[chromium-discuss] [Chrome for Android] Fraud Detection through impossible OS-/Chrome-Version combinations?

Discussion:

Frank Maschmeier

2018-08-21 11:35:48 UTC

Dear experts,

while filtering fraudulent mobile traffic we make use of abnormalities in
the User Agent (UA) since fraudsters tend to fake such UAs.

So far a few impossible and also very uncommon combinations of
Android-OS-Versions vs. Chrome-Versions were found. For the uncommon ones
the bullet proof evidence for fraud is missing. Such evidence might be
given by answers to following questions which I was unable to answer after
extensive web search:

1) Does Android OS Version X (when pre-installed on device - not via
update) comes with or forces a specific/minimum Chrome Version a) in
Webview-Apk b) with standalone Chrome-App or does both need to be updated
through Play Store and therefore can "stay old" once "Automatic Update" is
disabled?
Known facts:
i) Chrome 30.0.0.0 is only valid with Android 4.4 to 4.4.2 (and stands for
Webview).
ii) Chrome 33.0.0.0 is only valid with Android 4.4.3 (and stands for
Webview).
iii) From Android OS Version 5 (Lollipop) Chrome User Agents can stand for
the separate Webview-APK (includes "wv" in UA) or the standalone Chrome-APK
whereas both share identical version numbers.
iv) From Android Version 8, if standalone Chrome-App is installed, the
Webview-APK will be disabled and the Webview uses the source code of
Chrome-APK instead.
v) When looking at traffic from Android 8+, statistical relevance starts
with Chrome Version 56. Still older version show up in small numbers, but
might be coming from fraudulent sources.

Ideal outcome (just as an example):
...
Android 8.0 - Webview -> Minimum Chrome Version xx.x.xxxx
Android 8.0 - Standalone -> no minimum Chrome Version
Android 8.1 - Webview -> Minimum Chrome Version xx.x.xxxx
Android 8.1 - Standalone -> no minimum Chrome Version
...

2) Does an Android OS Update also update or forces the Update of a) the
Webview-APK b) Chrome-Browser-APK?
I expect that 2b) is rather not included in Android-Update.

3) Does certain Chrome-Browser-APK-Versions require a minimum Android OS
Version requirement?
For Webview APK Google Play store says Minimum 5.0
For Chrome APK it says "depends on device" -> if so, is there a list of
device -> minimum-OS-Version available somewhere?

Thank you for your help & best regards,

Frank

--
--
Chromium Discussion mailing list: chromium-***@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss

---
You received this message because you are subscribed to the Google Groups "Chromium-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-discuss+***@chromium.org.

Torne (Richard Coles)

2018-08-22 15:10:22 UTC

Permalink

Post by Frank Maschmeier
1) Does Android OS Version X (when pre-installed on device - not via
update) comes with or forces a specific/minimum Chrome Version a) in
Webview-Apk

Yes; each OS version has a minimum WebView version that is required for the
OS to function correctly, but devices ship with a newer webview version
than the minimum preinstalled in many cases. We don't have an easily
accessible list anywhere of what these minimum versions are.

Post by Frank Maschmeier
b) with standalone Chrome-App

Chrome doesn't have the same compatibility concerns - generally the chrome
and webview versions preinstalled will be the same, but this isn't
guaranteed.

Post by Frank Maschmeier
iv) From Android Version 8, if standalone Chrome-App is installed, the
Webview-APK will be disabled and the Webview uses the source code of
Chrome-APK instead.

This is incorrect; the ability to use Chrome as the WebView implementation
was introduced in Android 7 (Nougat).

v) When looking at traffic from Android 8+, statistical relevance starts

Post by Frank Maschmeier
with Chrome Version 56. Still older version show up in small numbers, but
might be coming from fraudulent sources.
...
Android 8.0 - Webview -> Minimum Chrome Version xx.x.xxxx
Android 8.0 - Standalone -> no minimum Chrome Version
Android 8.1 - Webview -> Minimum Chrome Version xx.x.xxxx
Android 8.1 - Standalone -> no minimum Chrome Version
...

This is also incorrect. There is no way for you to tell the difference,
server side, between the different WebView implementations: whether it's
provided by the WebView APK or the Chrome APK, the useragent and all other
behaviour are identical (and if they are not, that would be a bug in the
WebView implementation).

