Data Privacy and Security
5 Tips for a Secure, Effective Braze Implementation
If you’ve ever been tasked with implementing a new marketing technology on your app or website, then you know just how important it is to make sound technical decisions from the very beginning. Some of the early decisions engineering teams make during implementation are painful to change later, or even irreversible (for example, which user ID gets sent downstream to other systems), so proceeding with care can do a lot to avoid chronic issues and ensure that your integration does what you need it to.
To help out as you go through that process, we’ve put together a collection of five practical tips that can support an easier, more secure Braze implementation now and for years to come.
1. Choose a Secure and Reliable User ID
Today, it’s normal for consumers to use multiple devices—from laptops and mobile phones to smart watches and over-the-top (OTT) media platforms like Roku or Apple TV—in the course of a single day. For brands, this multi-device, multi-platform reality has made pulling together a holistic view of each user’s engagement an essential part of modern marketing, something that’s often easier said than done.
In Braze, we support this effort by consolidating and merging users across devices and platforms based on the known user ID ("External ID") that your company provides. That allows our customers to carry out cross-device personalization, messaging, and reporting, to support a more cohesive, relevant brand experience wherever their users are engaging.
Given that, choosing an appropriate ID for your users is a critical decision point, one that has the potential to impact your future integrations and the customer experience you provide. This user ID is required any time you’re using our REST API, or when it’s exported—via our Braze Currents high-volume data export feature—to help you use or reconcile Braze data in your other systems, so it needs to be available to the various platforms and software development kits (SDKs) you integrate. So when you’re choosing an identifier, keep these two key principles in mind:
Don’t Use an Easily Guessable Identifier
When you set a current user’s ID (using changeUser) within the Braze platform, our SDKs will automatically request the relevant in-app messages and Content Cards associated with that specific user. That makes it important to ensure that the IDs you use for each user aren’t easily predicted by individuals outside your organization, given the potential data that is exposed.
To avoid tempting hackers and other bad actors, we recommend that you refrain from using external IDs that can be easily guessed by outsiders. That includes auto-increment IDs from your internal databases, public user names that can be found on a user’s profile page, email addresses, or phone numbers. If you’re interested in adding a second layer of security, Braze strongly recommends implementing our platform’s SDK Authentication feature, which we’ll discuss later in this article.
Don’t Use Email Address As an Identifier
I know we just mentioned that using a logged-in user’s email address as their external ID in Braze is a bad idea, but it bears repeating: Seriously, don’t use it!
Using email addresses in this way is a common instinct among brands, but it opens you up to future complications and risks beyond simply being easy for outsiders to guess. For one thing, email addresses are commonly found in breached databases, making it even easier for hostile entities to identify the IDs you’re using.
Another issue? You can’t assume that the email address an individual is using will necessarily be the address they use throughout their tenure as a customer. And while the Braze platform does have an External ID Migration API that will allow you to change their external ID if this situation arises, you’ll likely need days or weeks of engineering resources to resolve the issue.
2. Secure Your Implementation Using SDK Authentication
Our SDKs make it possible for our customers to collect detailed data in Braze about user attributes and engagement within a given brand’s mobile app, website, connected TV app, and more. That makes it possible for our customers to gather data across different platforms in real time, segment their audience in a responsive way, and create, trigger, and deliver campaigns and individualized customer journeys.
But with SDKs playing such a key role in supporting our customers’ engagement efforts, making sure they’re able to do so in a secure way is essential. Brands that fail to secure their SDKs can open themselves up to impersonation attacks on their audience, where a malicious hacker could potentially change your users' preferences or read their sensitive messages. Our SDK Authentication feature, which functions like two-factor authentication for your SDK, is designed to keep your SDKs secure. With SDK Authentication, you can configure each Braze App to require proof that the current user’s ID is authentic and not being impersonated by someone else.
How SDK Authentication Works
In general, when a user logs in, your app will fetch their information—such as their profile picture, session tokens, permissions, feature flags, etc. Accordingly, to use SDK Authentication, all you need to do is generate a JSON Web Token (JWT) Signature using a private key, and then return that signature along with the existing profile info for that user.
Once that happens, our SDKs can take the JWT Signature and forward it along with every related request. That allows us to validate the signature against the public key that you’ve uploaded into the Braze dashboard, adding a significant new layer of security to the process.
The Benefits of SDK Authentication
By enabling SDK Authentication, your brand can control whether or not a given request being made to Braze should be rejected. Once you’ve set it up, the Braze platform will begin monitoring SDK traffic on your behalf, automatically accepting or rejecting requests based on your criteria, and providing real-time graphs that show the number of invalid requests. That, in turn, will prevent individuals from impersonating users with the external ID that you’ve configured.
Getting Started With SDK Authentication
To learn more about Braze SDK Authentication and to kick off the process of implementing, check out our SDK Authentication documentation page.
3. Stay Up To Date on SDK Versions
This recommendation is simple, but it’s something that top-performing brands get right—namely, ensuring that your organization has a plan to stay up to date on the SDK versions you’re using. Doing so helps your app or website make the most of the Braze platform and stay ahead of tomorrow’s security challenges. Failing to do so can limit your ability to take advantage of new features or to respond to time-sensitive changes in the technology landscape.
By updating your SDKs, your brand can unlock the newest features that our engineering teams have worked on, as well as key bug fixes and performance improvements. Plus, ensuring that you’re up to date when it comes to your Braze SDKs makes it significantly easier to troubleshoot any issues you might have with your integration with our award-winning technical support team.
At Braze, we understand that every SDK update takes time away from other work your team could be working on. To streamline things, we’ve moved to Semantic Versioning for our SDKs to make it easier to understand the effort involved with each update. We're also making meaningful updates to our core SDKs, like supporting "tree shaking" for the web, migrating from Java to Kotlin on Android, and releasing a brand new Swift iOS SDK in the upcoming weeks.
4. Use a Tag Manager for Maximum Flexibility
Looking to quickly deploy changes without having to wait weeks or months to secure valuable development resources? One smart way to make that possible is to take advantage of a tag manager. These tools have been the saving grace of many a marketing team, and Braze has made a point of integrating with all the top tag managers, including Google Tag Manager, Segment, mParticle, and more. Three key benefits include:
Supporting Flexible Updates by Marketing Teams
By using a tag manager, your team will be able to make SDK updates more quickly—and, in some cases, you may be able to carry them out without requiring engineering resources. That will make it easier and faster to get access to new features and implement bug fixes and other improvements. Plus, leveraging a tag manager makes it possible to turn different Braze custom events on and off when necessary in order to avoid extraneous data collection.
Allowing More Generic Implementations
If you implement Braze on your app or website alongside other marketing technologies, it’s often possible to benefit from a single generic implementation that uses an existing Data Layer. The upshot? Your marketing team can potentially trigger Braze messaging using existing events without requiring updates in connection with each new marketing campaign.
For example, rather than adding new "purchase tracking" code for each of your third-party vendors, you can instead tell your tag manager that a purchase event occurred, and let it fan out requests to all the tools you're integrated with.
Integrating with Privacy and Consent Management Platforms
Another benefit of tag managers is that they make it easier to integrate with Privacy and Consent Management Platforms. That capability, alongside Braze SDKs, makes it easy to deploy certain types of data collection only when a user consents, especially on websites where cookie and consent banners are widely used. By providing more granular control over what data is and isn’t collected, marketers can often reduce the engineering burden associated with consent management.
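To make the "fan-out" and consent-gating ideas from the last two sections concrete, here is an added example of a minimal data-layer dispatcher of the kind a tag manager provides. It is not Braze’s code or any tag manager’s code: a purchase event is pushed once, and the dispatcher forwards it only to vendor handlers whose consent category the user has granted. The vendor names, consent categories and the `received` bookkeeping are constructed for the illustration.

```javascript
// Added example, not Braze or tag-manager code. Event names, vendor names
// and consent categories are assumptions for the illustration.
const consent = { analytics: false, marketing: false };
const handlers = [];   // { vendor, category, onEvent }
const dataLayer = [];  // constructed stand-in for a page's data layer array

function setConsent(category, granted) {
  consent[category] = Boolean(granted);
}

function registerVendor(vendor, category, onEvent) {
  handlers.push({ vendor, category, onEvent });
}

// Push one event; fan it out to every vendor whose category is consented.
// Returns the vendors that actually received it, so callers can confirm
// nothing reached a vendor without consent.
function pushEvent(event) {
  dataLayer.push(event);
  const delivered = [];
  for (const h of handlers) {
    if (!consent[h.category]) continue;  // no consent, no call
    h.onEvent(event);
    delivered.push(h.vendor);
  }
  return delivered;
}

// Demo wiring: two vendor adaptors that record what they were given. In a
// real page each would call that vendor's SDK (for Braze, its purchase-
// logging call) instead of appending to `received`.
const received = {};
function demoSetup() {
  handlers.length = 0;
  for (const k of Object.keys(received)) delete received[k];
  registerVendor('braze', 'marketing', (e) => {
    (received.braze = received.braze || []).push(e);
  });
  registerVendor('analytics-x', 'analytics', (e) => {
    (received['analytics-x'] = received['analytics-x'] || []).push(e);
  });
}
```

Because consent is checked at dispatch time, flipping a category off after the banner is dismissed stops further collection for that vendor without any change to the page code that emits the event.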
5. Leave Feedback for the Braze SDK Engineering Team
At Braze, our product, design, and engineering organization strives to make implementing and leveraging the Braze platform as straightforward as possible. That said, the mobile, web, and overall digital ecosystem is constantly growing and changing, and any feedback that you and your team have for us is always welcome. In particular, if you have thoughts on how we could improve our SDKs or make other changes that would make developers’ lives easier, feel free to use our Public Roadmap Portal to leave feedback directly with our Product Engineering teams to review or to post in our Braze Bonfire Slack community.
No one can predict the future. But by taking the time to think through and prepare for your Braze implementation before it gets underway, you can avoid potential pitfalls and set yourself and your team up to achieve your business goals.
Curious what's next for Braze SDKs? Check out our 2022 Spring Product Release for more information on the release of next generation SDKs for Android, iOS, and web.
David is a product manager based out of NYC, and works to make our Braze SDKs easy to integrate across our growing number of platforms and channels. Outside of work, you can find David answering support emails for his startup, www.nerdydata.com.