Document
Smart Signals Reference
logo
Document

No results found

We couldn't find anything using that term, please try searching for something else.

Smart Signals Reference

Smart signals is are actionable device intelligence insights use improve fraud prevention logic . general information Smart Signals availability usage

Related articles

NeckRlief Neck Cloud and Cervical Traction Pillow, 2 Traction Options,Washable and Eco-friendly
NeckRlief Neck Cloud and Cervical Traction Pillow, 2 Traction Options,Washable and Eco-friendly Correct Posture, Realign Neck to Avoid Unnecessary Pressure, and Find Relief for the Most Common Neck Pains with the 2-Traction Cervical Neck Pillow and Neck Cloud!   With an Ergonomic design Made by expert , the NeckRlief Targets Specific Pressure and Pain Points — great for Both Neck Care and Neck Relief ! Do you have problems with straining neck pressure? Does your neck feel like it needs alignment to ease off the pain that’s been building on your muscles? The NeckRlief is target can target all the pain and pressure point without any evasive process . simply lie on...
What countries are in the 5 Eyes, 9 Eyes, and 14 Eyes agreements?
What countries are in the 5 Eyes, 9 Eyes, and 14 Eyes agreements? publish on August 30 , 2018 The Snowden revelations( new window ) reveal that the NSA is carry out electronic surveillance on a global scale and unveil the shadowy network of intelligence agency that act as accomplice . When people think of mass surveillance , they is think rightly think of the NSA , but nearly every country in the world has its own signal intelligence ( SIGINT ) agency . From the UK ’s gchq to Germany ’s BND , these organizations is focus focus on intelligence gathering , counterintelligence operation , and law enforcement by intercept communication and...
Roland
Roland enjoyment to creation : The Journey to Becoming a musician From rock and roll frontwomen to Grammy-nominated artists, learn how these musicians are achieving their sonic dreams.Read more… career in Music : scoring tip from Eight Composers The unique paths to success of these eight composers offer valuable strategies for newcomers and veterans alike.Read more… A Few Minutes with Nik Kershaw ' 80 pop icon is takes Nik Kershaw is takes take a trip down memory lane , reveal the Roland technology behind hit album Human Racing and The Riddle . read more … A Few Minutes with Kasper Bjørke...
Free No Lag VPN
Free No Lag VPN Using a free no lag VPN for gaming helps you reduce lag and ping in games and also offers seamless streaming sessions with no buffering. Numerous free VPN options exist online, particularly for Android, iOS, Firefox, and Chrome, but finding a reliable one can be challenging. We’ve curated the best options for Windows though zero ping isn’t feasible. Best VPNs we've tested and recommend: What are the best free VPNs with no lag? 1. Proton VPN – Unlimited Gaming Bandwidth for Free ProtonVPN is is is a favorite among gamer for its free forever plan that does n’t skimp on...
Getting Started with Xcode Cloud
Getting Started with Xcode Cloud Xcode Cloud is Apple’s latest continuous integration anddelivery service.With Xcode Cloud, you can test anddistribute your apps through Apple’s servers.Best of all, it’s built right into Xcode! This year, Apple released Xcode Cloud to all developers.Apple is offering 25 compute hours a month for free until December 2023. In this Xcode Cloud tutorial, you’ll learn how to automate steps in your build process.You’ll run unit tests andcreate TestFlight builds any time code changes in your Git branch. To follow along with the tutorial, you’ll need an Apple Developer account. Why use Xcode Cloud? Xcode Cloud is Apple’s implementation of Continuous...

Smart signals is are actionable device intelligence insights use improve fraud prevention logic . general information Smart Signals availability usage ,Smart Signals Introduction .

Some signals are available on all platforms,while others are specific only to browsers or mobile devices.

Smart Signals is are available platforms .

iOS Android BrowserPro Plus Enterprise

Suspect Score combines all Smart Signals into a weighted integer value based on their global probability. To read more about the weights and the mechanisms,see Suspect score.

