The Adjust SDK submits a digital signature (computed from an App Secret), to validate installs and protect your dataset from spoofed traffic. Once you have created an App Secret within your Dashboard and implemented it into your Adjust SDK, our Adjust servers will effectively verify the legitimacy of every reported install. With the Adjust SDK Signature, you can be confident that your attribution dataset is accurate and secure.

Notes:

  • This is an opt-in feature: it does not appear in your Dashboard automatically. If you are interested in implementing an SDK signature in your app, contact your account manager or support@adjust.com.
  • This feature requires you to have Adjust SDK version 4.12 or later integrated into your app

1How to create an App Secret

Instructions

In the Adjust Dashboard

  1. Navigate to your app and select your app options caret (^) 2. Select All Settings > SDK Signature
  2. Select CREATE NEW APP SECRET (at the bottom of the module) to generate an App Secret
  3. (Optional) Enter a name for your App Secret in the Name App Secret field
    • Recommended: enter the app version containing the App Secret and the app store name
  4. (Optional) Enter your developer’s email address and press return to directly send the App Secret for implementation within your app. This email will contain the app token, App Secret, and App Secret version, along with a link to the necessary SDK documentation.
  5. Select SAVE CHANGES

Your new App Secret will appear in the list of App Secrets. Each App Secret is assigned a Secret ID, numbered in chronological order, starting at 1.

You can edit the name of an App Secret at any time by selecting the edit (pencil) icon beside the App Secret.

Note: Before the App Secret becomes effective, your app developer must integrate it into your app’s Adjust SDK

2How to integrate an App Secret into your Adjust SDK

Once you have created an App Secret, it must be integrated into the Adjust SDK before app store submission.

Developer instructions can be found in the following GitHub repositories:

3How to deactivate an App Secret

Deactivating an App Secret may be necessary if you suspect an internal data breach. Only analysts should decide when to deactivate an App Secret; you can reactivate a deactivated App Secret at any time.

Instructions

In the Adjust Dashboard

  1. Navigate to your app and select your app options caret (^)
  2. Select All Settings > SDK Signature
  3. Select the deactivate (power) icon beside the App Secret you want to deactivate
  4. Select DEACTIVATE

Deactivating an App Secret takes immediate effect.

Any app install reported with a deactivated App Secret will be rejected and categorized under Untrusted Devices. Adjust will continue to track sessions and events for these devices, but this information will only be visible in your Dashboard reporting if you are using the Adjust Fraud Prevention Suite.

4How to reactivate an App Secret

App Secrets should rarely be reactivated, and only when absolutely necessary—e.g., when you have accidentally deactivated an App Secret or you are noticing inexplicable anomalies in your traffic after deactivation.

Instructions

In the Adjust Dashboard

  1. Navigate to your app and select your app options caret (^)
  2. Select App Settings > App Secrets
  3. Check Show deactivated secrets
  4. Select the activate (power) icon beside the inactive App Secret that you want to reactivate

Your reactivated App Secret will appear within your active list of App Secrets. All reactivated App Secrets retain their original App Secret ID.

Reactivating an App Secret takes immediate effect. Installs rejected during deactivation are not retrospectively added to your historical Dashboard data; all installs rejected during deactivation will remain rejected.

5Best Practices

While App Secrets offer a high degree of flexibility, we’ve outlined our recommendations for their most effective use.

5.1App Secret name

When entering a name for your App Secret, we advise including the related version of your app and the relevant app store.

Example: version 2.3-Play Store

5.2When to create an App Secret

We advise creating an App Secret for every app version you release. We also recommend generating individual App Secrets for different platforms (e.g., iOS, Android, etc.) and stores (e.g., Google Play Store, Amazon app store), and for pre-install campaigns.

5.3When to deactivate or reactivate an App Secret

Note: Only analysts should determine when to deactivate or reactivate an App Secret; this should not be an app development decision.

Deactivating an App Secret

Adjust recommends deactivating an App Secret if it is no longer contributing to your install reporting or if you have fully released a new version of your app (across all app platforms and stores). Otherwise, you could be missing considerable data from your Dashboard reporting and callbacks.

App Secret deactivation is also recommended in the instance that you suspect an internal data breach: if your App Secret has been disclosed to outside parties, it should be deactivated.

Reactivating an App Secret

In general, we advise against reactivating App Secrets. It should only be considered if:

  • The App Secret was deactivated accidentally, or;
  • You are noticing anomalies in your traffic (e.g., a significant and otherwise unaccountable drop in installs) after deactivating an App Secret

6SDK Signature enforcement

By default, SDK Signature enforcement is OFF for all new apps.

SDK Signature enforcement requires installs to have a valid, active App Secret: installs submitted with an invalid or deactivated App Secret will be rejected. Any install submitted without a App Secret (i.e., all earlier app versions) will also be rejected.

Since disabling SDK Signature enforcement allows Adjust to accept installs submitted without an App Secret, user discretion is advised. The SDK Signature enforcement setting only affects installs submitted without an App Secret: installs reported with invalid or deactivated App Secrets will always be rejected, regardless of this setting.

7How to view your App Secret statistics

Instructions

In the Adjust Dashboard

  1. Navigate to your app and select your app options caret (^)
  2. Select All Settings > SDK signature
  3. Select VIEW SECRET STATS

8What you will see in your App Secret statistics

On the left side of the graph, you will see your App Secrets, including Invalid Secret and No Secret, if any such install attempts have been reported. Hover over an App Secret and you can select the plus icon (+) to add that App Secret’s data to the graph. To remove an App Secret’s information from the graph, hover over its name in the left-hand section or above the graph and select the minus icon (-).

