SDK Signature


What is a digital signature?

A digital signature is a mathematical model used to validate digital messages or documents. In terms of design, a digital signature indicates that the message has been transmitted in complete security and that no information is exposed during the transfer process. When a message is sent over an insecure channel, a correctly used digital signature can be a valid guarantee for the recipient to believe the sender's claim. In other words, through the digital signature the recipient can ensure that the sender has signed the document and that the message is not fake.

What is app secret?

The app secret is a set of 5 numbers that Metrix uses to encrypt crucial and private data when sending SDK traffic to the Metrix server. Metrix can then verify the correctness of installations based on this encrypted value. The important thing about the app secret is that it must be used in plain text format (exactly as you get it from the Metrix dashboard).

To be more effective, we recommend creating a new secret for each of the following:

  • Different platforms (iOS, Android, etc.)
  • Each new version of the application that you release

How can I implement an app secret?

Once you have created your app secret, give it, together with the app secret ID, to your development team to perform the implementation. Read the implementation instructions in the documentation section.

Documents

sdk signature

How do SDK signature data appear in my dashboard?

Fraud installations are displayed in the Fraud Preventions section of your dashboard. Installations that are rejected due to having an invalid signature appear under untrusted devices > invalid structure.

What is the difference between an invalid signature and a missing signature?

A signature is invalid when it does not match the signature that Metrix calculates based on your app secret.

A signature is missing when an application installation arrives on the server without any signature. Installations with a missing signature will only be rejected if the SDK Signature Enforcement option is enabled.
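
The invalid/missing distinction above, as an added illustration (not Metrix code; this page does not describe how Metrix computes the signature). It assumes HMAC-SHA256 over sorted parameters as a stand-in scheme; `sign`, `check_install`, the parameter names and the secret are hypothetical.

```python
import hashlib
import hmac

# Assumption: HMAC-SHA256 over sorted "key=value" pairs stands in for the
# real signature scheme, which this page does not describe.
APP_SECRET = b"constructed-demo-secret"  # constructed value, not a real app secret


def sign(params: dict, secret: bytes) -> str:
    """Compute a signature over the install parameters (hypothetical scheme)."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def check_install(params: dict, signature, secret: bytes, enforcement: bool) -> str:
    """Classify an install as the text describes: valid, invalid or missing."""
    if not signature:
        # Missing signature: rejected only when enforcement is enabled.
        return "rejected_missing" if enforcement else "accepted_unsigned"
    expected = sign(params, secret)
    # Constant-time comparison avoids leaking how many characters matched.
    if hmac.compare_digest(expected.encode(), signature.encode()):
        return "accepted"
    # Invalid: the signature does not match the one computed from the secret.
    return "rejected_invalid"


def demo() -> dict:
    """Run constructed sample installs through the check."""
    install = {"device_id": "constructed-device-1", "installed_at": "1700000000"}
    good = sign(install, APP_SECRET)
    tampered = dict(install, installed_at="1700009999")  # data edited after signing
    return {
        "valid": check_install(install, good, APP_SECRET, True),
        "tampered_data": check_install(tampered, good, APP_SECRET, True),
        "wrong_secret": check_install(install, sign(install, b"guess"), APP_SECRET, True),
        "missing_enforced": check_install(install, None, APP_SECRET, True),
        "missing_not_enforced": check_install(install, None, APP_SECRET, False),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```
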

How can I find out about fraud installations in Metrix tracker?

If an installation is found to be fraud due to an invalid or missing SDK signature, you can be notified via the Metrix real-time callback system. Add {rejection_reason} to your fraud installation callback to get the reason for a fraud installation or re-attribution.

Follow the method below to receive real-time callbacks:

In the Metrix dashboard:

  1. Go to your app and open your app options

  2. Select Settings -> callbacks

  3. Select the edit icon next to rejected install

  4. Enter your URL and add a key-value pair for the rejection reason

    a. Enter a key of your choice: This key can be customized to your server settings

    b. The desired value must be {rejection_reason}

    c. Example: rejected_install_reason = {rejection_reason}

  5. Select the update option.

If an installation is rejected or considered fraud due to an invalid or missing SDK signature, you will receive the following message via callback:

rejected_install_reason=invalid_signature

Note: Missing signatures will only be rejected if the option SDK Signature Enforcement is enabled.

Why should I choose an app secret and signature for SDK traffic?

Although the Metrix SDK communicates with Metrix servers using encrypted communication channels such as HTTPS, this data can be edited and read by fraudsters. The information extracted during such an "attack" can be used to create fraud installations.

This is where the Metrix SDK signature comes in. The way the Metrix SDK calculates a signature based on the app secret (a value that is only available to the app publisher and Metrix) allows Metrix servers to verify all future installations.

If the offender steals important data (such as installation time or device IDs) that is sent during an installation, Metrix servers will identify them and treat the installation as a fraud installation.

We have introduced the SDK signature feature on the Metrix blog. Read more at the following link:

sdk signature