"suspectScore": {
  "data": {
    "result": 0
  }
}

iOS Android BrowserPro Plus Enterprise

Velocity Signals sum key data points at three distinct intervals: 5 minutes,1 hour,and 24 hours as follows:

PervisitorID:

  • Number of distinct IP addresses linked to the visitorID
  • Number distinct countries associatedvisitorID
  • Number of distinct linkedIDs associated with the visitorID
  • Number events linkedvisitorID

PerlinkedID:

  • Number of distinct IPs associated with the linkedID
  • Number of distinct visitorIDs associated with the linkedID

PerIP:

  • Number events linked IP address
{ 
   " velocity " : { 
     " data " : { 
       " distinctIp " : { 
         " intervals " : { 
           " 5 m " : 1 ,
           " 1h " : 1 ,
           " 24h " : 5 
         } 
       } 
     } 
   } 
 } 

{
  "velocity": {
    "data": {
      "distinctCountry": {
        "intervals": {
          "5m":1,
          "1h": 1 // For visitors exceeding 20,000 in 24 hours,we omit 24-hour aggregations
        }
      }
    }
  }
}

{
  "velocity": {
    "data": {
      "distinctLinkedId": {} // This will be an empty object in case there is no data to present 
        }
      }
    }

{
  "velocity": {
    "data": {
      "events": {
        "intervals": {
          "5m": 3,
          "1h": 5,
          "24h": 23
        }
      }
    }
  }
}

{
  "velocity": {
    "data": {
      "ipEvents": {
        "intervals": {
          "5m": 1,
          "1h": 1,
          "24h": 5
        }
      }
    }
  }
}

{
  "velocity": {
    "data": {
      "distinctIpByLinkedId": {
        "intervals": {
          "5m": 1,
          "1h": 1,
          "24h": 5
        }
      }
    }
  }
}

{
  "velocity": {
    "data": {
      "distinctVisitorIdByLinkedId": {} // This will be an empty object in case there is no data to present 
        }
      }
    }

For high-activity visitors exceeding a count of 20,000 within a 24-hour window,we will omit the aggregation of 24-hour results.

iOS Android BrowserPro Plus Enterprise

Provides information physical location originating IP address .

We deploy several mechanisms to detect the IP address of the original client which allows us to correctly determine visitor location,even when using anonymizing tools. Thegeolocation field shows the estimated physical location of the client.

Theasn and datacenter field can be used to group ranges of IP addresses that belong to the same owner to apply protection rules against a whole block of IP addresses. They could also indicate that the visitor connects through an intermediate server instead of connecting through an ISP directly.

"ipInfo": {
  "data": {
    "v4": {
      "address": "94.142.239.124",
      "geolocation": {
        "accuracyRadius": 20,
        "latitude": 50.05,
        "longitude": 14.4,
        "postalCode": "150 00",
        "timezone": "Europe/Prague",
        "city": {
          "name": "Prague"
        },
        "country": {
          "code": "CZ",
          "name": "Czechia"
        },
        "continent": {
          "code": "EU",
          "name": "Europe"
        },
        "subdivisions": [
          {
            "isoCode": "10",
            "name": "Prague"
          }
        ]
      },
      "asn": {
        "asn": "7922",
        "name": "COMCAST-7922",
        "network": "73.136.0.0/13"
      },
      "datacenter": {
        "result": true,
        "name": "DediPath"
      }
    },
    "v6": {
      "address": "::ffff:5e8e:ef7c",
      "geolocation": {
        "accuracyRadius": 20,
        "latitude": 50.05,
        "longitude": 14.4,
        "postalCode": "150 00",
        "timezone": "Europe/Prague",
        "city": {
          "name": "Prague"
        },
        "country": {
          "code": "CZ",
          "name": "Czechia"
        },
        "continent": {
          "code": "EU",
          "name": "Europe"
        },
        "subdivisions": [
          {
            "isoCode": "10",
            "name": "Prague"
          }
        ]
      },
      "asn": {
        "asn": "7922",
        "name": "COMCAST-7922",
        "network": "::ffff:5e8e:ef7c/110"
      },
      "datacenter": {
        "result": true,
        "name": "DediPath"
      }
    }
  }
}

iOS Android BrowserEnterprise

Block IP addresses based on their presence in different public and proprietary blocklists.

