Set up SDK Signature
Adjust’s SDK Signature protects you from SDK spoofing. This occurs when fraudsters send fake requests to the servers of attribution companies and app publishers.
The Adjust SDK communicates with Adjust’s servers using encrypted communication channels, that is, HTTPS. However, this data can be intercepted and read by fraudsters to then generate illegitimate installs and subsequent activity.
To combat this problem, the Adjust SDK submits a unique digital signature with each incoming install request. This lets our servers verify the validity of every reported install and reject fraudulent install activity.
With the Adjust SDK Signature enforced, you can be confident in the accuracy and security of your attribution dataset.
When the Adjust SDK sends information to Adjust's servers, the information is encrypted using TLS (Transport Layer Security), an industry standard encryption protocol for web traffic. While TLS prevents bad actors from reading your information, it doesn't prevent them from sending fraudulent install or event data to your app endpoint.
By adding a cryptographic signature to the data the SDK sends, you can ensure that Adjust's servers reject any information being sent by another party. The server checks all requests to ensure they have a valid signature. Any information that isn't signed is rejected, ensuring that you only receive valid information.
Here's what you need to know before getting started.
- SDK signature is available to all Adjust customers.
- To implement an SDK Signature in your app, contact your Technical Account Manager or firstname.lastname@example.org
This feature requires Adjust SDK v4.12 and later.
When you set up the SDK Signature, each SDK communication package is "signed". This lets Adjust’s servers easily detect and reject any install activity that is not legitimate.
You need to contact your Technical Account Manager or email@example.com to set up the SDK signature for your app.
Before enforcing the SDK Signature, all installs are accepted. Once you enforce SDK Signature, Adjust servers immediately reject all install requests that do not carry the unique Signature or carry an invalid Signature.
Once you have implemented the SDK Signature, incoming installs will carry a unique Signature that the Adjust server uses to verify the validity of incoming install requests. It is recommended that you wait for approximately 2 attribution windows before enforcing the Signature.
Example: With Adjust's default 7-day window, you should wait for 14 days before enforcing the SDK Signature. This allows a user who previously downloaded your app, but only just opened it, to still be credited with an install — despite not carrying the signature.
To enforce the signature, follow these steps.
- Under AppView, select All apps.
- Select your app.
- Select the Protection tab.
- Under the SDK Signature section, select Open SDK Signature.
- Turn on the Enforce SDK Signature toggle.
Old App Secrets that are no longer in use and that relate to outdated versions of your app should be deactivated. Reach out to your Technical Account Manager or to firstname.lastname@example.org to proceed with a deactivation request.
Adjust recommends deactivating an App Secret if:
- It is no longer contributing to your install reporting.
- If you have fully released a new version of your app (across all app platforms and stores).
- You suspect an internal data breach and that your App Secret has been disclosed to outside parties.
Deactivating an App Secret takes immediate effect. When the SDK Signature is enforced, app installs reported with a deactivated App Secret are rejected and categorized under Untrusted Devices. Adjust will continue to track sessions and events for these devices, but this information will be visible in your dashboard or reports if you are using the Adjust Fraud Prevention Suite.