Privacy-preserving attribution in use or tracking fully disclosed

Privacy-preserving attribution via SKAdNetwork (external apple-skadnetwork) allows iOS ad campaigns to measure install effectiveness without requiring individual user tracking. Apps that have ad SDKs but neither SKAdNetwork configured nor ATT properly implemented are relying on IDFA-based cross-app tracking with no fallback — meaning they generate zero attribution data for the majority of users who deny ATT consent (typically 60–80% on consumer apps). This is both a compliance gap (GDPR Art.25 data protection by design, CCPA §1798.120) and a business problem: campaigns cannot be measured for most of your iOS users.

Add SKAdNetworkIdentifiers for your ad networks to Info.plist. Each ad network publishes its own identifier:

<key>SKAdNetworkItems</key>
<array>
  <dict>
    <key>SKAdNetworkIdentifier</key>
    <string>cstr6suwn9.skadnetwork</string>
  </dict>
</array>

For GDPR contexts, integrate the Google UMP (User Messaging Platform) SDK before initialising AdMob in EU contexts. SKAdNetwork attribution works for all users regardless of ATT status — it is the recommended baseline. If you also read IDFA for full tracking, ensure ATT is properly implemented as a separate layer on top.

• ID: app-store-privacy-data.tracking-advertising.privacy-preserving-attribution
• Severity: medium
• What to look for: Check whether the app uses privacy-preserving attribution mechanisms. For iOS: look for SKAdNetworkItems in Info.plist or app.json — this is the privacy-preserving attribution framework Apple recommends. Count the network entries. For Android: look for Privacy Sandbox (Topics API, Attribution Reporting API) references, or PrivacySandboxSdk in build.gradle. If neither is present but ad SDKs ARE present, this suggests the app relies entirely on IDFA-based cross-app tracking (which requires ATT). Look for: SKAdNetwork.registerAppForAdNetworkAttribution() call in the app; ad SDK initialization documentation for whether the SDK defaults to SKAdNetwork. Also check for Google's ConsentDebugSettings (UMP SDK) presence, which indicates proper GDPR/consent management for European users. Note: this is not a pass/fail on whether privacy-preserving methods are used — it flags if the app has ad SDKs but NO privacy-preserving approach and relies entirely on full tracking.
• Pass criteria: App either uses privacy-preserving attribution (SKAdNetwork, Privacy Sandbox) OR uses full IDFA-based tracking with proper ATT consent and full disclosure in nutrition labels. At least 1 implementation must be verified. Either approach is valid when properly implemented.
• Fail criteria: App has ad SDKs but has neither privacy-preserving attribution configured nor ATT properly implemented — suggesting it relies on IDFA without consent infrastructure.
• Skip (N/A) when: No advertising or attribution SDKs detected.
• Detail on fail: "AdMob and AppsFlyer detected but no SKAdNetworkItems in Info.plist and ATT implementation is incomplete — app appears to rely on IDFA without proper consent or fallback" or "No SKAdNetworkIdentifiers configured — App Store attribution will not function for campaigns if ATT is denied"
• Remediation: Privacy-preserving attribution allows your ad campaigns to measure effectiveness without requiring users to consent to tracking.
  1. Add SKAdNetworkIdentifiers for your ad networks to Info.plist:

     <key>SKAdNetworkItems</key>
     <array>
       <dict>
         <key>SKAdNetworkIdentifier</key>
         <string>cstr6suwn9.skadnetwork</string> <!-- Google -->
       </dict>
     </array>
     

  2. Each ad network publishes its own SKAdNetworkIdentifier — check their documentation
  3. For GDPR compliance, integrate the Google UMP (User Messaging Platform) SDK before initializing AdMob in EU contexts