Attribution: Is Mobile App Attribution Broken?

Attribution: Is Mobile App Attribution Broken?

Mobile Attribution is Broken.

Single SDK mobile attribution was originally conceived as much needed layer of tracking transparency for a nascent mobile app industry.  But I contend that these attribution providers have ultimately failed to support the industry in a way that provides adequate transparency and fair competition for all stake holders. Today the performance industry’s top attribution platforms have become as opaque as the industry they sought to change.


A Brief History

At the beginning of the noughties when the internet was consumed in only one place – the desktop browser – advertisers and publishers would make pixel integrations with each other to support tracking. This was a form of direct tracking carried out between an advertiser and every publisher they agreed to work with.

Fast forward to the mobile app era, where app developers (advertisers) are confronted with the prospect of integrating tracking SDK’s for every publisher they wanted to use to promote their app. Clearly this would be a time consuming process that would bloat or potentially destabilise the advertisers app. Not an ideal scenario. And so the idea of the attribution industry we’ve come to know was born. A single SDK mediating all publishers and requiring advertisers to make only one tracking integration to realise the promise of transparent, unbiased tracking.


The Last Click

One of the key ways in which attribution platforms work is to rely on a chronology of user events from when the user is served with an ad impression, right up until the last touchpoint where the user reaches the app store. This historical look back window or ‘Attribution Window’ is used to determine which publisher should be awarded the paid tracking event – typically an install.

Lets use a simplified example to illustrate how this works. Take AdNetwork ‘A’ who sent a user to the app store through an ad they clicked on Saturday 10th Feb at 9:30 AM. However, this user did not install the advertised app. Now, enter AdNetwork ‘B’ who had the same user click their ad for the same app on Saturday 10th February at 9:35 AM. The user installed the app directly after this click. If all other things are considered equal, then Network B would be attributed with the’Install’ event and Network A would be marked as the ‘Contributor’, a largely meaningless categorisation. This is why last click matters so much, because it is one of the major hinges upon which tracking platforms rely upon to determine where hundreds of millions of the ad dollars go.

In many ways the ‘last click’ methodology for tracking makes a lot of sense. There are many ad networks running the same campaign and competing for the same users and payouts. Someone has to play referee and award the paid event to a publisher. And this would be impossible without referring to the last historical touchpoint of the user.

However, in-app environments have exposed critical weaknesses in this methodology that bad actors have exploited in order to be attributed for hundreds of millions in ad dollars, when they were never part of the flow that led the user to install an app in the first place.


Exploiting Attribution Windows

Tracking providers rely on their integrations with the app stores to tell them what a user does after they are delivered to the store via one of their attribution links.  This is done using a referrer ID and it is communicated from the store to the attribution platform, telling the latter that an install has occurred from a specific user.

Remember, tracking providers don’t track the actual click on the ‘download’ button inside the app store, nor when the users successfully downloads the app. Rather they deliver the user to the store and wait for communication from store to determine if an install event occurred for that user. A combination of the referrer ID being broadcast by the store followed by an app ‘open’ event allow the tracking provider to confirm the download and attribute it appropriately.

Up to very recently the Google Pay store never communicated these ID’s with a timestamp. This allowed rogue publishers with malware installed on a users device to hijack the referrer ID and broadcast it as attributable to their publisher instead. When in reality they had no role in the user installation.


*Adjust have laid out a nice chronological graphic in their blog post highlighting this Click Injection  methodology.

The practice of click injection has gone unchecked for almost 2 years spawning an industry full of fraud, massive distrust and anti competition for which these tracking providers must accept responsibility for.


An End to Attribution Fraud (For Some)

This is set to change as Google announced toward the end of 2017 that it was adding a timestamp to its referrer API, thus giving tracking providers a reference point to identify if a click injection event had occurred between the time they left the user at the store and the app open event. This effectively closes the loophole and should see an end to this form of fraud in 2018.

Closing this loophole is a welcome update for the industry. Beyond creating unmerited profit for the perpetrators, it caused a huge imbalance in the competitive landscape of app monetisation. Unheard of SDK adnetworks utilising click injection where able to create pumped up eCPM rates for complicit publishers, creating an anti competitive environment for other networks.

But this update from tracking providers only represents an end to attribution fraud for some. The tracking industry is so fundamentally broken  that Self Attributing platforms like Facebook continue to claim large swathes of installs attributable to organic downloads and paid for ad network media.

There are two main reasons why tracking providers allow this to occur unchecked:


  1. Self Attributing Platforms: Facebook can be termed as self-attributing ad network. This means they tell industry leading tracking platforms what events are attributable to them, rather than the other way around. Its a bit like ripping up a bank’s ledger, then telling your bank manager that you counted all the money and you are pinky-swear certain that all the money is yours. And so we see this played out time and again where there is reportedly consistent and large discrepancies between what self attributors claim as their installs and what the tracking providers record as rightfully attributable to them[1].
  2. Lock Back Window Bias: The sheer scale of self attributing ad networks like Facebook mean that the attribution look-back window becomes a biased methodology for ascertaining attributable events. Think about it, if the impression look-back window for FB is even 24 hours, they need only serve and ad (no user engagement) in order to claim an install that might otherwise have been organic (free) for the advertiser.


For all the good these tracking providers attempt to achieve the fact remains that the very lifeblood of their business is so existentially tied up in supporting platforms like Facebook (their Advertising customers demand it) that even if they wanted to, they are powerless to change things.

Ultimately, the mobile app attribution industry in its current form is so fundamentally broken that its fair to say even small-wins like identifying malware click injections are utterly irrelevant in the big picture. Attribution platforms were originally built to bring attribution authority and transparency to the mobile ad industry but instead they have been utterly complicit in creating an environment for fraud to occur on huge scale. Because where there is no transparency there is no recourse, for any industry stakeholder.





[1] Alison Schiff of AdExchanger wrote extensively on this issue here. Moar Sadra (Applift CRO) has detailed this phenomenon extensively in his Linkedin Posts.

Leave a Reply

Your email address will not be published.