A practical overview of mobile attribution in a privacy-first world, covering Apple’s SKAdNetwork, Google’s Privacy Sandbox and Attribution Reporting API, and the shift from deterministic to probabilistic measurement.
As privacy has become paramount, the paradigm of mobile attribution has changed dramatically. In the past, clear measurement was possible via advertising identifiers such as IDFA and GAID; in today’s world, which prioritizes user privacy, deterministic user identification is no longer feasible.
This article explains the privacy frameworks that define the mobile environment—Apple’s SKAdNetwork (SKAN) and Google’s Privacy Sandbox—and explores how to obtain mobile attribution probabilistically.
In the 1970s, Detroit car salesman Joe Girard sold 13,001 cars over 15 years and was listed in the Guinness Book of World Records as “the world’s greatest salesman.”
His success wasn’t based on the art of selling cars, but on a system that constantly generated customers. He called the people who referred potential buyers to him “bird dogs.” Barbers, restaurant owners, bank tellers—anyone around him could become his bird dog.
His rule was simple: “Send customers my way. If they buy a car, I will immediately send you 25 dollars.”
For this system to work flawlessly, one premise was crucial: he needed to know with absolute certainty, “Who sent this customer?”
When a new customer arrived, Joe Girard would first ask, “Who sent you to me?” If a sale closed, he meticulously recorded it and made sure to send the promised $25 to the referrer.
Just like this story, in the mobile app ecosystem we track which advertising or marketing activities lead to user acquisition or purchases and credit them appropriately. That process is called mobile attribution.
Measuring attribution accurately is critical. You need to know whether the customer came through the barber or the bank teller to determine how much to pay whom.
To answer “Who referred this customer?” mobile platforms provided ad networks with the following information:
Both IDFA and GAID are unique values that can precisely identify a user’s device. Thus, if you know the IDFA or GAID, you can obtain precise mobile attribution.
This deterministic method gave advertisers clear data on which ads brought in which users, providing the foundation for the growth of the mobile advertising ecosystem. But the free lunch is over. With platforms strengthening privacy, deterministic attribution without explicit user consent is no longer possible. Users, like you reading this, no longer agree to provide personally identifying information.
As noted above, Apple no longer provides IDFA without user consent (more precisely, without explicit consent).
From iOS 14 onward, obtaining a device’s IDFA requires explicitly requesting the user’s permission through the AppTrackingTransparency (ATT) framework. If the user declines, the IDFA is zeroed out (000000…) as shown above.
This is a serious problem for advertisers and ad networks alike. Without knowing exactly who saw your ad, you can’t determine through which path a customer was acquired, undermining the core premise of the ad business—“How did you hear about us?”
As an alternative, Apple provides SKAN (SKAdNetwork), which supplies limited, non-identifying information for attribution.
The SKAN data flow is as follows:
Here, the only signal that carries user behavior is the CV (conversion value). CV is a 6-bit value represented by an integer between 0 and 63. Advertisers can map post-install behaviors to these 64 values. For example, CV=1 might mean tutorial complete; CV=2 might mean first in-app purchase, and so on—predefined and captured at postback time for analysis. As you know, 6 bits is very limited; CV alone cannot identify a user.
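The 6-bit budget described above can be made concrete with a small encoder and decoder. This is an added example, not code from Apple or from this article; the bit layout, event names and revenue buckets are assumptions chosen for illustration, and it generalizes the one-event-per-value mapping in the text to a bit-field schema (CV=1 still means tutorial complete).

```python
from collections import Counter

# Hypothetical 6-bit layout (an assumption for illustration, not Apple's or the article's):
#   bits 0-2: one flag per post-install event, bits 3-5: revenue bucket index (0-7)
EVENT_BITS = {"tutorial_complete": 0, "registered": 1, "first_purchase": 2}
REVENUE_FLOORS_USD = [0, 1, 5, 10, 20, 50, 100, 200]  # 8 buckets fit in 3 bits


def encode_cv(events, revenue_usd):
    """Pack a user's post-install behaviour into one conversion value (0-63)."""
    if revenue_usd < 0:
        raise ValueError("revenue must be non-negative")
    flags = 0
    for name in events:
        flags |= 1 << EVENT_BITS[name]  # KeyError on an event outside the schema
    bucket = max(i for i, floor in enumerate(REVENUE_FLOORS_USD) if revenue_usd >= floor)
    return (bucket << 3) | flags


def decode_cv(cv):
    """Recover what a postback's CV says: the event set and a revenue range."""
    if not isinstance(cv, int) or not 0 <= cv <= 63:
        raise ValueError("conversion value must be an integer in 0..63")
    events = {name for name, bit in EVENT_BITS.items() if (cv >> bit) & 1}
    bucket = cv >> 3
    upper = REVENUE_FLOORS_USD[bucket + 1] if bucket < 7 else None  # None = open-ended
    return events, (REVENUE_FLOORS_USD[bucket], upper)


def group_sizes(cvs):
    """Count how many installs share each CV, i.e. how coarse the signal is."""
    return Counter(cvs)


# Constructed sample: four different users, not real campaign data.
SAMPLE_USERS = [
    (["tutorial_complete"], 0.0),
    (["tutorial_complete", "first_purchase"], 5.00),
    (["tutorial_complete", "first_purchase"], 9.99),
    (["tutorial_complete", "registered", "first_purchase"], 500.0),
]
SAMPLE_CVS = [encode_cv(events, revenue) for events, revenue in SAMPLE_USERS]

if __name__ == "__main__":
    for cv, count in sorted(group_sizes(SAMPLE_CVS).items()):
        print(cv, count, decode_cv(cv))
```

The two purchasers who spent 5.00 and 9.99 collapse into the same value, which is the lossy, non-identifying behaviour the paragraph describes.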
In effect, Apple positions itself as both referee and sole processor of measurement. Advertisers and ad networks must operate within Apple’s strict rules and passively interpret the final outputs Apple provides.
In contrast to Apple’s approach—where Apple intervenes in and controls every attribution pathway and only returns the result—Google provides building blocks that let participants in the ad ecosystem build their own privacy-preserving solutions. The core set of building blocks is the Privacy Sandbox.
Privacy Sandbox pursues three main goals:
In short, it aims to create industry standards that protect privacy while enabling publishers and developers to sustain advertising-based businesses.
The most significant technical difference between Google’s Privacy Sandbox and legacy attribution is that attribution is produced on the user’s device, where it is matched against ad network information.
Because attribution is obtained on-device, ad businesses can gain meaningful conversion insights without exfiltrating personal data off the device.
The anonymized attribution generated on the device is collected via the Attribution Reporting API (ARA).
There are two primary types of reports collected via ARA:
Event-level reports contain anonymized per-event data. While per-event, they are anonymized and therefore carry limited information. They map attribution to user interactions such as clicks and views. These reports are suitable for measuring campaign reach and for attribution aggregation.
Summary reports are aggregated statistical outputs. They don’t contain individualized data, but they offer deeper insights such as conversion value, ROI, and performance analysis by user segment.
These data are delivered to ad tech platforms (AppsFlyer, Meta, AppLovin, etc.) as encrypted aggregatable reports. Based on these encrypted inputs, the platform issues the necessary queries to an Aggregation Service running in a Cloud Trusted Execution Environment.
What is a Cloud Trusted Execution Environment (TEE)?
A TEE is an isolated environment running on infrastructure from a cloud provider that meets Google’s proposed security criteria and can be trusted. If an ad tech platform satisfies the TEE security requirements, it can build and operate its own environment.
We’ve looked at how mobile attribution changes in the era of privacy. The age of deterministic attribution is over; developers and all stakeholders must prepare for attribution methods suited to a privacy-first world.
The end of the deterministic era: Strengthened privacy makes 1:1 user tracking via IDFA/GAID impossible.
Shift to a probabilistic era: Instead of definitive data, we now infer performance from limited signals.
Apple (SKAN) approach: A black-box model in which Apple controls the entire process and returns the results.
Google (Sandbox) approach: Centered on on-device matching, it provides the ecosystem with building blocks it can adopt.
Evolving role of ad tech: MMPs and ad networks now receive encrypted reports and must build and operate their own Aggregation Service in a cloud TEE to process data.