How to Integrate Apple’s SKAdNetwork in iOS 11.3

How Ad Networks Work on iOS

In order to advertise your mobile app across other third party applications, you typically would work with a third-party ad network. The ad network is responsible for displaying your ad across the apps that have integrated with that network. Whenever a user clicks on your ad and installs your app, the ad network rewards the app that drove the install.

Attributing Installs with the IDFA

But how does the ad network know that the user who clicked on the ad was the same user who installed your application? The ad network uses a device level identifier called the IDFA (Identifier for Advertisers) to determine that the user was the same in both places. This means that the app displaying the ad and the app paying for the ad both need to integrate the ad network or attribution provider’s SDK so that they can attribute the new install to its original ad click.

Issues with IDFA Attribution

Unfortunately, the IDFA is not completely reliable. For the sake of user privacy, Apple allows users to reset their devices’ IDFAs. This means that a user could tap an ad, install an app, reset their IDFA, delete the app, tap the same ad, and install the same app again. The ad network would see this as two separate installs. Now imagine this scenario with a large scale device farm. Obviously, this makes ad networks vulnerable to fraud.

What is SKAdNetwork?

SKAdNetwork is a new addition to Apple’s StoreKit framework that allows third-party ad networks to attribute installs without ever exposing the IDFA. Essentially, this framework is Apple’s way of providing ad attribution without compromising a user’s privacy. SKAdNetwork works by marking the ad click with a signature so that when the user installs the app directly from that click, Apple will verify the signature is not fraudulent and directly alert the ad network that an install occurred without the ad network ever needing to look at the IDFA.


Benefits of SKAdNetwork

If you are only interested in measuring installs in aggregate, this framework can provide some benefits to your attribution. One of which is a fraud proof signature that is sent with every install to ensure that the install was valid. Another benefit is that it is an Apple owned framework, which means that it can pass attribution information through the App Store installation process, whereas other attribution providers need to do all of that handling server-side and often times may take some guesswork. This should give you much higher confidence in the results that are reported. Lastly, since Apple is performing the attribution, there is no need to use a third-party attribution provider.

Shortcomings of the SKAdNetwork

The IDFA gives ad networks a semi-permanent identifier that they can use to track that user across all apps within their network. They can use that information to build retargeting profiles, attribute any type of conversion (install, purchase, sign up, etc.) to the original ad click, and measure user retention. SKAdNetwork’s abstraction of the IDFA limits the level of granularity that ad networks can get when measuring ad conversions. Essentially, SKAdNetwork’s functionality only allows you to see installs from a campaign in aggregate because the webhook that Apple sends to the ad network does not have any information that uniquely identifies the user who performed the install. It only provides the timestamp, campaign, app, product, and ad network ID.

Implementing the SKAdNetwork
Requirements of Implementation

In order to successfully implement the SKAdNetwork, devices must be running iOS 11.3+, and the Ad Network must have registered identifier from Apple.

Displaying the Ad

The app that displays app install ads is responsible for taking users to the App Store once an ad is tapped. In iOS 6, Apple created the SKStoreProductViewController which allowed developers to present the product download page without the user ever needing to leave the app and open the app store. When presenting this view controller, you must load the product you are displaying with the `loadProduct` function.

func loadProduct(withParameters parameters: [String : Any], 
 completionBlock block: ((Bool, Error?) -> Void)? = nil)

Typically, you would just pass in the product information into the `parameters` variable. This includes the ItemIdentifier, ProductIdentifier, AdvertisingPartnerToken, AffiliateToken, CampaignToken, and ProviderToken. When using the SKAdNetwork, it is necessary to pass these additional parameters:

The ad network identifier you registered with Apple.

A campaign number you provide.

A unique value that you provide for each ad impression.

A timestamp you generate near the time of the ad impression.

A cryptographic signature you generate based on the other parameters.

These are the parameters that Apple looks for when associating an app installation with an ad campaign. The last parameter is an install validation signature that consists of the four other parameters in a UTF-8 encoded string, separated by ‘u2063’.

ad-network-id + 'u2063' + campaign-id + 'u2063' + itunes-item-id + 'u2063' + nonce + 'u2063' + timestamp

Sign this value with Elliptic Curve Digital Signature Algorithm (ECDSA) and your PKCS#8 standard private key, and you’ll get your complete validation signature.

Triggering a Conversion Notification

When an app is participating in an advertising network that uses SKAdNetwork for attribution, the app must call registerAppForAdNetworkAttribution() when launched from an install. This creates a conversion notification that alerts Apple that an install occurred from the result of an ad. Only the first call to this function will generate a notification, if attribution data is present. All later calls will not do anything.

Validating a Conversion Postback

When the app is installed and conversion notification is fired with the attribution data, Apple will send a postback to the ad network that looks like this:

  "ad-network-id" : "com.example",
  "transaction-id" : "6aafb7a5-0170-41b5-bbe4-fe71dedf1e28",
  "campaign-id" : 42,
  "app-id" : 1229670720,
  "attribution-signature" : "MDYCGQCsQ4y8d4BlYU9b8Qb9BPWPi+ixk/OiRysCGQDZZ8fpJnuqs9my8iSQVbJO/oU1AXUROYU="

In order to validate that this install is not fraudulent:

  • The ad network must create the same UTF-8 string created by the app displaying the ad:
ad-network-id + 'u2063' + campaign-id + 'u2063' + app-id + 'u2063’ + transaction-id 
  • They must decode Apple’s public key into a byte array.
  • Create an X.509 standard public key from the byte array created in the last step.
  • Use Apple’s public key to verify the attribution-signature parameter against the string created in step one.

Once the signature is validated, the install can be attributed to the original-displayed ad. With this methodology, it is guaranteed that every install will be unique and non-fraudulent.

Where do I start?

If you are interested in working with the SKAdNetwork, we recommend talking to your ad networks to see if they have registered with Apple. The assumption is that most of this work will be built into ad network SDKs, so the display app and ad purchasing app do not have to do any of the validation handling. Apple has not released much information on how to become a registered ad network, so there are still a lot of unanswered questions.

How does this affect Branch?

As of now, there is no direct impact on the deep linking/web-to-app attribution space, so there is nothing positively or negatively affecting the Branch product. The SKAdNetwork framework is strictly for the app-to-app ad network attribution space, but there doesn’t seem to be much a rush to adopt it because of its limitations. Our assumption is that Apple is beginning to provide privacy-sensitive alternatives for ad networks, and this framework is their first step in doing so.