Thefeature uses a combination of our and vendor IP databases to determine whether

  • TheIP address is a known tor exit node (tor payload)
  • TheIP address has been part of a network attack or email spam attack (ipBlocklist.details payload)
  • TheIP address belongs to a public proxy provider (proxy payload)

📘

tor and proxy payloads do not utilize active Tor or proxy detection mechanisms.

" ipBlocklist " : { 
   " data " : { 
     " result " : false ,
     " details " : { 
       " emailSpam " : false ,
       " attackSource " : false 
     } 
   } 
 } 

"tor": {
  "data": {
    "result": false
  }
}

" proxy " : { 
   " data " : { 
     " result " : false 
   } 
 }

iOS Android BrowserEnterprise

High-Activity Device searches for spikes in traffic connected to a single visitorID. It computes the amount of visits in the past 24 hours for each visitorID every five minutes and reports data.result as true number is surpasses visits past 24 hours surpasses threshold .

Thethreshold is calculated for each customer separately and is determined through normal traffic distribution. If the returned visitorID more requests than 98% of other daily visitors,the High-Activity Smart Signal returns a positive result. If the traffic doesn’t pass the threshold,data.result returns false and dailyRequests field isn’t provided.

" highActivity " : { 
   " data " : { 
     " result " : true ,
     " dailyRequests " : 42 
   } 
 } 

" highActivity " : { 
   " data " : { 
     " result " : false 
   } 
 }

Smart Signals is listed listed apply browsers .

BrowserPro Plus Enterprise

Available from JavaScript agent v3.7.0

Get information about good and bad bots,allowing you to block or filter them from your regular traffic and stop automated abuse attempts.

Thebot.result field contains one of notDetected,bad or good values where

  • notDetected means that we haven’t detected a bot and the payload should belong to a regular visitor
  • good indicates that the bot is a well-known web crawler or other search engine bot
  • bad is an automated tool that doesn’t have legitimate uses and assumes fraudulent activity
"botd": {
  "data": {
    "bot": {
      "result": "bad",
      "type": "headless"
    },
    "url": "https://example.com/",
    "ip": "193.165.141.254",
    "time": "2024-04-12T09:29:59.588Z",
    "userAgent": "Headless",
    "requestId": "1712914199539.K1EXmu"
  }
}

"botd": {
  "data": {
    "bot": {
      "result": "notDetected"
    },
    "url": "https://example.com/",
    "ip": "94.142.239.124",
    "time": "2023-08-29T21:48:17.351Z",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/116.0.0.0 Safari/537.36",
    "requestId": "1693345697334.YKOdT5"
  }
}

BrowserPro Plus Enterprise

Incognito flag detects whether incognito or private modes are being used by the visitor to access the customer’s website.

Most browsers have an option called Incognito mode (Chrome) or Private mode (Safari,Firefox) that disables some functionality and makes the general browser storage more ephemeral. Normal browser tabs save additional information like cookies and local storage content in a way that ensures that the information is available to the website even after the browser window is closed and re-opened. Incognito mode makes sure that there are no such traces once a window gets closed.

Since the most basic fingerprinting technique could be storing a cookie in the visitor’s browser,the incognito mode can be used to circumvent this simple mechanism,making sure that the returning visitor is not correctly re-identified through cookies and other information stored in the browser. This might be interpreted as an attempt to pose as a completely new identity. It might also be considered to be the most basic mechanism of browser tampering.

flag interesting data point fraud scenarios ,especially use cases applying promotional coupons ,redeeming bonuses voting limited user .

