SDK Signature library integration

Adjust’s SDK Signature library is designed to be a standalone plugin for the Adjust SDK. This means you don’t need to change any of your code or change how you use the Adjust SDK in your app. Once you install the plugin, all requests made by the Adjust SDK will continue to work as expected.

Before you begin

To integrate the Signature library into your Android app, ensure the following:

The Android API version in use is 21 or greater.
The Adjust SDK version in use is 4.38.2 or greater. This requirement applies even when the Adjust SDK is used indirectly.
If you use Proguard, you must use the exact same Proguard configuration for both the Signature library and the Adjust SDK.

Migrating from Signature v1 or v2 library

If you previously used Signature v1 or Signature v2, you first need to remove the previous version before integrating the Signature library. To do this:

If you previously integrated Signature v1, remove any code that calls to signature functions in your project.
If you previously integrated Signature v2, remove the Signature v2 library from your project.

The Signature libraries are released on GitHub and are propagated to Maven from version 3.20.1 onwards. To add the Signature library to your project, append the following to your app-level build.gradle (change the version with the latest available):

1
dependencies {
2
   implementation 'com.adjust.signature:adjust-android-signature:x.x.x'
3
}

Alternatively, the Beta releases are available on Maven from version 3.24.1 onwards. To add the Signature library to your project, append the following to your project-level and app-level build.gradle respectively (change the version with the latest available):

1
repositories {
2
        maven {
3
            url "https://oss.sonatype.org/content/repositories/snapshots/"
4
        }
5
...

1
dependencies {
2
   implementation 'com.adjust.signature:adjust-android-signature:x.x.x-SNAPSHOT'
3
}

That’s it! The Signature library is now integrated into your project. Follow the steps in the next section to configure your digital certificates in the Adjust suite.

Fetch from GitHub the latest Stable or Beta version.
Create a new libs directory inside your app module directory.
Copy the provided AAR library into the libs directory.

A screenshot of the directory in Android studio

Open your app-level build.gradle file and add the following:

1
android {
2
   defaultConfig {
3
      ndk.abiFilters 'armeabi-v7a','arm64-v8a','x86','x86_64'
4
   }
5
}
6

7
dependencies {
8
   implementation files('libs/adjust-lib.aar')
9
}

Select Sync Now in the Android Studio popup to synchronize your changes.

That’s it! The Signature library is now integrated into your project. Follow the steps in the next section to configure your digital certificates in the Adjust suite.

Set up your certificates in the Adjust suite

Once you integrate the Signature library into your app, all requests sent by the Adjust SDK to Adjust are signed. The Adjust SDK will also transmit relevant information to Adjust’s servers, including the fingerprint of your signing certificate.

A certificate fingerprint is a cryptographic hash of the public information held within a certificate. It can be used to verify the authenticity of an app.

The Signature library can’t verify the authenticity of your certificate fingerprints. The fingerprints need to be added to an allowlist in the Adjust Suite in order for requests containing them to be accepted by Adjust as authentic. To do this, you need to retrieve the certificate fingerprints and send them to Adjust.

Follow these steps to retrieve and configure your certificate fingerprints:

Test your app

You can verify you have integrated the Signature library into your app using the Adjust Testing Console.

To test your Signature library integration:

Fully delete your app from the test device to ensure the install information is sent.
Forget the device using the Testing Console to clear out all information relating to the device. You can also use the forget_device endpoint by passing your app token and the advertising ID you obtained from the Adjust Insights app. You can use any of the following advertising IDs: adid, android_id, gps_adid, imei, oaid.

The call looks like this:
Terminal window
```
1
$ curl -X POST 'https://app.adjust.com/forget_device?app_token={yourAppToken}&id={adid}'
```
Once you’ve cleared the device from the Testing Console, install the app on your test device and launch it to send install information to Adjust.
Input the test device’s advertising ID into the Testing Console to fetch the install event information. Check the following:
1. The SignatureVerificationResult field should show a value of Valid Signature
2. The SignatureVersion field should show a value of 3

If these fields are present and contain the correct information, you have successfully integrated the Signature library. If the fields display any other values, review the integration steps again or contact support@adjust.com for further assistance.

That’s it! You’ve successfully integrated the Signature library into your app. Once two attribution windows have passed, you can enforce SDK signature validation to make sure that only signed requests are accepted by Adjust.

Updating the Signature Library

Updating the Signature library consists of removing the existing library, integrating a newer version and rerunning your tests. You don’t need to make any immediate changes to your app logic or settings in Adjust. Remember to deactivate your secret IDs if they meet the following criteria:

They’re no longer contributing to your install reporting.
You’ve fully released a new version of your app (across all app platforms and stores).