Server-to-server attribution checklist

Server-to-server (S2S) attribution and session tracking requires a custom in-app solution that replicates the Adjust SDK’s basic functionality. Our S2S attribution checklist provides a rundown of the requirements for your in-app solution. Meeting these requirements guarantees the security of the information Adjust receives and the accuracy of what we report.

Before you begin

Explore the Adjust SDK's minimal extent of code required for attribution and session tracking. Integrating this code into your app is Adjust’s preferred method of attribution and session tracking. The code is easy to integrate and provides the functionality that your custom solution will have to replicate.

Follow the guides linked below to see the basic integration steps.

📖 Android / iOS / Windows / Adobe Air / Unity / Cordova / Marmalade / Xamarin / Cocos2d-x / React Native / Titanium / Corona

Checklist overview

Adjust’s server-to-server attribution checklist covers 5 requirements under 3 key areas (data integrity and security, advertising and device IDs, and third-party integrations). Every item is fundamental to accurate attribution and session tracking. Your in-app solution will have to reproduce the Adjust SDK’s basic functionality, which meets these requirements by default.

1. Maintain security and integrity

You must guarantee the security and integrity of the information your app creates, collects, and sends to your server by securing your requests and buffering information locally.

Secure app-to-server requests

Mobile app install fraud is prevalent within our industry and has cost marketers billions of dollars. The first essential step to defending against mobile app install fraud is to secure your app-to-server requests. If you cannot guarantee your data’s security, Adjust cannot know whether the information we receive from your server is legitimate or not. This leaves you vulnerable to fraudulent data within your reporting.

If you do not meet this requirement, you are susceptible to spoofed installs in your reporting and expenditure, which can negatively impact your ad budget. If you cannot guarantee the security of your requests, an s2s integration is heavily discouraged.

How does Adjust secure installs?

Buffer information locally

Users might open your app for the first time (i.e., an install in Adjust) or trigger sessions while their device is offline. Accurate attribution is impossible if offline activity never reaches our servers.

If you don’t meet this requirement any short outages, e.g., 4G handovers, or longer periods without network or WiFi coverage will result in data loss. In total, 10–20% of installs do not reach Adjust upon first attempt. If Adjust does not receive this data, we have to attribute on the data we do have, rather than what actually occurred.

How does Adjust buffer information?

2. Collect and create advertising and device IDs

Android’s Google Play Store advertising ID (GPS_ADID) and iOS’s ID for advertisers (IDFA) are both advertising IDs. The device user can easily reset, or disable access to, both of these IDs. Therefore, Adjust also relies on device IDs and Universally unique identifiers (UUIDs) (iOS only) for attribution and session tracking. Both of these IDs cannot be reset by the end user without resetting their device.

Gather every possible advertising and device ID

Advertising IDs are resettable. Deliberate, repeated resetting of advertising IDs is common (e.g., to cheat in-app reward systems). Also, around 15% of users on iOS have limit ad tracking (LAT) enabled, thereby disabling access to their IDFA. For these reasons, Adjust relies on additional IDs to accurately attribute and continuously track in-app sessions.

If you don’t meet this requirement every session recorded without a previously tracked advertising ID or without an advertising ID (all LAT-enabled users on iOS) will be attributed as a new install.

How does Adjust collect IDs?

Generate a universally unique identifier and persist it to the device keychain (iOS)

When users reset their advertising ID, uninstall and reinstall your app, or enable LAT, Adjust will not be able to retrieve their IDFA and/or IDFV. To continuously track users’ in-app sessions, Adjust relies on a permanent, locally generated UUID persisted to the device keychain. We map the UUID to other device information. This allows us to seamlessly track the user’s in-app activity when:

  • A user enables LAT
  • A user resets their advertising ID
  • Adjust does not receive the original advertising ID and/or ID for vendors (IDFV) on iOS

If you don’t meet this requirement any reporting is likely to include installs originating from device farms, where advertising IDs are continuously reset to simulate fresh installs. Any user who enables LAT will be attributed as a new install upon each session.

How does Adjust manage UUIDs?

3. Third-party integrations and additional data

Critical information required for attribution to Apple Search Ads, the Google Play Store and third-party app stores (e.g., Amazon Appstore) can only be collected within your app through third-party integrations.

You must support the following:

This information, collected within your app, must also be forwarded to Adjust immediately upon receipt to be considered for attribution. 

Collect the necessary data for attribution across all sources

Adjust relies on the information sent through these integrations for accurate and comprehensive attribution and deeplink reattribution.

Without the Google Play Store referrer, Adjust will be unable to attribute:

  • Over 50% of Android installs
  • All Google organic search installs
  • Any third-party app store installs

Additionally, click injection filtering will not work. This will leave you vulnerable to a major source of mobile ad fraud on Android. Furthermore, without the instruction set for Dalvik VM, we will not know if installs originate from virtual devices.

Without the Apple Search Ads attribution API, Adjust will be unable to attribute:

  • Apple Search Ads installs

How does Adjust collect the necessary attribution data?