passed = true
, regardless of whether the user passes fraud checks.
#
Blocking usersYou can also manually block a user using the Mark as Blocked button on the user detail page.
If a user is blocked, user.fraud.blocked = true
and user.fraud.passed = false
, regardless of whether the user passes fraud checks.
#
Allowed states and countriesWith Regions, you can mark specific countries or states as allowed or blocked to comply with regulations. For example, a sportsbook or daily fantasy sports app may only be allowed to operate in specific US states.
Radar exposes your settings in user.country.allowed
and user.state.allowed
.
Additionally, you can enable buffer zones and exclusion zones for different states. If buffer zones and exclusion zones are enabled, user.state.inBufferZone
and user.state.inExclusionZone
indicates whether the user is within a buffer zone or exclusion zone.
While you can work with individual flags, Radar also exposes user.state.passed
and user.country.passed
flags that indicate whether all jurisdiction checks passed.
Finally, more detailed failure reasons are also exposed.
#
Platform-specific configuration#
Android#
Initialize SDKTo support the sharing
flag on Android, pass fraud = true
to Radar.initialize()
.
Radar.initialize( context = this, publishableKey = "prj_test_pk_...", fraud = true)
#
Play Integrity APITo support the compromised
flag on Android, enable the Play Integrity API on the Settings page.
If the user's device or app does not meet basic integrity checks, user.fraud.compromised = true
.
You must add the Play Integrity API dependency before calling Radar.trackVerified()
.
Add the dependency to the dependencies
section of your app's build.gradle
file:
dependencies { implementation 'com.google.android.play:integrity:1.2.0'}
If Radar.trackVerified()
returns ERROR_FORBIDDEN
, check the logs. The Play Services version on the device may be out of date.
#
SSL pinningTo enable SSL pinning and prevent man-in-the-middle attacks, add a res/xml/network_security_config.xml
file:
<?xml version="1.0" encoding="utf-8"?><network-security-config> <!-- for React Native --> <domain-config cleartextTrafficPermitted="true"> <domain includeSubdomains="true">localhost</domain> </domain-config>
<!-- for SSL pinning --> <domain-config cleartextTrafficPermitted="false"> <domain includeSubdomains="true">api-verified.radar.io</domain> <pin-set> <pin digest="SHA-256">15ktYXSSU2llpy7YyCgeqUKDBkjcimK/weUcec960sI=</pin> <pin digest="SHA-256">15ktYXSSU2llpy7YyCgeqUKDBkjcimK/weUcec960sI=</pin> </pin-set> </domain-config></network-security-config>
Learn more about Network Security Configuration on Android.
#
iOS#
App AttestTo support the compromised
flag on iOS, enable App Attest and configure a list of valid App IDs (e.g., A1B2C3D4E5.com.yourapp.app1,A1B2C3D4E5.com.yourapp.app2
) on the Settings page.
If App Attest indicates that the user's device or app has been compromised, user.fraud.compromised = true
.
App Attest requires iOS 14 and above. If Radar.trackVerified()
returns ERROR_FORBIDDEN
, check the logs. The iOS version on the device may not support App Attest.
#
SSL pinningTo enable SSL pinning and prevent man-in-the-middle attacks, add the following to your Info.plist
file:
<key>NSAppTransportSecurity</key><dict> <key>NSAllowsArbitraryLoads</key> <false/> <key>NSPinnedDomains</key> <dict> <key>api-verified.radar.io</key> <dict> <key>NSIncludesSubdomains</key> <true/> <key>NSPinnedLeafIdentities</key> <array> <dict> <key>SPKI-SHA256-BASE64</key> <string>15ktYXSSU2llpy7YyCgeqUKDBkjcimK/weUcec960sI=</string> </dict> <dict> <key>SPKI-SHA256-BASE64</key> <string>15ktYXSSU2llpy7YyCgeqUKDBkjcimK/weUcec960sI=</string> </dict> </array> </dict> </dict></dict>
Learn more about SSL pinning on iOS.
