SDK Signature

Adjust’s SDK signature protects you from SDK spoofing. This occurs when fraudsters send fake requests from an app to the servers of attribution companies and app publishers. 

The Adjust SDK communicates with Adjust’s servers using encrypted communication channels, i.e., HTTPS. However, this data can be intercepted and read by fraudsters to then generate illegitimate installs. 

To combat this problem, the Adjust SDK submits a digital signature that lets our servers verify each reported install - and reject fraudulent activity. This signature is created from an app secret generated in the Adjust dashboard, which is a value known only by the app publisher and Adjust. 

With the Adjust SDK Signature enforced, you can be confident in the accuracy and security of your attribution dataset.

Before you begin

Here's what you need to know before getting started. 

Availability

  • This is available to all Adjust customers but does not appear in your dashboard automatically 

    • To implement an SDK signature in your app, contact your Technical Account Manager or support@adjust.com

Requirements

Helpful information

  • By default, the SDK Signature is not enforced for new apps. This means you are not protected from spoofed installs. We recommend enforcing the signature only once you are sure all incoming installs carry the signature. Read more about how and when to enforce the signature in your dashboard.

Set up the SDK signature

When you set up the SDK signature, each SDK communication package is ‘signed’. This lets Adjust’s servers easily detect and reject any activity that is not legitimate. 

There are three steps involved in setting up the SDK signature. 

  1. Create an App Secret
  2. Add the App Secret to your SDK
  3. Enforce the SDK Signature

1. Create an App Secret

To create an App Secret, follow these steps.

In the Adjust dashboard

  1. Find your app and select your app options caret (^)
  2. Select All Settings > SDK Signature
  3. Select CREATE NEW APP SECRET
  4. (Optional) Enter a name for your App Secret
    1. Recommended: enter the app version containing the App Secret and the app store name
  5. (Optional) Enter your developer’s email address to directly send the App Secret to them. The email will contain the app token, App Secret, App Secret version, and a link to the SDK implementation documentation
  6. Select SAVE CHANGES

Great! You’ll now see your App Secret listed.

Note: We recommend creating a new App Secret for:

  • Each app version you release
  • Each different app store (e.g., Google Play Store and Amazon Appstore)
  • Pre-install campaigns

2. Add an App Secret to your SDK

After creating an App Secret, integrate it into the Adjust SDK. Your app can then be submitted to an app store.

To add an App Secret to the SDK, follow the instructions in our developer guides on GitHub.

3. Enforce the SDK signature

Once your App Secret is correctly added to the Adjust SDK, incoming installs carry the signature. However, we recommend waiting a period of approximately 2 attribution windows (e.g., Adjust's default window is 7 days, so you would wait 14 days) before enforcing the SDK signature. This helps ensure that, even if a user downloaded your app earlier in time and only just opened it (counting as an install in Adjust), this install is still credited - despite not carrying the signature. 

Note: In some instances, it may take longer than the recommended 2 attribution windows for all installs to carry the SDK signature. For instance, if you add an app secret to a new app version and gradually release the update over 1 month. Allow time after the final release date for all users to update to this app version. 

When you enforce the SDK signature, our servers will immediately reject all SDK communications that do not carry the unique signature. 

To enforce the signature, follow these steps in the dashboard.

  1. Find your app and select your app options caret (^)
  2. Select All Settings > SDK Signature 
  3. Switch the Enforce SDK signature toggle ON

All set! The SDK signature is now active.

Manage your App Secrets

You can copy, edit, deactivate and reactivate your App Secrets from the dashboard. Select the pencil icon to change your App Secret’s name. Select the power icon to deactivate or reactivate it. 

Note: Only analysts should determine when to deactivate or reactivate an App Secret; this should not be an app development decision.

Deactivate an App Secret

Adjust recommends deactivating an App Secret if:

  • It is no longer contributing to your install reporting
  • You have fully released a new version of your app (across all app platforms and stores)
  • You suspect an internal data breach and that your App Secret has been disclosed to outside parties

Deactivating an App Secret takes immediate effect. You can reactivate a deactivated App Secret at any time.

App installs reported with a deactivated App Secret are rejected and categorized under Untrusted Devices. Adjust will continue to track sessions and events for these devices, but this information will only be visible in your dashboard reporting if you are using the Adjust Fraud Prevention Suite.

Reactivate an App Secret

Adjust generally advises against reactivating App Secrets. It should only be done if: 

  • The App Secret was deactivated accidentally
  • You notice anomalies in your traffic (e.g., a significant and unaccountable drop in installs) after deactivating an App Secret

To view a deactivated App Secret, check the Show deactivated secrets box. Then use the power icon to reactivate it. Your reactivated App Secret will appear within your active list of App Secrets and will retain its original App Secret ID.

Reactivating an App Secret takes immediate effect. Installs rejected during deactivation are not retrospectively added to your historical dashboard data; all installs rejected during deactivation will remain rejected. 

View your statistics

To view your App Secret statistics in the dashboard, follow these steps. 

  1. Find your app and select your app options caret (^)
  2. Select All Settings > SDK Signature
  3. Select VIEW SECRET STATS

On the left-hand side of the graph are your App Secrets. You’ll also see Invalid Secret and No Secret (if any occurred). 

  • Select an App Secret to drill-down and see installs by country or tracker
  • To add an App Secret’s data to the graph, hover over it and select the plus icon (+)
  • To remove an App Secret’s data from the graph, hover over it and select the minus icon (-)

The graph’s solid line represents accepted installs, and the dotted line represents rejected installs. Moving your cursor over the graph lets you see the values for a certain point in time.

Note: Installs that occur while your app’s Adjust SDK is running in the sandbox environment do not display in this graph.

Deactivating an App Secret may be necessary if you suspect an internal data breach. Only analysts should decide when to deactivate an App Secret; you can reactivate a deactivated App Secret at any time.

Grouping (hour, day, week, or month)

Use the grouping filter to alter how many data points appear on your graph. The options available differ depending upon the time frame you have selected.

Selecting Hour provides a data point for every hour of your selected timeframe. This is useful to see how user activity changes depending on the time of day.

By contrast, selecting Month will provide just one data point for every month of your selected timeframe. This provides a broader look at changes in your install activity over time.

Linear or logarithmic

A linear view gives equal weight to data ranges, meaning they take equal amounts of your graph’s y-axis. If you have more activity in the lower ranges than in the upper ranges, the bottom of your graph can be hard to decipher as it is more condensed.

A logarithmic view gives each data range half the space of the data range below it. This means moving up the y-axis each range has progressively less space. Although this provides more space for the lower ranges, it can be misleading.

FAQs

What is a digital signature? 

A digital signature is a mathematical scheme used for authenticating digital messages or documents. By design, a digital signature indicates that a message was submitted securely and that no data was compromised during transmission.

What is an App Secret?

An App Secret is a set of five integers. Adjust uses this value to hash key data points when sending SDK traffic to Adjust’s servers, where Adjust can verify the legitimacy of the installs based on this hash value. The App Secret is instrumental in computing the SDK Signature and only the plain text format (as exported from your Adjust dashboard) can be used to derive it.

What is the difference between an invalid and a missing signature?

A signature is invalid if it does not match the signature Adjust calculates based on your App Secret. This includes fraudulent signatures and signatures calculated from deactivated App Secrets.

A missing signature is when an app install contains no signature whatsoever. Installs without a signature are rejected if the SDK Signature is enforced.
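
The distinction between valid, invalid and missing signatures can be modelled in a few lines. This is an added example, not Adjust's code: Adjust's actual signing algorithm is not described on this page, so HMAC-SHA256 stands in for it, and the secret registry, parameter names and values are all constructed.

```python
import hashlib
import hmac

# Constructed registry: secret ID -> (secret bytes, active flag). All values are made up.
SECRETS = {
    1: (b"constructed-secret-v1", False),  # deactivated
    2: (b"constructed-secret-v2", True),   # active
}


def sign(params: dict, secret: bytes) -> str:
    """HMAC-SHA256 over the parameters in sorted key order (stand-in scheme)."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def classify(request: dict) -> str:
    """Return 'valid', 'invalid' or 'missing' for one install request."""
    if "signature" not in request:
        return "missing"
    params = {k: v for k, v in request.items() if k not in ("signature", "secret_id")}
    secret, active = SECRETS.get(request.get("secret_id"), (b"", False))
    if not active:
        return "invalid"  # unknown or deactivated secret
    expected = sign(params, secret)
    # Constant-time comparison: do not leak how much of the signature matched.
    return "valid" if hmac.compare_digest(expected, str(request["signature"])) else "invalid"


def decide_enforced(request: dict) -> str:
    """Decision with enforcement switched on: only valid signatures pass."""
    state = classify(request)
    return "accepted" if state == "valid" else f"rejected: {state} signature"


def demo() -> dict:
    base = {"app_token": "placeholder-token", "device_id": "constructed-device-1"}
    genuine = dict(base, secret_id=2, signature=sign(base, SECRETS[2][0]))
    # Same signature reused with a different device ID: the data no longer matches it.
    altered = dict(genuine, device_id="constructed-device-2")
    retired = dict(base, secret_id=1, signature=sign(base, SECRETS[1][0]))
    cases = {"genuine": genuine, "altered": altered, "retired": retired, "unsigned": base}
    return {name: decide_enforced(req) for name, req in cases.items()}


if __name__ == "__main__":
    print(demo())
```

The request signed with the deactivated secret is classified as invalid rather than missing, which matches the definition above.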

How can I receive rejected install activity from Adjust?

Receive notifications about rejected installs for an invalid or missing SDK Signature via real-time callback or CSV upload. 

Note: You can only receive callbacks for rejected installs and reattributions if you are using our Fraud Prevention Suite.

Set up real-time callbacks

  1. Find your app and select your app options caret (^)
  2. Select All Settings > Raw Data Export > Real-Time Callbacks
  3. Select Edit (pencil icon) beside rejected install or rejected reattribution
  4. Enter your callback URL and append a key-value pair for the rejection reason
    1. Enter a key of your choosing; this can be customized to your server setup
    2. The value should be {rejection_reason}
    3. Example: rejected_install_reason={rejection_reason}
  5. Select UPDATE

If an install or reattribution has been rejected due to an invalid or missing SDK Signature, you see this in your callback. 

Example: rejected_install_reason=Invalid+signature
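
On the receiving side, the rejection reason arrives URL-encoded, so `Invalid+signature` decodes to `Invalid signature`. The following added example (not Adjust's code) tallies reasons from logged callback URLs; the endpoint URL, the second reason value and the substring match on "signature" are assumptions, and the sample URLs are constructed.

```python
from collections import Counter
from urllib.parse import parse_qs, urlsplit

REASON_KEY = "rejected_install_reason"  # the key chosen in step 4 of the setup

# Constructed callback URLs as a receiving endpoint might log them.
SAMPLE_CALLBACKS = [
    "https://callbacks.example.com/adjust?rejected_install_reason=Invalid+signature",
    "https://callbacks.example.com/adjust?rejected_install_reason=Invalid+signature",
    "https://callbacks.example.com/adjust?rejected_install_reason=constructed_other_reason",
    "https://callbacks.example.com/adjust?unrelated=1",
]


def rejection_reason(url: str, key: str = REASON_KEY):
    """Return the decoded rejection reason, or None if the key is absent or empty."""
    values = parse_qs(urlsplit(url).query).get(key)  # parse_qs turns '+' into a space
    return values[0].strip() if values else None


def tally(urls, key: str = REASON_KEY) -> Counter:
    """Count callbacks per rejection reason."""
    counts = Counter()
    for url in urls:
        reason = rejection_reason(url, key)
        counts[reason if reason else "(no reason supplied)"] += 1
    return counts


def signature_rejections(counts: Counter) -> int:
    """Assumption: signature-related reasons contain the word 'signature'."""
    return sum(n for reason, n in counts.items() if "signature" in reason.lower())


if __name__ == "__main__":
    counts = tally(SAMPLE_CALLBACKS)
    print(counts, signature_rejections(counts))
```

Tracking this count over time shows whether signature rejections change after you enforce the signature or deactivate an App Secret.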

Set up CSV uploads

  1. Find your app and select your app options caret (^)
  2. Select All Settings > Raw Data Export > CSV Upload
  3. Select Select Events for Export
  4. Check rejected install and/or rejected reattribution
  5. In CSV DEFINITION add the {rejection_reason} placeholder

If a rejected install or rejected reattribution event occurs, it will appear in your CSV file upload with the {rejection_reason} column containing Invalid+signature.
