SDK signature

Adjust’s SDK signature is an anti-spoofing solution. The library fortifies the connection from the Adjust SDK to Adjust’s servers with a proprietary mangling algorithm and uses obfuscation and security checks to guarantee its own integrity.

The SDK Signature library is designed to be easy to integrate and to work seamlessly with the Adjust SDK without the need for any extra code.

How does it work?

When the Adjust SDK sends information to Adjust's servers, the information is encrypted using TLS (Transport Layer Security), an industry standard encryption protocol for web traffic. While TLS prevents bad actors from reading your information, it doesn't prevent them from sending fraudulent install or event data to your app endpoint.

The SDK Signature library protects SDK connections to Adjust's servers using a proprietary mangling algorithm combined with obfuscation and security checks to ensure that Adjust's servers reject any information being sent by another party. The server checks all requests to ensure they have a valid signature. Any information that is unsigned or signed with an invalid signature is rejected, ensuring that you only receive valid information.

Get started

The SDK Signature library is available for Android, iOS, and Unity. To integrate the library:

1. Download the SDK Signature library for your platform from GitHub.
2. Follow the integration guide for your platform.
   • iOS
   • Android
   • Unity

1. Test your configuration and verify your integration works.

Manage your certificate fingerprints

Once you integrate the SDK Signature library into your app, all requests sent by the Adjust SDK to Adjust are signed. The Adjust SDK will also transmit relevant information to Adjust’s servers, including the fingerprint of your signing certificate.

To get your certificate fingerprints, follow the documentation for your platform.

• Android
• Unity

Add signatures in the Adjust Suite

Once you’ve obtained your certificate fingerprints, do the following to add them to your allowlist:

1. Select your app in AppView to open the app details screen.
2. Select the Protection tab.
3. Select the Edit button () on the Suspicious installs section.
4. Under the Android fingerprinting section, select New fingerprint.
5. Paste the fingerprint into the text box that appears.
6. Select Add.
7. Repeat these steps for each fingerprint you want to add to the allowlist.

That’s it! Your fingerprint is now allowlisted for your app.

You can deactivate a fingerprint if it’s no longer in use.

1. Select your app in AppView to open the app details screen.
2. Select the Protection tab.
3. Select the Edit button () on the Suspicious installs section.
4. Under the Android fingerprinting section, find the fingerprint you want to deactivate.
5. Select Deactivate

Traffic containing the deactivated fingerprint is rejected as suspicious.

Add signatures using the Automate API

If you use the Automate API to manage your apps, you can set up your Android signatures using the /app endpoint. Follow the Automate API instructions for setting up Android signatures to add your signatures to your application using the Automate API. Signatures added using this method are automatically appended to the allowlist.

Enforce signature validation

Once you’ve integrated the SDK Signature library in your app, you need to enforce the use of signatures in Adjust. If the signature isn’t enforced, all SDK requests are accepted without validation.

Adjust doesn’t enforce signature validation automatically. This gives you time to wait for your users to download and open the updated version of your app with the signature integrated to record installs.

Adjust recommends that you wait for approximately 2 attribution windows before enforcing the SDK signature.

For example: With Adjust's default 7-day window, you should wait for 14 days before enforcing the SDK signature. This allows a user who previously downloaded your app, but only just opened it, to still be credited with an install despite not carrying the signature.

Follow these steps to enforce signature validation.

1. Select your app in AppView to open the app details screen.
2. Select the Protection tab.
3. Select the Edit button () on the Suspicious installs section.
4. Toggle Reject suspicious installs to enforce signature validation.

Manage your secret IDs

A Secret ID is an identifier used to uniquely identify an app using a specific version of the Signature library on a specific platform. Secret IDs are generated by Adjust when signed requests are sent by the Adjust SDK.

You can control which secret IDs are considered and which are discarded. By default, all secret IDs are active. If you set a secret ID to inactive while signature validation is enforced, all requests sent from your app with the corresponding SDK Signature library version and platform are rejected.

Adjust recommends deactivating a secret ID if:

• It is no longer contributing to your install reporting.
• You have fully released a new version of your app (across all app platforms and stores).

Deactivating a secret ID takes immediate effect. When the SDK Signature is enforced, app installs reported with a deactivated secret ID are rejected and categorized under Untrusted Devices. Adjust will continue to track sessions and events for these devices, but this information will only be visible in your dashboard or reports if you are using the Adjust Fraud Prevention Suite.

To manage your secret IDs:

1. Select your app in AppView to open the app details screen.
2. Select the Protection tab.
3. Select the Edit button () on the Suspicious installs section.
4. Under the Secrets section, perform one of the following actions:
   • Select Deactivate to deactivate a selected secret ID.
   • Select Edit to change the name of the selected secret ID.

You can see your deactivated IDs by toggling Show deactivated secret IDs.