#
Web and desktopThe web SDK supports a companion app solution and a pure-JavaScript no-download solution.
The companion app solution uses the Radar Verify apps to support remote desktop detection with the sharing
flag, more advanced mocked
and proxy
detection, and more stable device IDs. Download the Radar Verify Mac app or the Radar Verify Windows app. By default, Radar.trackVerified()
expects the Radar Verify app to be running and returns ERROR_VERIFY_APP
if it is not.
To skip the Radar Verify app and use the no-download solution, pass { skipVerifyApp: true }
to Radar.trackVerified()
, Radar.startTrackingVerified()
, and Radar.getVerifiedLocationToken()
.
#
Verifying user locationsOnce the above configuration is complete, you can perform location checks and verify a user's location with just a few lines of code.
Choose your implementation pattern depending on your use cases:
- Less regulated gaming implementations, non-US gaming implementations, and non-gaming implementations should generally choose Manual location checks and, on web, the no-download solution.
- US sportsbook and iGaming implementations should generally choose Automatic location checks with caching and, on web, the companion app solution.
#
Manual location checksYou can call Radar.trackVerified()
to manually perform a location check. Radar.trackVerified()
returns a RadarVerifiedLocationToken
with:
passed
: A boolean indicating whether the user passed all fraud and jurisdiction checks (user.fraud.passed && user.country.passed && user.state.passed
).token
: A tamper-proof JSON Web Token (JWT) that you can send to your server to validate the signature, signed with the JSON Web Token (JWT) Secret Key found under Fraud on the Settings page.failureReasons
: Ifpassed == false
, an array of more detailed failure reasons.expiresAt
: The datetime when the token expires, by default in 20 minutes, but earlier when close to the border (e.g., 1 minute within 1 mile of the border in New Jersey).expiresIn
: The number of seconds until the token expires.user
: The user, with detailed information inuser.fraud
,user.country
, anduser.state
.events
: The events generated, if any.
- Swift
- Kotlin
- Web
- React Native
- Capacitor
- Flutter
Radar.trackVerified { (status, token) in if token?.passed == true { // allow access, send token to server } else { // deny access, show error message }}
Radar.trackVerified { status, token -> if (token?.passed == true) { // allow access, send token to server } else { // deny access, show error message }}
const skipVerifyApp = false // use true for no-download solution
Radar.trackVerified({ skipVerifyApp }).then((result) => { const { passed, token, expiresIn, user } = result; if (passed) { // allow access, send token to server } else { // deny access, show error message }}).catch((err) => { // deny access, show error message});
Radar.trackVerified().then((result) => { const { token } = result; if (token?.passed) { // allow access, send token to server } else { // deny access, show error message }}).catch((err) => { // deny access, show error message});
Radar.trackVerified().then((result) => { const { token } = result; if (token?.passed) { // allow access, send token to server } else { // deny access, show error message }}).catch((err) => { // deny access, show error message});
var res = await Radar.trackVerified();
You can send the JWT to your server and validate the signature using a JWT library. For example, in JavaScript:
const jwt = require('jsonwebtoken');
try { const decoded = jwt.verify(token, SECRET_KEY); const { user } = decoded; // token is valid, check payload to allow or deny access} catch (err) { // token is invalid, deny access, show error message}
#
Automatic location checks with cachingYou can call Radar.startTrackingVerified()
automatically perform location checks on connection changes, on the specified interval
, or more frequently if token.expiresIn < interval
(based on current state, distance to border, and so on).
Instead of calling Radar.trackVerified()
, which always fetches a fresh location token, you can call Radar.getVerifiedLocationToken()
, which returns a cached location token immediately if the last location token is still valid, or fetches a fresh location token if not.
If you set a delegate on iOS with Radar.setVerifiedDelegate()
or a receiver on Android with Radar.setVerifiedReceiver()
, fresh location tokens are also delivered to RadarVerifiedDelegate.didUpdateToken()
and RadarVerifiedReceiver.onTokenUpdated()
, respectively.
