Skip to main content

Fraud

Fraud detects GPS spoofing, proxy and VPN usage, and device tampering.

With Regions, you can also detect a user's country and state and mark specific regions as allowed or denied to comply with regulations.

Together, Fraud and Regions provide the following user context:

{  "fraud": {    "passed": false,    "bypassed": false,    "verified": true,    "mocked": true,    "jumped": false,    "compromised": false,    "proxy": false,    "sharing": false  },  "country": {    "code": "US",    "name": "United States",    "flag": "🇺🇸",    "allowed": true  },  "state": {    "code": "MD",    "name": "Maryland",    "allowed": false  }}

How it works#

You can call Radar.trackOnce() to accurately detect a user's current geofences, current place, or current country and state.

However, users can spoof a device's location. For example, a gambling app user may spoof their location to access sports betting features only available in specific states. Or, a retail app user may spoof their location to access offers only available inside a store geofence.

To ensure you can trust a user's location, you can call Radar.trackVerified() instead. Radar will collect a variety of fraud signals and perform fraud checks, exposing flags that you can use for fraud detection and location verification in your app.

Fraud flags#

If you call Radar.trackVerified(), Radar exposes the following flags in user.fraud:

  • mocked: Indicates whether a user's location is being mocked, such as in a simulator or using a location spoofing app (e.g., Fake GPS location).
  • compromised: Indicates whether the user's device or app has been compromised according to the Play Integrity API on Android.
  • jumped: Indicates whether the user moved too far too fast (e.g., "jumped" across the country in only a few seconds).
  • sharing: Indicates whether the user is screen sharing (e.g., using TeamViewer).
  • proxy: Indicates whether the user's IP address is a known proxy, VPN, Tor exit node, etc.
  • verified: Indicates whether the request was made with SSL pinning configured successfully.

While you can work with individual flags, Radar also exposes a single user.fraud.passed flag that indicates whether all fraud checks passed.

Bypassing checks for testing#

If desired, you can bypass fraud checks for individual users using the Mark as Bypassed button on the user detail page.

If a user is marked as bypassed, user.fraud.bypassed = true and user.fraud.passed = true, regardless of whether the user passes fraud checks.

Blocking users#

You can also manually block a user using the Mark as Blocked button on the user detail page.

If a user is blocked, user.fraud.blocked = true and user.fraud.passed = false, regardless of whether the user passes fraud checks.

Allowed states and countries#

With Regions, you can mark specific states and countries as allowed or denied to comply with regulations. For example, a gambling app may only be allowed to operate in specific states.

If you call Radar.trackVerified(), Radar exposes your settings in user.country.allowed and user.state.allowed.

Configuring SSL pinning#

To prevent man-in-the-middle attacks, you should configure SSL pinning before calling Radar.trackVerified().

On iOS, add the following to your Info.plist file:

<key>NSAppTransportSecurity</key><dict>    <key>NSAllowsArbitraryLoads</key>    <false/>    <key>NSPinnedDomains</key>    <dict>        <key>api-verified.radar.io</key>        <dict>            <key>NSIncludesSubdomains</key>            <true/>            <key>NSPinnedLeafIdentities</key>            <array>                <dict>                    <key>SPKI-SHA256-BASE64</key>                    <string>15ktYXSSU2llpy7YyCgeqUKDBkjcimK/weUcec960sI=</string>                </dict>                <dict>                    <key>SPKI-SHA256-BASE64</key>                    <string>15ktYXSSU2llpy7YyCgeqUKDBkjcimK/weUcec960sI=</string>                </dict>            </array>        </dict>    </dict></dict>

Learn more about SSL pinning on iOS.

On Android, add a res/xml/network_security_config.xml file:

<?xml version="1.0" encoding="utf-8"?><network-security-config>    <domain-config cleartextTrafficPermitted="false">        <domain includeSubdomains="true">api-verified.radar.io</domain>        <pin-set>            <pin digest="SHA-256">15ktYXSSU2llpy7YyCgeqUKDBkjcimK/weUcec960sI=</pin>            <pin digest="SHA-256">15ktYXSSU2llpy7YyCgeqUKDBkjcimK/weUcec960sI=</pin>        </pin-set>    </domain-config></network-security-config>

Learn more about Network Security Configuration on Android.

Verifying user locations#

Client-side, you can verify a user's location with just a few lines of code:

Radar.trackVerified { (status, location, events, user) in  if user?.fraud?.passed == true &&    user?.country?.allowed == true &&    user?.state?.allowed == true {    // allow access to feature  } else {    // deny access to feature  }}

Fraud is not yet supported with Radar.startTracking().

Server-side, you can also get a user and check fraud flags server-side for an additional layer of verification:

curl "https://api.radar.io/v1/users/56db1f4613012711002229f4" \  -H "Authorization: prj_live_sk_..."