php – Use Admob Server-Side Validation (got hacked)-ThrowExceptions

Exception or error:

I would like to use Admob’s server-side validation. I am already using a postback URL to my server entered in the Ad Unit Dashboard.

However, I’ve recently discovered that there are some users “hacking” / spoofing the client-side check for Rewarded Video Ads and somehow sending tons of verifications to Google pretending they did watch the Video Ads.

So, I am now wondering whether these docs can help me. However, I am not sure how to verify the Google request in PHP then. Everything on that page looks like client-side code to me, while I would like to continue using my server to receive the confirmation from Google and add the user reward in my database.

On top of that, how does this server-side validation work at all? As described, just using a URL without verifying the signature and key_id, I got tons of fake validations due to users making Google believe they had watched the rewarded video ad.

EDIT:

Here is my full code used for the RewardedVideos.

So, that’s how I initialize the SDK on App launch.

MobileAds.initialize(this, "ca-app-pub-my-id");

adRequest = new AdRequest.Builder()
        .addTestDevice("SOME ID")
        .addTestDevice("ANOTHER ID")
        .build();

And here I load the Rewarded Video Ad before displaying it

currentActiveRewardedVideoAd.setCustomData("some String");

switch (ad) {
    case 150:
        currentRewardedVideoAdID = "ca-app-pub- id 1";
        break;
    case 175:
        currentRewardedVideoAdID = "ca-app-pub- id 2";
        break;
    case 200:
        currentRewardedVideoAdID = "ca-app-pub- id 3";
        break;
}

currentActiveRewardedVideoAd.loadAd(currentRewardedVideoAdID, adRequest);

And here is my client-side reward

@Override
public void onRewarded(RewardItem rewardItem) {
    // Reward user
}

So now what the “hackers” did is that they got my “some String” custom data and sent it to Google as a “Rewarded Video finished” call. So, Google sends me tons of callbacks (I checked the origin with reverse DNS), making my server reward those users.

Therefore, please tell me how to implement these docs and especially how to do that on my server side, as I can’t find any server code on that page.

How to solve:

https://developers.google.com/admob/android/rewarded-video-ssv#use_rewardedadsverifier_from_tink

Use RewardedAdsVerifier from Tink

The Tink GitHub repository includes a RewardedAdsVerifier helper class to reduce the code required to verify a rewarded video SSV callback. Using this class alongside the Tink third-party cryptographic library enables you to verify a callback URL with the following code.

// use this code in your onRewarded function (execute it in the background without affecting the UI)
import com.google.crypto.tink.apps.rewardedads.RewardedAdsVerifier; // from Tink's apps/rewardedads module

RewardedAdsVerifier verifier = new RewardedAdsVerifier.Builder()
    .fetchVerifyingPublicKeysWith(
        RewardedAdsVerifier.KEYS_DOWNLOADER_INSTANCE_PROD)
    .build();
String rewardUrl = ...; // your reward URL here
verifier.verify(rewardUrl); // throws GeneralSecurityException if the signature does not check out

In development, point the reward URL at a test page where you can save all the POST & GET requests, to test what values you are getting.

If the verify() method executes without raising an exception, the callback URL was successfully verified.

According to the docs you will get values something like this:

https://www.myserver.com/path?ad_network=54…55&ad_unit=12345678&reward_amount=10&reward_item=coins&timestamp=150777823&transaction_id=12…DEF&user_id=1234567&signature=ME…Z1c&key_id=1268887

ad_network=5450213213286189855 // AdMob ad network ID

In MySQL, make a UNIQUE KEY over these columns so that only unique values are stored:

timestamp,transaction_id,user_id,signature,key_id
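The answer shows only the Java/Tink call, while the question asks for the check on the PHP server. The following is an added example, not code from the question, the answer or Google: it verifies the callback signature with PHP's OpenSSL functions. It assumes the key file shape (`keys[].keyId`, `keys[].pem`) of Google's verifier-keys.json and Tink's rule that the signed content is everything before `&signature=`; the key pair and the callback values in the self-check are constructed, reusing the key_id and parameter values from the sample URL above.

```php
<?php
// Added example, not from the question or Google's docs: verify an AdMob rewarded-video
// SSV callback in PHP. Key shape follows verifier-keys.json; signed content follows Tink.
// Production key set; fetch periodically and cache it, never on every callback.
const ADMOB_SSV_KEYS_URL = 'https://www.gstatic.com/admob/reward/verifier-keys.json';

// Turn the verifier-keys.json document into a key_id => PEM public key map.
function load_admob_keys(string $json): array
{
    $keys = [];
    foreach (json_decode($json, true)['keys'] ?? [] as $k) {
        $keys[(string) $k['keyId']] = $k['pem'];
    }
    return $keys;
}

// $query: raw query string as received ($_SERVER['QUERY_STRING']). The signed content is
// everything before "&signature="; the signature is a DER ECDSA (P-256/SHA-256) value in
// web-safe base64 without padding, and key_id selects the Google public key.
function verify_admob_ssv(string $query, array $keys): bool
{
    $pos = strpos($query, '&signature=');
    if ($pos === false || $pos === 0) {
        return false;                                // unsigned, or nothing was signed
    }
    parse_str(substr($query, $pos + 1), $tail);      // signature=...&key_id=...
    $sig = $tail['signature'] ?? null;
    $kid = $tail['key_id'] ?? null;
    if (!is_string($sig) || !is_string($kid) || !isset($keys[$kid])) {
        return false;                                // unknown key_id: refresh keys, reject
    }
    $b64 = strtr($sig, '-_', '+/');
    $der = base64_decode($b64 . str_repeat('=', (4 - strlen($b64) % 4) % 4), true);
    $pub = openssl_pkey_get_public($keys[$kid]);
    return $der !== false && $pub !== false
        && openssl_verify(substr($query, 0, $pos), $der, $pub, OPENSSL_ALGO_SHA256) === 1;
}

// Self-check with a constructed P-256 key pair standing in for Google's key (key_id 1268887
// and the parameter values are taken from the sample URL in the answer).
$kp   = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1']);
$keys = load_admob_keys(json_encode(['keys' => [['keyId' => 1268887,
    'pem' => openssl_pkey_get_details($kp)['key']]]]));
$content = 'ad_network=5450213213286189855&ad_unit=12345678&reward_amount=10&reward_item=coins'
         . '&timestamp=150777823&transaction_id=ABCDEF&user_id=1234567';   // constructed
openssl_sign($content, $der, $kp, OPENSSL_ALGO_SHA256);
$good = $content . '&signature=' . rtrim(strtr(base64_encode($der), '+/', '-_'), '=') . '&key_id=1268887';
$bad  = str_replace('reward_amount=10', 'reward_amount=999', $good);       // tampered amount
echo 'genuine:  ', var_export(verify_admob_ssv($good, $keys), true), PHP_EOL;
echo 'tampered: ', var_export(verify_admob_ssv($bad, $keys), true), PHP_EOL;
```

A valid signature only proves the callback came from Google, so the handler must still check ad_network, ad_unit and reward_amount against what it expects and reject a repeated transaction_id (the unique key above). Whether percent-encoded values such as custom_data must be decoded before verification is an assumption not settled here; compare against Tink's RewardedAdsVerifier if such values appear in your callbacks.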