For example, to automatically verify the user's location at least every 20 minutes (1200 seconds), without ranging beacons:
- Swift
- Kotlin
- Web
- React Native
- Capacitor
- Flutter
Radar.setVerifiedDelegate(delegate)
Radar.startTrackingVerified(interval: 1200, beacons: false)
// get a cached token if available, or fetch a fresh token if notRadar.getVerifiedLocationToken { (status, token) in if token?.passed == true { // allow access, send token to server } else { // deny access, show error message }}
// delivers fresh tokens to RadarVerifiedDelegatefunc didUpdateToken(_ token: RadarVerifiedLocationToken) { // send token to server}
Radar.setVerifiedReceiver(receiver)
Radar.startTrackingVerified(interval = 1200, beacons = false)
// get a cached token if available, or fetch a fresh token if notRadar.getVerifiedLocationToken { (status, token) in if (token?.passed == true) { // allow access, send token to server } else { // deny access, show error message }}
// delivers fresh tokens to RadarVerifiedReceiveroverride fun onTokenUpdated(context: Context, token: RadarVerifiedLocationToken) { // send token to server}
const skipVerifyApp = false // use true for no-download solution
Radar.startTrackingVerified({ skipVerifyApp, interval: 1200 });
// get a cached token if available, or fetch a fresh token if notRadar.getVerifiedLocationToken({ skipVerifyApp }).then((result) => { const { passed, token, expiresIn, user } = result; if (passed) { // allow access, send token to server } else { // deny access, show error message }}).catch((err) => { // deny access, show error message});
Radar.onTokenUpdated((result) => { const { passed, token, expiresIn, user } = result; // send token to server});
Radar.startTrackingVerified({ interval: 1200, beacons: false,});
// get a cached token if available, or fetch a fresh token if notRadar.getVerifiedLocationToken().then((result) => { const { token } = result; if (token?.passed) { // allow access, send token to server } else { // deny access, show error message }}).catch((err) => { // deny access, show error message});
// delivers fresh tokens to listenerRadar.on('token', (result) => { const { token } = result; // send token to server});
Radar.startTrackingVerified({ interval: 1200, beacons: false,});
// get a cached token if available, or fetch a fresh token if notRadar.getVerifiedLocationToken().then((result) => { const { token } = result; if (token?.passed) { // allow access, send token to server } else { // deny access, show error message }}).catch((err) => { // deny access, show error message});
// delivers fresh tokens to listenerRadar.addListener('token', (result) => { const { token } = result; // send token to server});
Radar.startTrackingVerified(1200, false)
// get a cached token if available, or fetch a fresh token if notvar res = await Radar.getVerifiedLocationToken();
// delivers fresh tokens to listenerRadar.onToken(onToken);
#
Failure reasonsIf passed == false
, responses include an array of more detailed failure reasons.