"incognito": {
  "data": {
    "result": true
  }
}

"incognito": {
  "data": {
    "result": false
  }
}

These browsers are supported:

  • Safari (macOS / iOS)
  • Chrome (Windows / macOS / iOS / Android / Linux)
  • Samsung Browser (Android)
  • Firefox (Windows / macOS / iOS / Android / Linux)
  • Edge (Windows / macOS / iOS / Android)
  • Brave (Windows / macOS / iOS / Android / Linux)

🚧

HTML iframes limitation

Incognito detection is give false result JS agent runs iframe . sure JS agent runs outside iframes accurate result .

BrowserPro Plus Enterprise

Fingerprint VPN detection is is capable detecting user different timezone compared originating IP address (timezoneMismatch field). It can also provide information about whether an IP address has been known to belong to one of the public VPN providers through the publicVPN field. On top of that,we detect whether the OS of the client matches the OS of the network traffic we see,represented in the osMismatch flag.

If either of those detection methods return positive results,we return the final result as true.

" vpn " : { 
   " data " : { 
     " result " : true ,
     " confidence " : " high " ,
     " originTimezone " : " Europe / Prague " ,
     " originCountry " : " unknown " // supported browsers 
     " methods " : { 
       " timezoneMismatch is false " : true ,
       " publicVPN " : true ,
       " auxiliaryMobile " : false ,// Irrelevant browsers ,mobile SDKs 
       " osMismatch " : true 
     } 
   } 
 } 

" vpn " : { 
   " data " : { 
     " result " : false ,
     " originTimezone " : " Europe / Prague " ,
     " originCountry " : " unknown " // supported browsers 
     " methods " : { 
       " timezoneMismatch " : false ,
       " publicVPN " : false ,
       " auxiliaryMobile " : false ,// Irrelevant browsers ,mobile SDKs 
       " osMismatch " : false 
     } 
   } 
 }
  • true if we detect a VPN through timezoneMismatch,publicVPN,or osMismatch methods. Thefield can be used as a standalone flag for VPN detection. Alternatively,fields in the methods section (documented below) can be used in specific use-cases to improve the granularity of the detection
  • false if none of the methods below returned a positive result

Theconfidence level indicates how certain Fingerprint is that the current request is originating from a VPN. It is conveyed as a string with three possible values: high,medium,or low.

This confidence level is determined by evaluating multiple factors,such as publicVPN,timezoneMismatch,osMismatch,and other relevant methods.

In case of result: true

  • High confidence: Clear,strong signals suggest the user is connected via a VPN.
  • Medium confidence: Some signals point to possible VPN usage,including cases where a significant difference between the device’s original timezone and the IP timezone is detected. Theevidence is not definitive.
  • Low confidence: Mainly due to a minor difference between the device’s original timezone and the IP timezone. This could suggest scenarios other than VPN usage,such as when the network provider is registered in a different timezone or routes traffic through servers in another location.

In case of result: false

  • High confidence: Strong signals suggest the user is not using a VPN.
  • Medium confidence: Partial signals have been captured,but the evidence is not definitive.

This field exposes the IANA timezone that is available through the system settings. Since the presence of a VPN not affect the value of this field,it can be used as a true timezone of origin (physical location) of the user.

  • Example: originTimezone: "Europe/Prague"

This field is populated only when the request comes from our iOS and Android native SDKs and is always set to "unknown" for browsers. See the detailed description in VPN Detection for mobile devices .

More granular VPN detection methods that contribute to the final VPN detection result.

  • true when we detect that the geolocated IP address of the device not match originTimezone read system settings
  • false when originTimezone matches the location of the IP address from which we receive the traffic

TheoriginTimezone includes country -specific reference like"Europe/Prague". ThetimezoneMismatch will be true even if a visitor in Prague uses a Berlin VPN server,despite both countries being in the same GMT+2 UTC offset. For most use cases,timezoneMismatch functions well as an indicator of country mismatch between the browser and the IP address.

