Navigating iOS 17’s Privacy Landscape: The Road Ahead for App Developers and Advertisers

Author’s note: To learn about WWDC 2023’s privacy updates, App Tracking Transparency, and its significance, check out this blog post: The Dark Horse of WWDC 2023: Privacy Policies Finally Get Real.

It’s officially time to embrace the privacy-first era and bid farewell to outdated measurement tactics. The news coming out of WWDC 2023, along with growing industry adoption of SKAN, means marketers should prepare to fully usher in the privacy-first era of app performance across operating systems. It’s high time to leave those legacy, ID-based marketing strategies in the rearview mirror.  

Apple is now taking a firm stand on tracking policies, leading us to a landscape where fingerprinting is categorically banned. Through a series of updates to their APIs and developer tools, Apple is ensuring that compliance occurs at a technical level. This crackdown is indicative of Apple’s unchanged policies and aimed at facilitating compliance without disrupting adherents of the existing framework. 

Who’s responsible for what?

Everyone has a role in embracing privacy-first measurement in the mobile ecosystem. When it comes to who is responsible for what in the context of iOS 17’s privacy updates, here’s the breakdown:  

App developers and marketers

  • Ensure your vendor partners are ready for these changes and schedule necessary internal development time for required SDK updates.
  • Prepare your app’s privacy manifest.
  • Complete the Nutrition Label questionnaire in App Store Connect (this responsibility hasn’t changed).
  • Investigate any tracking domains your app may be using by leveraging the new Instruments utility in Xcode.

Vendor partners (like Branch)

  • Provide privacy manifests that disclose tracker domains and ensure legitimate use of covered APIs.
  • Sign SDKs for authenticity.
  • Update SDKs and backend infrastructure according to Apple’s latest guidelines to distinguish between “tracking” and “non-tracking” network traffic.

As always, Branch is here for you every step of the way. Don’t hesitate to reach out with any questions!

What changes has Branch made to prepare for iOS 17?

We consistently update our platform to accommodate the ever-changing data privacy regulations of the mobile marketing industry. In that spirit, we’ve been hard at work preparing for the upcoming wave of privacy updates. Here’s what’s new. 

We’ve introduced support for privacy manifests.

Why? Privacy manifests are an important addition to the App Store submission process that has implications for both marketers and app developers. In the context of Branch’s SDK, the privacy manifest serves as a crucial tool.

Screenshot of Apple's WWDC 2023 presentation announcing Privacy Manifests. "In cases where a user has not provided tracking permission, iOS 17 automatically blocks connections to tracking domains that have been specified in any privacy manifest included in your app."

Source: Apple, Get started with privacy manifests

The Branch SDK privacy manifest now contains key information, such as:  

  • The declaration of an NSTrackingDomain, which is necessary to meet Apple’s requirements. If a user hasn’t given tracking permission through the App Tracking Transparency framework, apps will encounter errors when making network requests to these domains.
  • A list of NSPrivacyAccessedAPITypes (also known as Required Reason APIs), along with their respective valid use reasons.
  • Details on the data that Branch’s SDK collects, referred to as NSPrivacyCollectedDataTypes. These updates simplify the process for app developers completing Privacy Nutrition labels, though it’s important to note that app owners are responsible for addressing these questions during the App Store Review.

Our support will be particularly valuable for app developers who use the Branch SDK for attribution and deep linking and are preparing their apps for submission to the App Store. 

We’ve updated our SDKs and backend infrastructure.

Why? Vendor partners (like Branch) are required to update their backend platforms and infrastructure approach with iOS 17, ensuring adherence to privacy policies. 

Here at Branch, we’ve made updates to our SDKs and backend infrastructure to align with iOS 17’s privacy requirements, with a focus on compliance. By making these changes, we’re helping your app remain compliant with the latest iOS privacy updates while providing flexibility for tracking and measurement.

To that effect, Branch has created two separate domains for handling network requests from iOS users that pertain to app conversion events, like installs, app opens, and in-app purchases. These domains are: 

  • Dedicated tracking domain []: This domain (designed for ads measurement) must be declared in the privacy manifest. Branch will only use this domain when users have opted in to App Tracking Transparency (ATT).
  • Dedicated non-tracking domain []: This domain is used by Branch for API requests related to non-ads measurement and deep linking. Notably, there’s no requirement to declare this domain in the privacy manifest, since traffic through it doesn’t contribute to “tracking” (ads measurement).

We’ll start signing our SDK upon iOS 17’s release.

Why? Branch is taking a proactive step to make things easier for app developers. With iOS 17, Apple will identify certain SDKs as impacting user privacy. Starting in Spring 2024, these SDKs will need to add a signature and include their privacy manifest.

A screenshot of Instruments, showing points of interest in the timeline where the app has contacted domains that may be following people across multiple apps and websites to combine their activity into a profile. A point of interest is selected in the detail view.

Source: Apple, Use Instruments for domain profiling

Although Apple’s privacy-impacting SDK list isn’t currently available, Branch is ensuring our SDK Framework complies with Apple’s upcoming requirements for iOS 17 (and its privacy changes).

When can we expect Apple to enforce iOS 17’s announced privacy changes?

Below you’ll find our updated summary of the timeline Apple provided on their privacy adjustments in the coming months (as of September 2023). 

Apple's privacy update timeline: Fall 2023: App Store checks if new an updated apps include a privacy-impacting SDK. Apple notifies app developers if any privacy-impacting SDKs being used don't have a signature, privacy manifest, etc. Spring 2024: Signatures and Privacy Manifests required in App Review. Flagged issues must be addressed before App Store submission.

Near term: September 2023

  • iOS 17 will be publicly released. The aforementioned privacy changes won’t take effect until Fall 2023. 

Medium term: Fall 2023

  • Apple will determine whether newly submitted or updated apps contain privacy-impacting SDKs. Starting in the fall of 2023, Apple will send informational emails to app developers if these privacy-impacting SDKs lack a signature and privacy manifest.
  • Apple will also send informational emails to developers for apps that access required reason APIs without declaring approved reasons.

Long term: Spring 2024

  • Signatures and privacy manifests for privacy-impacting SDKs will be expected and will become part of the App Review process. You’ll need to address any issues flagged by Apple before you submit new and updated apps to the App Store.
  • Enforcement of the aforementioned privacy changes are also expected to begin Spring of 2024.

Embrace privacy updates

Here at Branch, we’ve thoroughly evaluated the landscape and aligned our platform to seamlessly integrate these privacy updates. Our goal is to ensure your mobile experience remains secure and uninterrupted. As the mobile industry collectively navigates these significant privacy shifts, Branch will continue supporting your deferred deep linking and owned/earned attribution measurement.

As you navigate the realm of privacy-conscious marketing, stay flexible and focused. Proactive adaptation will be the winning strategy, so view this shift to privacy as your strategic edge. Embrace these changes as chances for growth — not mere obligations.