Set up SDK Signature

Adjust’s SDK Signature protects you from SDK spoofing. This occurs when fraudsters send fake requests to the servers of attribution companies and app publishers. 

The Adjust SDK communicates with Adjust’s servers using encrypted communication channels, that is, HTTPS. However, this data can be intercepted and read by fraudsters to then generate illegitimate installs and subsequent activity. 

To combat this problem, the Adjust SDK submits a unique digital signature with each incoming install request. This lets our servers verify the validity of every reported install and reject fraudulent install activity. 

With the Adjust SDK Signature enforced, you can be confident in the accuracy and security of your attribution dataset.

How does it work?

When the Adjust SDK sends information to Adjust's servers, the information is encrypted using TLS (Transport Layer Security), an industry-standard encryption protocol for web traffic. While TLS prevents bad actors from reading your information, it doesn't prevent them from sending fraudulent install or event data to your app endpoint.

By adding a cryptographic signature to the data the SDK sends, you can ensure that Adjust's servers reject any information being sent by another party. The server checks all requests to ensure they have a valid signature. Any information that isn't signed is rejected, ensuring that you only receive valid information.

Before you begin

Here's what you need to know before getting started.

Availability

  • SDK Signature is available to all Adjust customers.
  • To implement an SDK Signature in your app, contact your Technical Account Manager or support@adjust.com.

SDK setup

This feature requires Adjust SDK v4.12 or later.

⚙️ iOS / Android / Unity / Cordova / Flutter / Titanium / Corona / Cocos2d-x / React Native

Important:
By default, SDK Signature is not enforced for new apps. This means you are not protected from spoofed installs. We recommend you enforce the Signature only once you are sure all incoming valid installs carry the signature.

Set up the SDK Signature

When you set up the SDK Signature, each SDK communication package is "signed". This lets Adjust’s servers easily detect and reject any install activity that is not legitimate. 

You need to contact your Technical Account Manager or support@adjust.com to set up the SDK signature for your app.

Enforce the SDK Signature

Before enforcing the SDK Signature, all installs are accepted. Once you enforce SDK Signature, Adjust servers immediately reject all install requests that do not carry the unique Signature or carry an invalid Signature.

Adjust server behavior:

  • Enforce toggle OFF: Accepts ALL installs.
  • Enforce toggle ON: Accepts ONLY installs with a valid secret. Rejects installs with no secret or those carrying an invalid secret.

When to enforce

Once you have implemented the SDK Signature, incoming installs will carry a unique Signature that the Adjust server uses to verify the validity of incoming install requests. It is recommended that you wait for approximately 2 attribution windows before enforcing the Signature.

Example: With Adjust's default 7-day window, you should wait for 14 days before enforcing the SDK Signature. This allows a user who previously downloaded your app, but only just opened it, to still be credited with an install — despite not carrying the signature. 

Note:
It can take longer than two attribution windows for all installs to carry the Signature. For example, this happens if you add the SDK Signature and gradually release an app update over one month. In this instance, allow time after the final release date for all installs to be coming from the new app version.

Steps to enforce

To enforce the signature, follow these steps.

  1. Under AppView, select All apps.
  2. Select your app.
  3. Select the Protection tab.
  4. Under the SDK Signature section, select Open SDK Signature.
  5. Turn on the Enforce SDK Signature toggle.

Manage your App Secrets

Old App Secrets that are no longer in use and that relate to outdated versions of your app should be deactivated. Reach out to your Technical Account Manager or to support@adjust.com to proceed with a deactivation request.

Tip:
Only analysts should determine when to deactivate an App Secret. This should not be an app development decision.

Deactivate an App Secret

Adjust recommends deactivating an App Secret if:

  • It is no longer contributing to your install reporting.
  • You have fully released a new version of your app (across all app platforms and stores).
  • You suspect an internal data breach and that your App Secret has been disclosed to outside parties.

Deactivating an App Secret takes immediate effect. When the SDK Signature is enforced, app installs reported with a deactivated App Secret are rejected and categorized under Untrusted Devices. Adjust will continue to track sessions and events for these devices, but this information will be visible in your dashboard or reports if you are using the Adjust Fraud Prevention Suite.
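
The accept/reject behavior described under "Enforce the SDK Signature" and "Deactivate an App Secret", as an added sketch that is not Adjust's code. HMAC-SHA256 over a fixed field list stands in for Adjust's signature scheme, which this page does not describe; the field names, secret IDs and keys are constructed for illustration.

```python
import hashlib
import hmac

# Constructed App Secrets keyed by a hypothetical secret ID (not real values).
APP_SECRETS = {
    1: {"key": b"constructed-secret-v1", "active": False},  # deactivated old secret
    2: {"key": b"constructed-secret-v2", "active": True},
}
# Assumed set of request fields covered by the signature.
SIGNED_FIELDS = ("app_token", "device_id", "created_at", "activity")


def canonical(payload):
    """Serialize the signed fields in a fixed order so both sides hash the same bytes."""
    return "\n".join(f"{k}={payload.get(k, '')}" for k in SIGNED_FIELDS).encode()


def tag_for(payload, key):
    """HMAC-SHA256 tag over the canonical form (stand-in for the real scheme)."""
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


def sign(payload, secret_id, secrets=APP_SECRETS):
    """SDK side: attach the secret ID and the tag to the outgoing request."""
    tag = tag_for(payload, secrets[secret_id]["key"])
    return {**payload, "secret_id": secret_id, "signature": tag}


def verdict(request, secrets=APP_SECRETS):
    """Server side: classify the request's signature, independent of enforcement."""
    if "signature" not in request or "secret_id" not in request:
        return "missing signature"
    secret = secrets.get(request["secret_id"])
    if secret is None:
        return "invalid signature"
    expected = tag_for(request, secret["key"]).encode()
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected, str(request["signature"]).encode()):
        return "invalid signature"
    return "valid" if secret["active"] else "deactivated secret"


def check_install(request, enforce, secrets=APP_SECRETS):
    """Return (accepted, verdict). With enforce off, every install is accepted."""
    status = verdict(request, secrets)
    return (status == "valid" or not enforce), status
```

Keeping the verdict separate from the enforce decision lets you count missing and invalid signatures while the toggle is still off, which is the evidence for deciding when enforcing is safe.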

FAQs

What is a digital signature?

What is an App Secret?

What is the difference between an invalid and a missing signature?