WebView always requires a certain minimum version based on the OS version,
regardless of which APK is providing it, but as I said, we don't really
have a list of these anywhere.

Post by Frank Maschmeier
2) Does an Android OS Update also update or forces the Update of a) the
Webview-APK b) Chrome-Browser-APK?

After an Android OS update the user will always be left with a webview
implementation that is no older than the one preinstalled in the OS, but
this isn't guaranteed to be either APK in particular (the systems that make
sure this works are quite complex).

Since Chrome comes in multiple side-by-side installable channels (stable,
beta, dev, canary), it's possible for users to have another channel of
Chrome installed which is *older* than the stable version that is
preinstalled in their OS - nothing prevents an Android 8.1 device from
having a very old version of chrome also installed in another channel, and
you cannot tell which channel the user is using from the serverside (it's
not included in the useragent).

Post by Frank Maschmeier
I expect that 2b) is rather not included in Android-Update.

Both WebView and Chrome APKs are often included in Android OS updates, but
the version in the OS update is not guaranteed to be newer than the version
that the user already has updated from the Play Store, so the existing play
store updated version will continue to be used if it's newer.

Post by Frank Maschmeier
3) Does certain Chrome-Browser-APK-Versions require a minimum Android OS
Version requirement?
For Webview APK Google Play store says Minimum 5.0
For Chrome APK it says "depends on device" -> if so, is there a list of
device -> minimum-OS-Version available somewhere?

It doesn't depend on the device. There is a different copy of the Chrome
APK depending on which android OS version the device has, but these copies
of Chrome are all the same version and will have the saem useragent and
identical behaviour - they are just packaged differently to be most
efficient for the different OS versions' requirements. There is a current
version of Chrome for all Android versions 4.1 and up; Android 4.0 used to
be supported but is no longer updated (the last version for 4.0 was Chrome
42).

Hopefully this makes things somewhat clear: in general you can't make very
many assumptions about what combinations are valid because most
combinations are ok.
Also, many devices which do not include the Google Play Store, or which
have custom ROMs installed, may have very unusual but valid configurations,
because these device images aren't necessarily following any of the
distribution rules for the Google apps.

Frank Maschmeier

2018-08-23 14:17:24 UTC

Permalink

Thank you so much for taking the time giving such a detailed answer. It
definitely helps.
A 6-digit subset of app install click data provided from a fraud detection
company shows 15% of app installs on Android 8.x with Chrome Version 18.
With your info I consider at least this as proven fraud.
For the non-webview browsers I guess I will then continue with the approach
on looking at the variation in comparison to to the expected Chrome Version
distribution.

It's a pitty that there isn't such *list of minimum Chrome-Version per
Android-OS-Version/-Update* (for webview). *If somebody has an idea how to
obtain *(e.g. from extracting source-code or else)*, please let me know.*
Else, I guess I will just buy a few old phones and test it myself.

Again, thanks a lot.

Torne (Richard Coles)

2018-08-23 15:04:09 UTC

Permalink

Post by Frank Maschmeier
Thank you so much for taking the time giving such a detailed answer. It
definitely helps.
A 6-digit subset of app install click data provided from a fraud detection
company shows 15% of app installs on Android 8.x with Chrome Version 18.
With your info I consider at least this as proven fraud.

There are other browsers based on chromium that may not be updated on the
same schedules - most of these identify themselves by adding additional
information to the user agent, but they might not all do so. Some of these
browsers are quite outdated, though 18 is a loooong time ago and does seem
quite unlikely.

For the non-webview browsers I guess I will then continue with the approach

Post by Frank Maschmeier
on looking at the variation in comparison to to the expected Chrome Version
distribution.
It's a pitty that there isn't such *list of minimum Chrome-Version per
Android-OS-Version/-Update* (for webview). *If somebody has an idea how
to obtain *(e.g. from extracting source-code or else)*, please let me
know.* Else, I guess I will just buy a few old phones and test it myself.

As I said you can't tell this information by looking at phones, because
devices typically ship with the latest version of chrome and webview that
was available at the time that that device's ROM image was built, so
different phones on the exact same Android version might come with totally
different preinstalled versions. You'd want to check the AOSP sources to
see which version was included in the original, non-updated version of each
major OS update (API level), as that is the actual minimum that is
supported.

Post by Frank Maschmeier
Again, thanks a lot.
--
--
http://groups.google.com/a/chromium.org/group/chromium-discuss