Fraud System Detection - variables recognition

I am currently working on Fraud System Detection that will be used by one of the financial institutions. Those tools are related to ensuring user security.

Our goal is to identify features that can trigger an early warning system for attempted fraud. We have identified three uncertain variables:

  • Whether the user is having a conversation while using our app,
  • Whether the user has specific screen sharing apps on their phone,
  • Whether the user has enabled VPN connection.

Here my doubts appear:

  • Can we check the presence of a telephone conversation if we are not a VOIP application?
  • Can we check the presence of installed programs using Universal Link and canOpenURL(_:) method?
  • Can we read "SCOPED" key from CFNetworkCopySystemProxySettings() dictionary?

I will be glad for any advice and help.

Fraud detection falls into many of the same pitfalls as DRM. Doing it well requires you to do a bunch of stuff that’s likely to cause binary compatibility problems down the line. In general, DTS doesn’t support such things, except for Apple provided systems.

Apropos that, Apple provides two APIs that are relevant to this:

  • Device Check

  • App Attest

To learn about those, see the Device Check framework docs.

Given the above, I have to be careful when answering questions like this. I’m only going to recommend things that I believe will work in the long term. If you search around on the ’net you will likely find other answers. It’s not uncommon for those answers to be based on implementation details, things that might change in the future and thus cause you compatibility problems.

Oh, one other thing. Lots of your questions are phrased as “can we”, leaving two possible interpretations:

  • Is there a supported way to do this?

  • Will that be approved by App Review?

My focus is on the first. I don’t work for App Review and can’t give you definitive answers about their policies.


So, with that in mind, let’s get back to your questions:

Written by Piotr-J in 774636021
Can we check the presence of a telephone conversation if we are not a VOIP application?

No. You might be able to make some progress on this front with Core Telephony but that framework was specifically designed for VoIP apps and is not intended to be used for fraud detection.

Written by Piotr-J in 774636021
Can we check the presence of installed programs using Universal Link and canOpenURL(_:) method?

Yes and no.

That API was designed to allow apps to improve their UI by disabling options that don’t make sense on specific devices. For example, it allowed apps to hide a Call This Person button on iPad. It was never intended to be used as a mechanism to survey the available apps on the system.

iOS does not, in general, have a mechanism for app A to tell whether app B is installed. There are some limited cases where canOpenURL(_:) works for this, but that runs counter to the overall platform goals. As such, we’ve applied increasing technical restrictions to it over time. If you use it for this, you may well run into further restrictions in the future.

Written by Piotr-J in 774636021
Can we read "SCOPED" key from CFNetworkCopySystemProxySettings() dictionary?

Well, yes, obviously. However, it sounds like you’re trying to infer the presence of a VPN from that property, which is not valid. It yields both false positives and false negatives. That is:

  • Not all VPNs set that property.

  • Some non-VPNs set that property.

There isn’t a good way to check for the presence of a VPN, partly because there isn’t a good definition of a VPN. For example, is iCloud Private Relay a VPN? Well, it depends on your point of view. And the answer might change when you look at third-party relays.

You can check the interface type used for a specific outgoing network connection. I have lots of backstory to that in the various posts hung off Extra-ordinary Networking. However, I very much doubt you’ll be able to build a reliable fraud detection mechanism based on that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
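
The client side of the App Attest flow that the answer above points to, as an added example that is not part of the original thread or Apple's own sample code. The `AttestationBackend` protocol, its two methods and the `AppAttestClient` type are hypothetical stand-ins for your own server API, which has to validate the attestation and every assertion.

```swift
import CryptoKit
import DeviceCheck
import Foundation

// Hypothetical backend interface (assumption): replace with your own server calls.
protocol AttestationBackend {
    /// Returns a fresh, single-use random challenge issued by the server.
    func fetchChallenge() async throws -> Data
    /// Uploads the attestation object so the server can validate it and store the key.
    func register(keyID: String, attestation: Data, challenge: Data) async throws
}

enum AttestError: Error { case unsupported }

@available(iOS 14.0, *)
struct AppAttestClient {
    let backend: AttestationBackend
    private let service = DCAppAttestService.shared

    /// One-time enrolment: create a hardware-backed key and have Apple attest it.
    func enroll() async throws -> String {
        // App Attest is not available on every device or in every context.
        // Report that to the server as one risk signal; it is not proof of fraud.
        guard service.isSupported else { throw AttestError.unsupported }

        let keyID = try await service.generateKey()

        // Binding the attestation to a server challenge stops it being replayed.
        let challenge = try await backend.fetchChallenge()
        let hash = Data(SHA256.hash(data: challenge))
        let attestation = try await service.attestKey(keyID, clientDataHash: hash)

        try await backend.register(keyID: keyID, attestation: attestation, challenge: challenge)
        return keyID  // Persist this identifier for later assertions.
    }

    /// Per-request: produce an assertion over a sensitive payload (for example a transfer).
    /// The payload should embed a fresh server challenge so the assertion is single-use.
    func assertion(for payload: Data, keyID: String) async throws -> Data {
        let hash = Data(SHA256.hash(data: payload))
        return try await service.generateAssertion(keyID, clientDataHash: hash)
    }
}
```

The trust decision stays on the server: the app only produces the attestation and assertions, and the risk engine decides what weight to give them.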
