SDK signature
Adjust’s SDK signature is an anti-spoofing solution. The library fortifies the connection from the Adjust SDK to Adjust’s servers with a proprietary mangling algorithm and uses obfuscation and security checks to guarantee its own integrity.
The SDK Signature library is designed to be easy to integrate and to work seamlessly with the Adjust SDK without the need for any extra code.
How does it work?
The SDK signature library isn't an anti-cheating engine. It can't protect against user-level fraud such as exploitation of bugs in the app, modifications made to resources outside the original app, or app logic errors.
When the Adjust SDK sends information to Adjust's servers, the information is encrypted using TLS (Transport Layer Security), an industry standard encryption protocol for web traffic. While TLS prevents bad actors from reading your information, it doesn't prevent them from sending fraudulent install or event data to your app endpoint.
The SDK Signature library protects SDK connections to Adjust's servers using a proprietary mangling algorithm combined with obfuscation and security checks to ensure that Adjust's servers reject any information being sent by another party. The server checks all requests to ensure they have a valid signature. Any information that is unsigned or signed with an invalid signature is rejected, ensuring that you only receive valid information.
Get started
The SDK Signature library is bundled in SDK v5 by default. Installation is required in SDK v4 only.
The SDK Signature library is available for Android, iOS, and Unity. To integrate the library:
- (SDK v4 only): Download the SDK Signature library for your platform from GitHub.
- Follow the integration guide for your platform.
  If you use Flutter, Cordova, or React Native, follow the instructions for iOS and Android to add SDK Signature library support for each platform. Other multi-platform frameworks are not supported.
- Test your configuration and verify your integration works.
Manage your certificate fingerprints
Certificate fingerprints are required only for apps that target Android.
Once you integrate the SDK Signature library into your app, all requests sent by the Adjust SDK to Adjust are signed. The Adjust SDK will also transmit relevant information to Adjust’s servers, including the fingerprint of your signing certificate.
To get your certificate fingerprints, follow the documentation for your platform.
You must add the fingerprints of your signing certificates to the allowlist. If no fingerprints are added to the allowlist, traffic from your app can be spoofed.
Add signatures in the Adjust Suite
Once you’ve obtained your certificate fingerprints, do the following to add them to your allowlist:
- Select your app in AppView to open the app details screen.
- Select the Protection tab.
- Select the Edit button on the Suspicious installs section.
- Under the Android fingerprinting section, select New fingerprint.
- Paste the fingerprint into the text box that appears.
- Select Add.
- Repeat these steps for each fingerprint you want to add to the allowlist.
That’s it! Your fingerprint is now allowlisted for your app.
If you update your signing certificates, you must update your certificate fingerprints in Adjust.
You can deactivate a fingerprint if it’s no longer in use.
- Select your app in AppView to open the app details screen.
- Select the Protection tab.
- Select the Edit button on the Suspicious installs section.
- Under the Android fingerprinting section, find the fingerprint you want to deactivate.
- Select Deactivate.
Traffic containing the deactivated fingerprint is rejected as suspicious.
Add signatures using the Automate API
If you use the Automate API to manage your apps, you can set up your Android signatures using the /app endpoint. Follow the Automate API instructions for setting up Android signatures to add your signatures to your application using the Automate API. Signatures added using this method are automatically appended to the allowlist.
Enforce signature validation
Once you’ve integrated the SDK Signature library in your app, you need to enforce the use of signatures in Adjust. If the signature isn’t enforced, all SDK requests are accepted without validation.
Adjust doesn’t enforce signature validation automatically. This gives your users time to download and open the updated version of your app, which has the signature integrated, so that their installs are still recorded.
Adjust recommends that you wait for approximately 2 attribution windows before enforcing the SDK signature.
For example: With Adjust's default 7-day window, you should wait for 14 days before enforcing the SDK signature. This allows a user who previously downloaded your app, but only just opened it, to still be credited with an install despite not carrying the signature.
Follow these steps to enforce signature validation.
- Select your app in AppView to open the app details screen.
- Select the Protection tab.
- Select the Edit button on the Suspicious installs section.
- Toggle Reject suspicious installs to enforce signature validation.
Manage your secret IDs
A Secret ID is an identifier used to uniquely identify an app using a specific version of the Signature library on a specific platform. Secret IDs are generated by Adjust when signed requests are sent by the Adjust SDK.
You can control which secret IDs are considered and which are discarded. By default, all secret IDs are active. If you set a secret ID to inactive while signature validation is enforced, all requests sent from your app with the corresponding SDK Signature library version and platform are rejected.
Adjust recommends deactivating a secret ID if:
- It is no longer contributing to your install reporting.
- You have fully released a new version of your app (across all app platforms and stores).
Deactivating a secret ID takes immediate effect. When the SDK Signature is enforced, app installs reported with a deactivated secret ID are rejected and categorized under Untrusted Devices. Adjust will continue to track sessions and events for these devices, but this information will only be visible in your dashboard or reports if you are using the Adjust Fraud Prevention Suite.
To manage your secret IDs:
- Select your app in AppView to open the app details screen.
- Select the Protection tab.
- Select the Edit button on the Suspicious installs section.
- Under the Secrets section, perform one of the following actions:
  - Select Deactivate to deactivate a selected secret ID.
  - Select Edit to change the name of the selected secret ID.
You can see your deactivated IDs by toggling Show deactivated secret IDs.
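The acceptance rules described in the sections above (enforcement toggle, signature check, secret ID state, fingerprint allowlist), modelled as an added example that is not Adjust's code. HMAC-SHA256 stands in for the proprietary signing algorithm; `AppPolicy`, `evaluate`, the request fields, the rejection of unknown secret IDs and unlisted fingerprints, and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

@dataclass
class AppPolicy:
    """Hypothetical model of the per-app protection settings described above."""
    enforce: bool = False                              # "Reject suspicious installs" toggle
    secrets: dict = field(default_factory=dict)        # secret ID -> (key, active)
    fingerprints: dict = field(default_factory=dict)   # fingerprint -> active

def sign(key: bytes, payload: bytes) -> str:
    # Stand-in only: HMAC-SHA256 takes the place of the proprietary algorithm.
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def evaluate(policy: AppPolicy, request: dict) -> str:
    """Return 'accept' or 'reject:<reason>' for one SDK request."""
    if not policy.enforce:
        return "accept"                    # not enforced: accepted without validation
    signature = request.get("signature")
    if not signature:
        return "reject:unsigned"
    entry = policy.secrets.get(request.get("secret_id"))
    if entry is None:
        return "reject:unknown-secret-id"
    key, active = entry
    expected = sign(key, request["payload"])
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return "reject:invalid-signature"
    if not active:
        return "reject:deactivated-secret-id"
    # An empty allowlist means the fingerprint is never checked (spoofable).
    listed = policy.fingerprints.get(request.get("fingerprint"), False)
    if policy.fingerprints and not listed:
        return "reject:fingerprint-not-allowlisted"
    return "accept"

# Constructed sample values, not real Adjust identifiers or keys.
KEY = b"constructed-demo-key"

def make_request(key=KEY, fingerprint="FP-RELEASE", signed=True):
    payload = b"activity=install&app=demo"
    req = {"payload": payload, "secret_id": "android-1", "fingerprint": fingerprint}
    if signed:
        req["signature"] = sign(key, payload)
    return req

if __name__ == "__main__":
    policy = AppPolicy(enforce=True, secrets={"android-1": (KEY, True)},
                       fingerprints={"FP-RELEASE": True, "FP-OLD": False})
    for req in (make_request(), make_request(signed=False),
                make_request(key=b"guessed"), make_request(fingerprint="FP-OLD")):
        print(evaluate(policy, req))
```

With `enforce=False`, or with `fingerprints` left empty, the same forged requests come back as `accept`, which is the gap the enforcement and allowlist steps close.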
Update the library
The SDK Signature library is bundled in SDK v5 by default when you integrate it through dependency managers. That means that refreshing the dependencies will fetch the latest version of the library.
You don't need to do any app alterations beyond swapping the library. To update the SDK Signature library, follow these steps:
- Follow the update guide for your platform.
- Test your configuration and verify that your update works. Follow the testing guide for your platform.
Other multi-platform frameworks are not officially supported unless bundled by SDK v5. To update the SDK Signature library for multi-platform frameworks, you can follow the instructions for iOS and Android. Testing for multi-platform frameworks is agnostic.