Apple announces SKAN 5 at WWDC, plus privacy manifests for third-party SDKs in an anti-fingerprinting move

Apple announced SKAN 5 at WWDC, which makes me wrong. But it barely flickered across the screen and wasn’t actually mentioned verbally, which makes me feel better. Apple also announced Privacy Manifests for third-party SDKs, building on the Privacy Nutrition labels introduced a year ago, and made it clear that they were part of Apple’s enforcement of its anti-fingerprinting privacy stance.

SKAN 5 is coming

The next major iteration of Apple’s SKAdNetwork framework for mobile app attribution made it into a screenful of API updates that Playrix marketing producer Slava Gataulin caught. But no speakers in the WWDC opening keynote actually mentioned SKAdNetwork, and it’s not clear which session at WWDC will dive into the topic, if any.

I was fairly certain that SKAN 5 would not appear at WWDC 2023 because the reality in the ecosystem right now is that we are still in the very early stages of getting SKAN 4 operational and out the door. As of April 19th, not even 1% of postbacks were SKAN 4 compatible, and the needle has not moved very far in a month and a half.

There are two good pieces of news about SKAN 5, however, that mobile marketers will welcome.

Re-engagement support is coming

97% of mobile marketers in a recent Singular webinar told us they wanted Apple to borrow features from Google’s Privacy Sandbox on Android, and re-engagement has been at the top of the list every time we’ve asked marketers what they want in SKAN 5.

Finally, they’re getting what they want. SKAN 5 will enable re-engagement.

“In addition to measuring downloads, we know it’s important to understand how advertising can bring users back into your app,” Apple says. “SKAdNetwork 5 will support measuring re-engagement. In addition to measuring conversions after a user downloads your app, you’ll also be able to measure conversions after a user opens your app by tapping on an ad.”

Based on the limited description given, it seems that this is re-engagement of people who already have your app, not retargeting of people who might have once installed your app but since deleted it.

A major question that immediately comes to mind, of course, is targeting for the re-engagement: how will you ensure that people who have your app installed will see your ads as opposed to random people who have not? If Apple supports something there, that would be interesting — and reminiscent of Privacy Sandbox’s Topics API. Hopefully we’ll know more soon, and at this point absent any further documentation from Apple I’m guessing that there is not a targeting component in SKAN 5.

In either case, any additional functionality in SKAdNetwork is a bonus.

And there’s an entirely different use case for measuring re-engagement, as Singular CTO Eran Friedman says: incidental re-exposure.

“In today’s world without IDFAs, you can’t target ‘only users who don’t have my app,’ so marketers are bound to show some ads to existing users. But these users never generate SKAN postbacks, and marketers have no clue when it happens.”

The new functionality solves an important gap in SKAN for large advertisers, Friedman says. And measuring these incidental re-exposures to ads will also yield a clearer ROAS picture for ad campaigns measured with SKAN 5.

SKAN 5 won’t change much from SKAN 4

Right now it looks like adding the re-engagement capability is the only change we’ll see from SKAN 4 to SKAN 5. That, frankly is very good news since, as we know, there are growth teams that aren’t even up to speed on SKAN 3 yet, and others on SKAN 3 who haven’t thought deeply about what to do under SKAN 4.

There’s been a lot of change in the last few years for mobile user acquisition teams: this is a welcome reprieve which goes very nicely with the one additional feature that marketers probably wanted most.

(Plus, it makes my pre-WWDC prediction almost true!)

Privacy Manifests for third-party SDKs

In a new move, Apple says it’s going to be requiring third-party SDKs to provide Privacy Manifests which will be combined to help app developers write their Privacy Nutrition labels

“to help developers understand how third-party SDKs use data, we’re introducing new privacy manifests — files that outline the privacy practices of the third-party code in an app, in a single standard format. When developers prepare to distribute their app, Xcode will combine the privacy manifests across all the third-party SDKs that a developer is using into a single, easy-to-use report.”

In addition, apps that use APIs that could be used for fingerprinting “will now be required to select an allowed reason for usage of the API and declare that usage in the privacy manifest.” They’ll have to accurately describe that usage and only use the data for stated purposes.

The solution, of course, is to use SKAN 4, adopt new privacy-safe measurement technologies like MMM, and use hybrid measurement technologies that are privacy-safe and lean on your own first-party data.

While the technology is vastly different here, this rhymes with some of the moves Google is making in Privacy Sandbox for Android with SDK Runtime: finding ways to manage and control what third-party SDKs do with private, personal data.

Along the same lines, Apple is going to be validating SDKs:

When using third-party SDKs, it can be hard for developers to know the code that they downloaded was written by the developer that they expect. To address that, we’re introducing signatures for SDKs so that when a developer adopts a new version of a third-party SDK in their app, Xcode will validate that it was signed by the same developer. 

This process won’t just happen in private. Apple says that later this year, it will publish a list of privacy-impacting SDKs : “third-party SDKs that have particularly high impact on user privacy.”

That’s likely a shot across the bow now for the adtech ecosystem to get its affairs in order quickly.