Server-to-server attribution checklist

Server-to-server (S2S) attribution and session tracking requires a custom in-app solution that replicates the Adjust SDK’s basic functionality. Our S2S attribution checklist provides a rundown of the requirements for your in-app solution. Meeting these requirements guarantees the security of the information Adjust receives and the accuracy of what we report.

Note: Adjust supports and encourages S2S in-app event tracking. You can implement it by following these instructions.

Before you begin

  • Explore the Adjust SDK README code: the basic integration section displays the minimal extent of code required for attribution and session tracking. Integrating this code into your app is Adjust’s preferred method of attribution and session tracking. The code is easy to integrate and provides the functionality that your custom solution will have to replicate.

Checklist overview

Adjust’s server-to-server attribution checklist covers 5 requirements under 3 key areas (data integrity and security, advertising and device IDs, and third-party integrations). Every item is fundamental to accurate attribution and session tracking. Your in-app solution will have to reproduce the Adjust SDK’s basic functionality, which meets these requirements by default.
  1. Maintain data security and integrity
    • Secure app-to-server requests
    • Buffer information locally
  2. Collect and create advertising and device IDs
    • Gather every possible advertising and device ID
    • Generate a universally unique identifier and persist it to the device keychain (iOS)
  3. Develop third-party integrations and collect additional data
    • Collect the necessary data for attribution across all sources

Below, we address each of these requirements in three ways:
  • Why it is required
  • What happens if you don’t meet the requirement
  • The Adjust approach

1. Maintain security and integrity

You must guarantee the security and integrity of the information your app creates, collects, and sends to your server by securing your requests and buffering information locally.

Secure app-to-server requests

Why this is required
Mobile app install fraud is prevalent within our industry and has cost marketers billions of dollars. The first essential step to defending against mobile app install fraud is to secure your app-to-server requests. If you cannot guarantee your data’s security, Adjust cannot know whether the information we receive from your server is legitimate or not. This leaves you vulnerable to fraudulent data within your reporting.
What happens if you don’t meet this requirement
You are susceptible to spoofed installs in your reporting and expenditure, which can negatively impact your ad budget. If you cannot guarantee the security of your requests, an s2s integration is heavily discouraged.
The Adjust approach
Adjust secures every install through the Adjust SDK Signature. This signature is a cryptographic hash secured with an App Secret, which is implemented into the Adjust SDK and sent with every reported install. Adjust verifies this hash on every install and denies attribution to any traffic that cannot be verified.

Buffer information locally

Why this is required
Users might open your app for the first time (i.e., an install in Adjust) or trigger sessions while their device is offline. Accurate attribution is impossible if offline activity never reaches our servers.
What happens if you don’t meet this requirement
Any short outages, e.g., 4G handovers, or longer periods without network or WiFi coverage will result in data loss. In total, 10–20% of installs do not reach Adjust upon first attempt. If Adjust does not receive this data, we have to attribute on the data we do have, rather than what actually occurred.
The Adjust approach
The Adjust SDK places all in-app activity in a queue, so it can send the data to our servers when a connection is available.

2. Collect and create advertising and device IDs

Android’s Google Play Store advertising ID (GPS_ADID) and iOS’s ID for advertisers (IDFA) are both advertising IDs. The device user can easily reset, or disable access to, both of these IDs. Therefore, Adjust also relies on device IDs and Universally unique identifiers (UUIDs) (iOS only) for attribution and session tracking. Both of these IDs cannot be reset by the end user without resetting their device.

Gather every possible advertising and device ID

Why this is required
Advertising IDs are resettable. Deliberate, repeated resetting of advertising IDs is common (e.g., to cheat in-app reward systems). Also, around 15% of users on iOS have limit ad tracking (LAT) enabled, thereby disabling access to their IDFA. For these reasons, Adjust relies on additional IDs to accurately attribute and continuously track in-app sessions.
What happens if you don’t meet this requirement
Every session recorded without a previously tracked advertising ID or without an advertising ID (all LAT-enabled users on iOS) will be attributed as a new install.
The Adjust approach
The Adjust SDK collects every legally available advertising and device ID by default. We map these IDs, so, if one is reset, we can match the new ID to other IDs we already have in our system for that user.

Generate a universally unique identifier and persist it to the device keychain (iOS)

Why this is required
When users reset their advertising ID, uninstall and reinstall your app, or enable LAT, Adjust will not be able to retrieve their IDFA and/or IDFV. To continuously track users’ in-app sessions, Adjust relies on a permanent, locally generated UUID persisted to the device keychain. We map the UUID to other device information. This allows us to seamlessly track the user’s in-app activity when:
  • A user enables LAT
  • A user resets their advertising ID
  • Adjust does not receive the original advertising ID and/or ID for vendors (IDFV) on iOS
What happens if you don’t meet this requirement
Any reporting is likely to include installs originating from device farms, where advertising IDs are continuously reset to simulate fresh installs. Any user who enables LAT will be attributed as a new install upon each session.
The Adjust approach
Adjust generates a UUID upon install. This is mapped to other device information on our backend.

3. Third-party integrations and additional data

Critical information required for attribution to Apple Search Ads, the Google Play Store and third-party app stores (e.g., Amazon Appstore) can only be collected within your app through third-party integrations.

You must support the following: This information, collected within your app, must also be forwarded to Adjust immediately upon receipt to be considered for attribution. 

Collect the necessary data for attribution across all sources

Why this is required
Adjust relies on the information sent through these integrations for accurate and comprehensive attribution and deeplink reattribution.
What happens if you don’t meet this requirement
Without the Google Play Store referrer, Adjust will be unable to attribute:
  • Over 50% of Android installs
  • All Google organic search installs
  • Any third-party app store installs
Additionally, click injection filtering will not work. This will leave you vulnerable to a major source of mobile ad fraud on Android. Furthermore, without the instruction set for Dalvik VM, we will not know if installs originate from virtual devices.

Without the Apple Search Ads attribution API, Adjust will be unable to attribute:
  • Apple Search Ads installs
The Adjust approach
The code required for these integrations is readily available in the basic integration section of the Adjust SDK README (Android, iOS). You can also enable deeplink reattribution with the Adjust SDK by following the relevant README section (Android, iOS). Collection of the instruction set for Dalvik VM occurs automatically when the Adjust Android SDK is added to your app.

Additional considerations

Unfortunately, the features listed below are not available with server-to-server attribution and session tracking.

Deferred deeplinking

Deferred deeplinking directs users to the app store to download your app before delivering them to a specific in-app page.

Attribution callbacks

Attribution callbacks allow you to receive attribution information directly within your app from Adjust. You will no longer have to wait for callbacks from your server to carry out in-app logic: your app will know immediately when a user has, e.g., reinstalled your app.

Uninstall and reinstall tracking

Uninstall and reinstall tracking offers elevated insights into your app's retention rates. See which networks drive your most loyal customers and assess churn metrics to refine your retargeting strategies.

On this topic