Competitive Intelligence - Weekly Sync
Week 1 - March 31, 2026 · 30 minutes · Weekly cadence
1 · Competitive and Client Testing (Julia) - Key Findings
- Radar / FD WV - rooted Android (hidden root) NOT detected. Retesting from TN with all root-hiding steps confirmed; rooted Android allowed through to bet placement.
- Radar / FD WV - tampered (resigned) iOS app placed bets from TN
Radar failed to detect the modification - unrestricted access from outside the licensed state.
- Radar / FD WV - VMOS Android device farm DETECTED
Radar successfully identified the virtual OS environment. Follow-up validation pending next Android app release. (Note: this regressed on April 7 retest.)
- FanDuel relies on manual state selector - reactive validation, not proactive. TN user initially verified on WV platform. Misleading "account sharing" error messaging risks encouraging illegal workarounds like proxy use. MultiPass eliminates this if they use GeoComply everywhere.
- Radar allows proxy betting - system just asks user to "wait additional time"
2 · Competitive Research (Valeria) - Key Findings
Major vulnerability suspected in xPoint based on the analysed SDK
- Unsigned iOS SDK + findable SDK - client-side coordinate injection
An attacker can patch the app to inject coordinates, placing the user inside a permitted jurisdiction before every compliance check. Architectural exposure, not a fixable bug.
xPoint and Radar are likely vulnerable to Man-in-the-Middle attacks
- We will plan next steps with the engineering team.
- We may need to try to test Man-in-the-Middle attacks on all competitors; this can be a good convincing point of their potential non-compliance, IF CONFIRMED.
- Added security breach information to the Radar document. The publishable API key baked into the Radar app at build time may be a potential vulnerability to replay attacks too.
OpenBet
- Does not seem to have the analysis for rooting, memory modifications, or proxies - a potential breach for rooted devices. A good point of attention for our testing.
3 · End-user Feedback (Valeria) - Key Findings
Full dataset: Social Media Competitive Signals · Reddit + X/Twitter public posts. Monitoring initiated March 2026.
- Xpoint: increasing number of comments about poor location checks. Seeing more poor-location-services comments for PrizePicks and Bet365.
- Should we add KYC feedback to our findings? Clients are finding the Fanatics KYC solution to be too demanding.