Competitive Intelligence — Weekly Sync
📅 Week 1 — March 31, 2026 · ⏱ 30 minutes · 👥 Weekly cadence
1 · Competitive and Client Testing (Julia) — Key Findings
- ✗ Radar / FD WV — rooted Android (hidden root) NOT detected. Retesting from TN with all root-hiding steps confirmed; rooted Android allowed through to bet placement.
- ✗ Radar / FD WV — tampered (resigned) iOS app placed bets from TN
Radar failed to detect the modification — unrestricted access from outside the licensed state. - ✓ Radar / FD WV — VMOS Android device farm DETECTED ✓
Radar successfully identified the virtual OS environment. Follow-up validation pending next Android app release. (Note: this regressed on April 7 retest.) - ✗ FanDuel relies on manual state selector — reactive validation, not proactive. TN user initially verified on WV platform. Misleading "account sharing" error messaging risks encouraging illegal workarounds like proxy use. MultiPass eliminates this if they use GeoComply everywhere.
- ✗ Radar allows proxy betting — system just asks user to "wait additional time"
2 · Competitive Research (Valeria) — Key Findings
Major vulnerability suspected in xPoint based on the analysed SDK
- ✗ Unsigned iOS SDK + findable SDK → client-side coordinate injection
An attacker can patch the app to inject coordinates, placing the user inside a permitted jurisdiction before every compliance check. Architectural exposure, not a fixable bug.
xPoint and Radar are likely vulnerable to Man-in-the-Middle attacks
- We will plan next steps with the engineering team.
- We may need to try to test Man-in-the-Middle attacks on all competitors; this can be a good convincing point of their potential non-compliance, IF CONFIRMED.
- Added security breaches information to the Radar document. Publishable API key baked into app at build time of Radar may be a potential vulnerability to Replay Attacks too.
OpenBet
- Does not seem to have the analysis for rooting, memory modifications, or proxies — a potential breach for rooted devices. A good point of attention for our testing.
3 · End-user Feedback (Valeria) — Key Findings
📊 Full dataset: Social Media Competitive Signals · Reddit + X/Twitter public posts. Monitoring initiated March 2026.
- Xpoint: increasing number of comments about poor location checks. Seeing more poor-location-services comments for PrizePicks and Bet365.
- Should we add KYC feedback to our findings? Clients are finding the Fanatics KYC solution to be too demanding.
4 · What's Next — Plan for Next Week
Field Testing
- Radar / Bet Saracen AR — Assess the effectiveness of Play Integrity API detection against a hidden root device. Assess Radar's ability to detect a tampered iOS app. Conduct the man-in-the-middle testing.
- Radar / FD WV: Device Farm / VMOS (Android) — Retest — verify if Radar identifies the virtual OS environment used to manipulate device integrity; validation scheduled pending the next Android app release.
- Radar / Saracen AR — run the Replay Attack testing
- Fanatics / OpenBet Locator — validate the integration
Betting Hero
- Radar / Saracen AR (web desktop) — perform full validation of the competitor's app
- XPoint / RushStreet DE — conduct validation of the XPoint integration (in progress)
Integrations team
- Request the Replay attacks tests on all competitors ✓
- Mkodo Geolocs research is next in line
- Add 'BIG LOSSES' section to the competitor briefs for Marco