On the graph, the solid line represents accepted installs, and the dotted line represents rejected installs.

Please note: Installs that occurred when your app’s Adjust SDK was running in the sandbox environment will not display in this graph.

Moving your cursor over the graph will allow you to see the values for a certain point in time. The date of your current position is displayed directly above the graph, and the value for that point appears next to the colored keys above the date. Hover over one of these sections to isolate the line on the graph.

Select an App Secret in the left-hand section to see its installs broken down by country.

8.1Grouping (hour, day, week, or month)

Located above the graph, this filter allows you to alter how many data points appear on your graph. The options available to you will differ depending on the timeframe you have selected, but there are four in total: Hour, Day, Week, and Month.

By selecting Hour, there will be a data point on the graph for every hour of your selected timeframe. This can be useful if you wish to see how user activity changes depending on the time of day.

At the other end of the scale, selecting Month will provide just one data point for every month of your selected timeframe. This provides a more general look at changes in your install activity over broader expanses of time.

8.2Linear or logarithmic

This filter affects your graph’s y axis display. If you select linear, equal weight will be given to data ranges, meaning they occupy equal amounts of your graph’s y axis. The downside to this view is that, if you have a lot of activity in the lower ranges and little in the upper ranges, it can be hard to tell what is happening at the bottom of your graph, as it appears more condensed.

By selecting logarithmic, each data range will be provided with half the space of the data range below it, so, as you move up the y axis, each data range is provided with progressively less space. This helps to provide more space for the lower ranges to really shine.

Do note that a logarithmic y axis can be misleading, as your lower and upper ranges can appear much closer together than they really are. By switching between the two options, you can develop a full understanding of the data represented.

9FAQs

9.1What is a digital signature?

A digital signature is a mathematical scheme used for authenticating digital messages or documents. By design, a digital signature indicates that a message was submitted securely and that no data was compromised during transmission.

9.2What is an App Secret?

An App Secret is a set of five integers. Adjust uses this value to hash key data points when sending SDK traffic to Adjust’s servers, where Adjust can verify the legitimacy of the installs based on this hash value. The App Secret is so instrumental in computing the SDK Signature that only the plain text format (as exported from your Adjust Dashboard) can be used to derive it.

To be most effective, we recommend creating a new App Secret for:

  • Different platforms (e.g., iOS, Android, etc.) and stores (e.g., Google Play Store, Amazon app store), and;
  • Every new app version release

9.3How do I implement an App Secret?

Once you have created your App Secret, submit it and the App Secret ID to your developer for implementation. Instructions are listed within the relevant Adjust SDK README.

9.4How will this data appear in my Dashboard?

App Secret performance can be reviewed in your App Secret statistics, detailed above.

Rejected installs will appear in the fraud view of your Dashboard statistics. Installs rejected for having an invalid signature are listed under Untrusted Devices > Invalid Signature. If you are not currently using the Adjust Fraud Prevention Suite, then rejected installs will not be visible in your Adjust reporting.

9.5What is the difference between an invalid and a missing signature?

A signature is invalid if it does not match the signature Adjust calculates based on your App Secret. This includes fraudulent signatures and signatures calculated from deactivated App Secrets.

A missing signature is when an app install contains no signature whatsoever. Installs without a signature will only be rejected if SDK Signature enforcement is on.

9.6How can I receive rejected install activity from Adjust?

If an install is rejected for an invalid or missing SDK Signature, you can be notified via Adjust’s real-time-callback system or our Amazon S3 bucket integration. Append a {rejection_reason} placeholder to a rejected install or rejected reattribution callback to receive the reason for a rejected install or reattribution, or add {rejection_reason} to your Amazon S3 bucket CSV definition.

Note: You can only receive callbacks for rejected installs and reattributions if your are using our Fraud Prevention Suite.

Instructions

In the Adjust Dashboard

  1. Navigate to your app and select your app options caret (^)
  2. Select All Settings > Raw Data Export > Real-Time Callbacks
  3. Select the edit (pencil) icon beside rejected install or rejected reattribution
  4. Enter your callback URL and append a key-value pair for the rejection reason:
    • Enter a key of your choosing; this can be customized to your server setup
    • The value should be {rejection_reason}
    • Example: rejected_install_reason={rejection_reason}
  5. Select UPDATE

If an install or reattribution has been rejected due to an invalid or missing SDK Signature, you will receive, e.g., rejected_install_reason=invalid_signature through your callback.

Note: Missing signatures are only rejected when SDK Signature enforcement is on.

Instructions for Amazon S3 bucket exports

In the Adjust Dashboard

  1. Navigate to your app and select your app options caret (^)
  2. Select All Settings > Raw Data Export > CSV Upload
  3. Select Select Events for Export
  4. Check rejected install and/or rejected reattribution
  5. In your CSV DEFINITION, include the {rejection_reason} placeholder

If a rejected install or reattribution event occurs, it will appear in your CSV file upload with the rejection_reason column containing invalid_signature.

9.7Why should I opt-in to App Secrets and signatures for SDK traffic?

Although the Adjust SDK communicates with Adjust’s servers (using encrypted communication channels, i.e., HTTPS), this data can be intercepted and read by fraudsters. The information acquired in such an “attack” can then be used to generate illegitimate installs.

This is where our SDK Signature scheme comes to the rescue. The way our SDK computes a signature from the App Secret, (a value only known by the app publisher and Adjust), allows our servers to verify the legitimacy of all incoming installs.

If a fraudster tampers with important data (e.g., install time or device-specific identifiers) submitted during an install then our servers will detect this and reject the install.