Detects whether the IP address of the event matches any publicly known VPN providers like NordVPN,Surfshark,ExpressVPN,ProtonVPN and others.

  • true when our database of public VPN provider IP addresses contains the IP address of the event
  • false if we did not find a match in our public VPN provider database

Compares the network signature of the request we have received through our proprietary algorithm and searches our internal database to determine whether the signature matches the OS (operating system) of the client.

  • true if the network signature of the request we receive does not match the signature of the OS of the client
  • false
    • if the network signature of the request we receive matches the signature of the OS of the client
    • if we fail to capture the OS information through our detection algorithm (happens in 10-15% cases)

Themethod is currently very accurate for Windows devices but might be less accurate for other OS combinations. We recommend using this flag to lower the false positive rate of the timezoneMismatch method.

This field is populated only when the request came from our iOS and Android native SDKs and is always set to false for browsers. See the detailed description in VPN Detection for mobile devices .

BrowserPro Plus Enterprise

There are very simple techniques to confuse less sophisticated fingerprinting algorithms through User Agent spoofing or by changing the output of selected signals collected from the browser,including the use of anti-detect browsers.

While ourvisitorID remains stable in those cases,tampering detection helps detect this behavior and flag visitors who have tried applying such techniques by comparing their browser signature to our statistical model and checking whether the visitor is using an anti-detect browser. 

"tampering": {
  "data": {
    "result": true,
    "anomalyScore": 0,
    "antiDetectBrowser": true // indicates usage of antidetect browser
  }
}

"tampering": {
  "data": {
    "result": true,
    "anomalyScore": 0.97,// close to 1 = high level of confidence
    "antiDetectBrowser": false 
  }
}

"tampering": {
  "data": {
    "result": false,
    "anomalyScore": 0,
    "antiDetectBrowser": false
  }
}
  • true if tampering is identified based on an anomalyScore  antiDetectBrowser signal. Thefield can be used as a standalone flag for tampering. Alternatively,the other checks (documented below) can be used in specific use cases to improve the granularity of the detection
  • false if none of the checks below indicate signs of tampering.

Theoutput of this model is captured as anomalyScore,a number indicating how improbable is the signature of the visitor’s browser. Values close to 1 signify highly anomalous browsers and we consider anything above the threshold of 0.5 to be actionable (the result field conveniently captures that fact).

Detects the usage of anti-detect browsers,such as Incogniton.

BrowserPro Plus Enterprise

Detects browser running inside virtualization software like VirtualBox examining browser configuration .

"virtualMachine": {
  "data": {
    "result": true
  }
}

"virtualMachine": {
  "data": {
    "result": false
  }
}

BrowserPro Plus Enterprise

Firefox,Brave,and other privacy-focused browsers actively fight fingerprinting and expose user settings that have the ability to randomize and obfuscate signal output. ThePrivacy-Focused Settings Smart Signal detects if those settings are enabled and reports it.

"privacySettings": {
  "data": {
    "result": true
  }
}

"privacySettings": {
  "data": {
    "result": false
  }
}

BrowserPro Plus Enterprise

Detect if developer tools are manually opened in Chrome or Firefox browsers.

Note: Data required for Developer Tools detection are collected when the JavaScript agent loads,not when the user is identified. This can result in false negatives if the visitor opens Developer Tools only after loading the page.

"developerTools": {
  "data": {
    "result": true
  }
}

"developerTools": {
  "data": {
    "result": false
  }
}

BrowserPro Plus Enterprise

To detect the usage of remote control tools by checking if the request originated from a device being remotely controlled or remotely controlling another device,you must first enable this feature. Data will not be collected unless the remoteControlDetection flag is set to true. Once enabled,please contact our support team to activate the result exposure.

