OM SDK v1.6 introduces device attestation to combat device spoofing. Device spoofing is a form of Invalid Traffic (IVT) where device information is misrepresented in ad measurement data. The feature uses the industry-standard Privacy Pass protocol, allowing supported client devices to assert their authenticity in a privacy-preserving way. See the Open Measurement Device Attestation Implementation Guidance for details.
On Fire TV devices, attestation is powered by the com.amazon.privacypass library. This library is prebuilt into Fire TV’s operating system. OM SDK references it via a uses-library manifest entry, allowing it to load at runtime. On non-Fire TV devices, OM SDK detects the library’s absence and skips attestation gracefully.
To compile against the library’s APIs, the OM SDK codebase includes a stub JAR (com.amazon.privacypass.jar). This stub contains interface definitions only. It is declared as a compileOnly dependency, ensuring it is not included in the final OM SDK binary (AAR).
Integrators either consume OM SDK as an AAR or embed OM SDK source directly. In the first case, integrators need to take no action. The AAR declares the necessary uses-library and uses-permission manifest entries, which merge into their application manifest automatically. In the second case, integrators need to add com.amazon.privacypass.jar as a compileOnly dependency in their build.gradle and add the corresponding uses-library and uses-permission declarations in their AndroidManifest.xml manually.
Integrators can use OM SDK without any licensing conflicts. The com.amazon.privacypass SDK is licensed under Amazon’s Program Materials License Agreement (PMLA), which grants a royalty-free, limited license for developing, testing, and promoting products. As long as the default behavior of excluding Amazon’s code from the integrator’s binary is not changed (i.e., the stub JAR remains a compileOnly dependency), no redistribution of Amazon code occurs, and integrators are not subject to PMLA terms.
Q1. What is device attestation?
Device attestation is a verification mechanism that can be used to confirm that a device is authentic. In digital advertising, it prevents device spoofing, a form of Invalid Traffic (IVT), where device information is misrepresented in ad measurement data to fake valuable devices for monetization. See the Open Measurement Device Attestation Implementation Guidance for details.
Q2. How does device attestation work in OM SDK?
During OM SDK initialization, the SDK automatically detects whether the device supports attestation. When an ad session begins, it notifies verification scripts of the available capabilities by adding a supportedAttestationMechanisms field to the session start event. Verification partners can then request attestation for that session. Behind the scenes, the device cryptographically proves its authenticity using the Privacy Pass protocol — a privacy-preserving standard that verifies device authenticity without exposing any user-identifiable information.
Q3. What are the benefits of device attestation?
Device attestation allows measurement partners to validate that ad impressions are being served on genuine devices, protecting against inventory spoofing. The feature is privacy-preserving. It is also designed to have no side effects on the integration: there is zero binary size impact, zero integration effort required from app developers, and no licensing conflicts.
Q4. What happens if attestation fails?
No impact on ad delivery or application behavior. OM SDK handles attestation failures gracefully. The ad session continues normally. All other OM SDK measurements remain fully functional.
Q5. Is the com.amazon.privacypass library distributed separately?
No. The com.amazon.privacypass library is built into the Fire TV operating system and is not distributed separately.
Q6. What is the com.amazon.privacypass.jar included with the OM SDK codebase, and why is it needed?
The com.amazon.privacypass.jar is a stub JAR containing interface definitions only. It does not contain any actual implementation code. It is included in the OM SDK codebase because OM SDK needs to compile against the APIs of the com.amazon.privacypass library. The stub JAR is declared as a compileOnly dependency, ensuring it is used only during compilation and never shipped with the application.
Q7. What is the licensing for com.amazon.privacypass?
The com.amazon.privacypass SDK is licensed under Amazon’s Program Materials License Agreement (PMLA), which grants a royalty-free, limited license for developing, testing, and promoting products. As long as the default behavior of excluding Amazon’s code from the integrator’s binary is not changed (i.e., the stub JAR remains a compileOnly dependency), no redistribution of Amazon code occurs, and integrators are not subject to PMLA terms, allowing integrators to use OM SDK without any licensing conflicts.
Q8. How do I verify that the com.amazon.privacypass stub JAR is not included in my application?
Integrators using OM SDK as an AAR do not have access to the stub JAR and hence need to take no action. Integrators embedding OM SDK source directly must add com.amazon.privacypass.jar as a compileOnly dependency in their build.gradle.
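One way to run that check on a built artifact, as an added example that is not part of OM SDK or the original guidance: it scans a JAR, AAR or APK for classes in the com.amazon.privacypass package, counting only classes a DEX file defines rather than ones it merely references. The script name check_stub.py is hypothetical, and the code assumes the standard one-DEX-per-file layout.

```python
import io
import struct
import sys
import zipfile

PREFIX = "com/amazon/privacypass/"  # package of the stub JAR named on the page


def dex_defined_classes(dex: bytes):
    """Yield names of classes *defined* in a DEX file (its class_defs table).
    Referenced-only types also sit in the string table, so a byte search
    for the package name would report false positives."""
    string_ids_off, = struct.unpack_from("<I", dex, 0x3C)
    type_ids_off, = struct.unpack_from("<I", dex, 0x44)
    defs_size, defs_off = struct.unpack_from("<II", dex, 0x60)
    for i in range(defs_size):
        class_idx, = struct.unpack_from("<I", dex, defs_off + 32 * i)
        desc_idx, = struct.unpack_from("<I", dex, type_ids_off + 4 * class_idx)
        pos, = struct.unpack_from("<I", dex, string_ids_off + 4 * desc_idx)
        while dex[pos] & 0x80:  # skip the ULEB128 length prefix
            pos += 1
        end = dex.index(b"\x00", pos + 1)
        yield dex[pos + 1:end].decode("utf-8", "replace")[1:-1]  # drop 'L' and ';'


def find_bundled_stub(archive: bytes, where: str = ""):
    """Return paths of com.amazon.privacypass classes shipped in a JAR, AAR or APK."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            here = f"{where}!{name}" if where else name
            if name.endswith(".class") and name.startswith(PREFIX):
                hits.append(here)
            elif name.endswith(".jar"):  # classes.jar or libs/*.jar inside an AAR
                hits += find_bundled_stub(zf.read(name), here)
            elif name.endswith(".dex"):  # classes*.dex inside an APK
                hits += [f"{here}!{c}" for c in dex_defined_classes(zf.read(name))
                         if c.startswith(PREFIX)]
    return hits


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_stub.py <app.apk | sdk.aar | sdk.jar>")
    with open(sys.argv[1], "rb") as fh:
        found = find_bundled_stub(fh.read())
    print("\n".join(found) or "no com.amazon.privacypass classes bundled")
    sys.exit(1 if found else 0)
```

Run it on the artifact you publish or on an unminified build, since a code shrinker may rename classes that were bundled by mistake.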
Q9. Do integrators consuming the OM SDK AAR need to take any action to support device attestation?
No action is required. The OM SDK AAR already declares the necessary manifest entries, which merge into your application manifest automatically:
<!-- Automatically merged from OM SDK -->
<uses-library
    android:name="com.amazon.privacypass"
    android:required="false" />
<uses-permission
    android:name="com.amazon.privacypass.ATTEST" />
Q10. What if an integrator is including OM SDK source directly instead of using the AAR?
Integrators embedding OM SDK source directly require some manual actions:
Step 1: Add com.amazon.privacypass.jar as a compileOnly dependency in build.gradle. Integrators must use compileOnly as it ensures the stub is available during compilation but is not bundled in the application:
dependencies {
    compileOnly files('libs/com.amazon.privacypass.jar')
}
Step 2: Add the following to AndroidManifest.xml:
<!-- Inside the <application> element -->
<uses-library
    android:name="com.amazon.privacypass"
    android:required="false" />
<!-- Directly under the root <manifest> element -->
<uses-permission
    android:name="com.amazon.privacypass.ATTEST" />
Q11. What if an integrator’s clients include OM SDK directly as well as through the integrator’s SDK?
There is no conflict. The integrator’s SDK does not include the stub JAR due to the compileOnly dependency scope, so there is no duplication or conflict.
Q12. Do measurement partners need to update their verification scripts?
Only if they wish to use device attestation. Verification scripts need to be updated to read the supportedAttestationMechanisms field from the session start event and invoke the attest() API to request attestation. No changes are required if a verification partner does not intend to use device attestation. Existing functionality remains unaffected.
Q13. What if an integrator is not deploying on Fire TV devices?
No action is required. OM SDK checks for com.amazon.privacypass availability at runtime and gracefully skips attestation on non-Fire TV devices.
If you prefer to explicitly remove the dependency, use Android’s manifest merger:
<!-- Requires xmlns:tools="http://schemas.android.com/tools" on the root <manifest> element -->
<uses-library
    android:name="com.amazon.privacypass"
    tools:node="remove" />
<uses-permission
    android:name="com.amazon.privacypass.ATTEST"
    tools:node="remove" />
This ensures the library is not referenced or loaded in your build, including on Fire TV devices.
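A check for the manifest outcomes described in Q9, Q10 and Q13, as an added example that is not part of OM SDK or the original guidance: it classifies a merged AndroidManifest.xml by how it declares the two attestation entries. The state labels, the function name and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
LIBRARY = "com.amazon.privacypass"
PERMISSION = "com.amazon.privacypass.ATTEST"

# Constructed sample of a merged manifest; the package name is a placeholder.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-permission android:name="com.amazon.privacypass.ATTEST" />
  <application>
    <uses-library android:name="com.amazon.privacypass" android:required="false" />
  </application>
</manifest>
"""


def attestation_manifest_state(manifest_xml: str) -> str:
    """Classify how a merged AndroidManifest.xml declares the attestation entries."""
    root = ET.fromstring(manifest_xml)
    # <uses-library> belongs under <application>, <uses-permission> under <manifest>.
    libs = [e for e in root.findall("application/uses-library")
            if e.get(ANDROID + "name") == LIBRARY]
    has_permission = any(e.get(ANDROID + "name") == PERMISSION
                         for e in root.findall("uses-permission"))
    if not libs and not has_permission:
        return "removed"      # the tools:node="remove" outcome from Q13
    if not libs or not has_permission:
        return "incomplete"   # one entry present without the other
    # android:required defaults to "true", and a required library that the
    # device lacks blocks installation, so only an explicit "false" is safe.
    if any(e.get(ANDROID + "required", "true") != "false" for e in libs):
        return "required"
    return "optional"         # matches the entries shown on the page


if __name__ == "__main__":
    print(attestation_manifest_state(SAMPLE_MANIFEST))
```

A result of "required" or "incomplete" on a build that embeds OM SDK source usually means the Step 2 entries in Q10 were copied only in part or placed under the wrong element.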
Q14. Are there reasons to exclude this JAR?
Only if you are building a mobile-only application and want to explicitly remove the manifest entries. To do so, use Android’s manifest merger as described above. Otherwise, there is no downside to keeping it. The dependency has zero binary size impact and is silently ignored on non-Fire TV devices.