Fraud
Fraud detects GPS spoofing, proxy and VPN usage, and device tampering.
With Regions, you can also detect a user's country and state and mark specific regions as allowed or denied to comply with regulations.
Together, Fraud and Regions provide the following user context:
{ "fraud": { "passed": false, "bypassed": false, "verified": true, "mocked": true, "jumped": false, "compromised": false, "proxy": false, "sharing": false }, "country": { "code": "US", "name": "United States", "flag": "🇺🇸", "allowed": true }, "state": { "code": "MD", "name": "Maryland", "allowed": false }}
#
How it worksYou can call Radar.trackOnce()
to accurately detect a user's current geofences, current place, or current country and state.
However, users can spoof a device's location. For example, a gambling app user may spoof their location to access sports betting features only available in specific states. Or, a retail app user may spoof their location to access offers only available inside a store geofence.
To ensure you can trust a user's location, you can call Radar.trackVerified()
instead. Radar will collect a variety of fraud signals and perform fraud checks, exposing flags that you can use for fraud detection and location verification in your app.
#
Fraud flagsIf you call Radar.trackVerified()
, Radar exposes the following flags in user.fraud
:
mocked
: Indicates whether a user's location is being mocked, such as in a simulator or using a location spoofing app (e.g., Fake GPS location).compromised
: Indicates whether the user's device or app has been compromised according to the Play Integrity API on Android.jumped
: Indicates whether the user moved too far too fast (e.g., "jumped" across the country in only a few seconds).sharing
: Indicates whether the user is screen sharing (e.g., using TeamViewer).proxy
: Indicates whether the user's IP address is a known proxy, VPN, Tor exit node, etc.verified
: Indicates whether the request was made with SSL pinning configured successfully.
While you can work with individual flags, Radar also exposes a single user.fraud.passed
flag that indicates whether all fraud checks passed.
#
Bypassing checks for testingIf desired, you can bypass fraud checks for individual users using the Mark as Bypassed button on the user detail page.
If a user is marked as bypassed, user.fraud.bypassed = true
and user.fraud.passed = true
, regardless of whether the user passes fraud checks.
#
Blocking usersYou can also manually block a user using the Mark as Blocked button on the user detail page.
If a user is blocked, user.fraud.blocked = true
and user.fraud.passed = false
, regardless of whether the user passes fraud checks.
#
Allowed states and countriesWith Regions, you can mark specific states and countries as allowed or denied to comply with regulations. For example, a gambling app may only be allowed to operate in specific states.
If you call Radar.trackVerified()
, Radar exposes your settings in user.country.allowed
and user.state.allowed
.
#
Configuring SSL pinningTo prevent man-in-the-middle attacks, you should configure SSL pinning before calling Radar.trackVerified()
.
On iOS, add the following to your Info.plist
file:
<key>NSAppTransportSecurity</key><dict> <key>NSAllowsArbitraryLoads</key> <false/> <key>NSPinnedDomains</key> <dict> <key>api-verified.radar.io</key> <dict> <key>NSIncludesSubdomains</key> <true/> <key>NSPinnedLeafIdentities</key> <array> <dict> <key>SPKI-SHA256-BASE64</key> <string>15ktYXSSU2llpy7YyCgeqUKDBkjcimK/weUcec960sI=</string> </dict> <dict> <key>SPKI-SHA256-BASE64</key> <string>15ktYXSSU2llpy7YyCgeqUKDBkjcimK/weUcec960sI=</string> </dict> </array> </dict> </dict></dict>
Learn more about SSL pinning on iOS.
On Android, add a res/xml/network_security_config.xml
file:
<?xml version="1.0" encoding="utf-8"?><network-security-config> <domain-config cleartextTrafficPermitted="false"> <domain includeSubdomains="true">api-verified.radar.io</domain> <pin-set> <pin digest="SHA-256">15ktYXSSU2llpy7YyCgeqUKDBkjcimK/weUcec960sI=</pin> <pin digest="SHA-256">15ktYXSSU2llpy7YyCgeqUKDBkjcimK/weUcec960sI=</pin> </pin-set> </domain-config></network-security-config>
Learn more about Network Security Configuration on Android.
#
Verifying user locationsClient-side, you can verify a user's location with just a few lines of code:
- Swift
- Kotlin
Radar.trackVerified { (status, location, events, user) in if user?.fraud?.passed == true && user?.country?.allowed == true && user?.state?.allowed == true { // allow access to feature } else { // deny access to feature }}
Radar.trackVerified { status, location, events, user -> if (user?.fraud?.passed == true && user.country?.allowed == true && user.state?.allowed == true) { // allow access to feature } else { // deny access to feature }}
Fraud is not yet supported with Radar.startTracking()
.
Server-side, you can also get a user and check fraud flags server-side for an additional layer of verification:
curl "https://api.radar.io/v1/users/56db1f4613012711002229f4" \ -H "Authorization: prj_live_sk_..."