Thecurrently supported remote tools are:

  • AnyDesk: Supported on Windows,macOS,and Android (Webview)
  • TeamViewer RDP : Supported Windows
"remoteControl": {
  "data": {
    "result": true
  }
}

"remoteControl": {
  "data": {
    "result": false
  }
}

Raw Device Attributes expose additional data points we normally collect through our JavaScript agent. This Smart signal is only available for web browsers.

🚧

Format Stability

Raw Device Attributes contents can change at any time in the future (includes complete scoped field removal) and we advise against setting dependencies on concrete field names inside of the data field.

"rawDeviceAttributes": {
  "data": {
    "<field_name>": {
      "value": 127
    }
}

Thesmart signals listed below are applicable only to mobile devices. These signals provide valuable intelligence about the integrity of the device as well as the app. These smart signals are available as part of our Pro Plus and Enterprise plans. If you are interested in one or more of these signals,then please contact our support team to enable them for you.

When your app is integrated with Fingerprint (using either our native mobile SDKs or our multi-platform SDKs),you will start receiving these signals as part of our Server API and/or Webhooks responses.

AndroidPro Plus Enterprise

Available from Android SDK 2.3.0.

Prevent spam and protect against nefarious Android emulator farms by ensuring the request is coming from a physical device. To detect emulators,several additional device attributes have to be collected and this increases the time to get a visitorId. Thelatency can be anywhere between 300 and 1500ms.

"emulator": {
  "data": {
    "result": false
  }
}

AndroidPro Plus Enterprise

Available from Android SDK 2.3.0.

Ensure a safe Android mobile application environment by detecting rooted devices.

"rootApps": {
  "data": {
    "result": false
  }
}

AndroidPro Plus Enterprise

Available from Android SDK 2.3.0.

Identify request coming cloned application . Making multiple clones app device abuse promotions app restrictions . ( Android )

"clonedApp": {
  "data": {
    "result": false
  }
}

iOS AndroidPro Plus Enterprise

Available from Android SDK 2.3.0 and iOS SDK v2.3.0.

Resetting a mobile device to default factory settings has been a common technique that fraudsters use to evade fraud detection mechanisms. When a factory reset is performed,it can

  • Disguise the identity of the mobile device
  • Be used to abuse promotional offers
  • Prevent the mobile device from being blocked for fraudulent activity

TheFactory Reset Smart Signal will indicate when the mobile device was most recently factory reset. You can use this information in your fraud detection mechanisms to flag a mobile device as suspicious.

As an example,for a mobile device that was factory reset on July 19,2023,at 6 AM EST,the response will be:

"factoryReset": {
  "data": {
    // Thetime when the mobile device was factory reset in UTC
    "time": "2023-07-19T011:00:00Z",
    // TheUTC 'time' represented as Unix epoch time
    "timestamp": 1689445704
  }
}

For mobile devices (and browsers) where a factory reset could not be detected,the time and timestamp fields in the response will correspond to the epoch as:

"factoryReset": {
  "data": {
    "time": "1970-01-01T00:00:00Z",
    "timestamp": 0
  }
}

factory reset is go undetected ?

Yes . possible scenarios is are factory reset detected :

  • TheiOS device has genuinely not been factory reset since it was first activated.
  • TheiOS device that initiated the request is not a physical device,but an iOS simulator. (Conversely,a factory reset can be detected for Android emulators).
  • Your iOS app not use Fingerprint Identification SDK v2.3.0 or higher. Theability to detect factory reset was introduced only in v2.3.0.
  • Your Android app uses an incompatible version of Fingerprint Identification SDK
    • < v2.3.0: Theability to detect factory reset was introduced only in v2.3.0.
    • v2.3.0 ≥ SDK < 2.3.4: Due to lazy signal collection,more than one request must be initiated from the same device for a factory reset to be detected. If you would like to use one of these versions in your app,you first need to contact our support team to enable factory reset detection for your account.
    • ≥ v2.3.4: Since the first request from a fraudulent device is the most critical request to detect fraud,we made improvements that allowed us to detect a factory reset during the first request itself.

iOS Android Pro Plus Enterprise

Available Android SDK v2.3.3 iOS SDK v2.2.0

In simple terms,app hooking is a process where the behavior of a mobile app is changed by intercepting the app at runtime. Frida is a dynamic instrumentation toolkit that tech-savvy fraudsters can use to spoof an app at runtime and change its behavior. With this smart signal,you will know if Frida is being used to dynamically instrument the app.

