Ads.txt is headed to the app ecosystem. What form will it take? That’s still shaking out.

The IAB Tech Lab released guidance on Wednesday with several proposals for how to implement Ads.txt within an app environment. Ads.txt is the Tech Lab’s initiative to reduce inventory spoofing and help advertisers distinguish legit supply sources from the imposters.

The desktop and mobile web version of Ads.txt, which lists authorized sellers within a text file hosted on a publisher’s root domain, debuted last June. Since then, more than 2 million publishers have adopted the spec.

But what works for the web doesn’t necessarily work for apps. (Speaking of, who’s tired of hearing “You can’t call it ‘in-app header bidding’ because there’s no header in apps?”)

The most glaring difference between apps and web browsers from an Ads.txt perspective is that apps don’t have a handy web domain where publishers can easily list their seller files, said Dennis Buchheim, SVP and general manager of the IAB Tech Lab.

To get around that, the Tech Lab hopes to piggyback onto a metadata field used by app stores to identify an app within their ecosystem. When developers register an app in iTunes Connect, they create what’s known as a bundle ID, which resembles a reverse URL. The bundle ID for the Apple Pages app, for example, would be “com.apple.pages.” Google uses a similar system within the Play Store.

“The idea is that you can specify the reverse URL with any supply you’re making available through OpenRTB on any inventory, and the app name is embedded in there,” Buchheim said. “It’s like a trail of breadcrumbs that leads you through verifiable sources.”

The only problem with the reverse domain method is that it relies on the app stores playing along, and they aren’t hopping aboard as quickly as the Tech Lab would like.

The app store fields aren’t consistently supported or designed to support Ads.txt. In an ideal world, all three big app stores – Google, Apple and Amazon – would implement or designate a standardized field for in-app Ads.txt and clear up other little barriers.

For example, Apple caps how many times anyone can look up a bundle ID. If you hit that threshold, further requests are rejected. That won’t fly in the OpenRTB ecosystem.

Conversations are furthest along with Google, which is a Tech Lab member. There’s been less progress made with Apple and Amazon, although Buchheim hopes that releasing the specs will light a fire under their collective behinds.

“If there’s a groundswell, the app stores will need to support this,” he said.

But if they don’t or can’t get their act together in a timely enough manner, the IAB Tech Lab has alternative options, such as implementing a standardized API created by a third-party or independent entity to retrieve an app’s identifying metadata. It would also work if the app stores developed an API to support Ads.txt, but it’s a heavier lift to implement and fairly unlikely.

“The main thing is that we want to deploy this as quickly as possible and make it be as similar as possible to deploy for developers as it is for website owners,” Buchheim said. “The field requires the least technical effort, and it’s a secure, enduring mechanism.”

Assuming the Ads.txt-for-apps initiative gets buy-in from the app stores, Buchheim expects rapid adoption among publishers. There might also be a knock-on effect that cleans up the third-party app store ecosystem, most of which is outside the US.

“Ads.txt resulted in a bit of a shakeout on the web, and the same thing could happen here,” he said. “If it takes off for apps, the illegitimate app stores that don’t participate will essentially be waving a flag that says, ‘Don’t work with us.’”

But Ads.txt won’t solve spoofing on its own, whether on the web or in apps. It works best in combo with Ads.cert , an OpenRTB spec set to be released soon that uses cryptographic security tech to verify ad space. Think of Ads.txt and Ads.cert as two-factor authentication for programmatic buying.

“Ads.txt is about authorized resellers and Ads.cert is about authenticating what you think you’re buying,” Buchheim said. “You can go to an authorized Rolex reseller, but suppose the reseller is shady and sells fake Rolexes. You need both to really stamp out fraud in any environment.”