We added an option to use encrypted SDK_IDs when sending events via the Web SDK, iOS SDK or Android SDK, to gain an extra level of security. This will prevent other people from sending irrelevant/rogue events to us using plaintext SDK_IDs (this can be used to generate blasts of event calls that will result in actual campaigns, for example).
This functionality applies only to SDK_IDs that are generated on the server side. It does not apply to VisitorIDs that are generated on the client side.
In order to implement:
- You must have either Optimove Web SDK, iOS SDK or Android SDK implemented
- Request an encryption key from the Optimove Product Integration Team
- Implement SDK_IDs encryption on the customer server side, as shows in the encryption examples:
- Before encryption, the SDK_IDs length supports up to 90 characters only.
- The encrypted SDK_ID must be in a string format.
- Any encrypted SDK_ID that does not correspond to your Optimove unique identifier (Customer ID) due to faulty / unrecognized SDK_IDs will now be excluded from your customer tracked activity. Therefore please make sure that the encrypted SDK_ID sent via the SDK is a recognizable ID.
- You can use additional server-side programming languages. The above are only examples.
- Pass the encrypted SDK_IDs into the setUserId() function in Web SDK, iOS SDK or Android SDK
- Optimove will perform the decryption and process the events
The encryption method we use:
- Authenticated encryption using CBC encryption with initialization vector and HMAC for the authenticating the message.
- HMAC – Hash-based message authentication code