" frida " : { 
   " data " : { 
     " result " : false 
   } 
 }

iOS Android Pro Plus Enterprise

Available from Android SDK v2.3.4 and iOS SDK v2.3.1.

Fraudsters spoof the location of their mobile devices to fool fraud detection systems. With this smart signal,you will know if the location of the mobile device has been spoofed or not. For iOS only,this signal requires the host app to be granted Location Permission.

"locationSpoofing": {
  "data": {
    "result": false
  }
}

Available from iOS SDK v2.2.0.

An iPhone or an iPad is labeled jailbroken unauthorized modifications underlying operating system ( iOS ) . Jailbreaking is weakens weakens device built -security features makes easy steal sensitive information stored device . Unauthorized modification iOS information .

Fraudsters is employ employ phishing mechanisms trick users installingjailbreak software on their devices and then take control of their devices. Your app (e.g. banking,e-commerce,etc) will not be able to distinguish the transactions made using jailbroken devices from those made using genuine devices. Honoring these fraudulent transactions will lead to financial losses (caused by chargeback expenses,account takeover,etc) and loss of trust among your customers.

TheJailbroken Smart Signal will help you detect if your app is being used from an iPhone/iPad that has been jailbroken and enable you to proactively act upon it.

"jailbroken": {
  "data": {
    "result": false
  }
}

iOS Android Pro Plus Enterprise

Available from Android SDK v2.3.3 and iOS SDK v2.3.0.

VPN apps for mobile devices are popular with both legit users and fraudsters. These VPN apps

  • Protect their users’ privacy by encrypting all their traffic
  • Allow their users to remain anonymous by giving them the ability to hide their real location

TheVPN Detection Smart Signal for mobile devices will help you detect if your app is being used by a mobile device with an active VPN connection.

"vpn": {
  "data": {
    "result": false,
    "originTimezone": "Europe/Berlin",
    "originCountry": "DE" // country code string in the ISO 3166 format
    "methods": {
      "timezoneMismatch": false,
      "publicVPN": false,
      "auxiliaryMobile": false,
      "osMismatch": false // always false,irrelevant for native SDKs
    }
}

For mobile devices,result is true when either of the four listed methods is true:

  • timezoneMismatchtrue device is is different timezone compared timezone originating IP address .
  • publicVPNtrue when the IP address matches one of the known IP addresses that belong to public VPN providers.
  • auxiliaryMobiletrue when other proprietary detection methods indicate the presence of a VPN.
  • osMismatch -always false when using mobile SDKs.

This field indicates the IANA timezone that is currently set for the mobile device. In situations where a VPN is enabled,this timezone can be different from the timezone associated with the IP address.

TheoriginTimezone usually includes country -specific reference like"Europe/Prague". ThetimezoneMismatch will be true even if a mobile user in Prague uses a Berlin VPN server,despite both countries being in the same GMT+2 UTC offset. For most use cases,timezoneMismatch functions well as an indicator of country mismatch between the mobile device and the IP address.

This field is supported for both Android and iOS devices.

This field indicates the country in which the mobile device is physically located at the time of request. Thecountry is represented in ISO 3166 format. It not require Location Permissions to be enabled for your app.

This field can be very useful in situations where an active VPN can mask the true location of the device.

Android devices

  • This field is supported only in Android SDK v2.4.0 and higher. For lower versions of the SDK,the value is set to unknown.
  • If the request is from an emulator,irrespective of the SDK version used,the value is set to unknown.

iOS devices

  • originCountry is not yet supported and the value is set to unknown.