country_not_allowed
: The user's location is in a country that is not allowed based on jurisdiction settings.country_not_expected
: The user's location is in a country that is not expected based onRadar.setExpectedJurisdiction()
.country_in_buffer_zone
: The user's location is too close to the border of a country, either based on a jurisdiction-specific threshold or based on the location accuracy reported by the device (i.e., a "radius of uncertainty" that overlaps a country border).country_in_exclusion_zone
: The user's location is in a country-specific exclusion zone, if enabled.state_not_allowed
: The user's location is in a state or province that is not allowed according to jurisdiction settingsstate_not_expected
: The user's location is in a state or province that is not expected according toRadar.setExpectedJurisdiction()
.state_in_buffer_zone
: The user's location is too close to the border of a state or province, either based on a jurisdiction-specific threshold or based on the location accuracy reported by the device (i.e., a "radius of uncertainty" that overlaps a state or province border).state_in_exclusion_zone
: The user's location is in a state- or province-specific exclusion zone, if enabled.fraud_blocked_user_id
: TheuserId
of the user is blocked (all platforms).fraud_blocked_device_id
: ThedeviceId
of the user is blocked (all platforms).fraud_blocked_ip
: The IP of the user is blocked (all platforms).fraud_blocked_risk_score_auto_block
: The user or device was automatically blocked based on a high risk score (all platforms).fraud_compromised_jailbroken
: The user's iOS device is jailbroken (iOS only).fraud_compromised_app_attest
: The user's iOS device failed App Attest checks (iOS only).fraud_compromised_play_integrity_api
: The user's Android device failed Play Integrity API basic integrity checks (Android only).fraud_mocked_from_mock_provider
: The user's location is mocked or spoofed according to iOS, Android, macOS, or Windows location services (all platforms).fraud_mocked_known_spoofing_app
: The user's device is running a known location spoofing app (macOS and Windows only).fraud_mocked_inconsistent_ip_country
: The user's location is in a country inconsistent with the IP geolocation country (all platforms).fraud_jumped_exceeded_speed_threshold
: The user moved too far too fast (e.g., "jumped" across the country in a few seconds), either for a single device or across devices shared by a singleuserId
, indicating impossible travel (all platforms).fraud_inaccurate_exceeded_accuracy_threshold
: The user's location accuracy reported by the device is too low and exceeds a specified threshold (all platforms).fraud_sharing_known_screen_sharing_app
: The user's device is running a known screen sharing or remote desktop app (macOS and Windows only).fraud_sharing_multiple_displays
: The user's Android device has multiple displays, indicating possible screen sharing (Android only).fraud_sharing_virtual_input_device
: The user's Android device has a virtual input device, indicating possible screen sharing (Android only).fraud_sharing_suspicious_touches
: The user's Android device had suspicious touches, indicating possible screen sharing (Android only).fraud_proxy_known_proxy_ip
: The user's IP address is a known proxy or VPN (all platforms).fraud_proxy_network_configuration
: The user's network configuration indicates the use of a proxy or VPN (macOS and Windows only).
#
TroubleshootingTo troubleshoot a failed geolocation check, go to the Fraud page. Use the Filters button to filter down to specific user IDs, IP addresses, or jurisdictions, and use the date filters to filter down to specific dates or times.
Click on a specific geolocation check to see all the details, including a map view, failure reasons, detailed user, device, IP, and jurisdiction information, and more.
#
User and device risk scoresYou can use risk scores to identify high risk users and devices. Risk scores are based on a "strikes" system:
- No strikes = no risk
- 1 strike = low risk
- 2 strikes = medium risk
- 3 strikes = high risk
Users and device receive strikes for the following fraud signals within a lookback period, by default the last 7 days:
mocked
flag: 2 strikesjumped
,compromised
,sharing
, andproxy
flags: 1 strike- More than 5 user IDs per device ID: 1 strike
- More than 5 device IDs per user ID: 1 strike
When the risk score changes for a user or device, it also changes for all associated users and devices (i.e., all users associated with that device ID, or all device IDs associated with that user).
The fraud signals, number of strikes per fraud signal, and lookback period are configurable.
To receive real-time email alerts when users reach high risk, and to receive a weekly report with high risk users, set a Notification email under Fraud on the Settings page.
You can also automatically block high risk users.
#
Error handlingOn errors or failed fraud checks, you may want to display a message to the end user. For example:
- On
ERROR_PERMISSIONS
: Unable to determine your location. Please make sure you've granted location permissions and try again. - On
ERROR_LOCATION
: Unable to determine your location. Please make sure location services and wi-fi are enabled and try again. - On
ERROR_NETWORK
: Unable to determine your location. Please make sure you're connected to the Internet and try again. - On
country.allowed == false
orstate.allowed == false
: Unable to verify your location. Please make sure you're in an allowed area and try again. - On
fraud.proxy == true
: Unable to verify your location. Please disconnect from any VPNs or proxy servers you may be using and try again. - On other error cases, or as a fallback: Unable to verify your location. Please contact support.