I imagine the possible values for that field is quite vast as it is set into the gpx file by the recording device, not by Strava. I'm not sure this is an ideal solution to your challenge, I believe legitimate activities could be created with no listed device as well. I also don't think it guarantees accuracy, as there are activities uploaded that are categorized incorrectly, accidentally (or intentionally), such as recording a drive and listing it as a ride. I don't know the details of your program or how much the stakes are if rewarding a few fake or accidental activities. You could have various requirements, like heart rate data, or specific devices, or you could just check that the device field isn't blank, but again that doesn't necessarily mean it wasn't a real activity. There is built in moderation and flagging into Strava, fake and incorrect activities do exist, but there are mechanisms to report them. I don't know how your program would deal with activities that have been removed / flagged after they were created.
after some experimentation "StravaGPX" in the device_name is fairly common if you download a GPX file and try to edit it and upload it again, so we will block that! Unfortunately there are many GPX editors out there, that produce valid GPX files which can be uploaded to "fake" an activity
It sounds like you're building a great rewards app with Strava, but the manual upload feature does pose a challenge for preventing cheating. The device_name field in the DetailedActivity could give some clues, but since it's just a string, it doesn't guarantee reliable detection of manually uploaded GPX files. Unfortunately, it’s not an exhaustive or foolproof way to detect tampering, as the values can vary widely based on the device or app used to generate the file.
You might want to combine this with other indicators, like suspiciously uniform GPS data or unrealistic activity metrics. Also, checking for missing data that would usually be captured by a fitness tracker (e.g., heart rate or cadence) might help flag questionable entries. However, it’s tricky, and there may not be a 100% foolproof method.