iOS App Tracking · howto

Including Onesecondbefore's consent solution in a mobile app requires additional steps to make sure your app follows Apple's App Store Review guidelines. As Apple's guidelines do not map one on one with Europe's GDPR requirements you will have to show both the App Tracking Request and the CMP. You basically have the following two options:

  1. Recommended consent flow
    First ask if you can use the ID for Advertisers with an App Tracking Request. The consent dialogue will be shown after. No changes to the consent dialogue will be made depending on the answer on the App Tracking Request.
    Consent Flow Recommended
  2. Alternative consent flow
    First show the consent dialogue. Depending on the consent given by the user, you can show the App Tracking Request or go straight to the app. A disadvantage of this approach is that it is not possible to resurface the App Tracking Request at will, e.g. after a resurface of the consent dialogue, e.g. due to an update on the cookie policy or a user changes his mind.
    Consent Flow Alternative

Open WebView with consent page

  • Open a (fullscreen) WebView with the URL of the consent page as specified by OSB support. Do this only when consent has not been given previously (it either is not stored in UserDefaults or its value has expired).
  • Add a WebKit messageHandler osbCmpMessageHandler that accepts three parameters:

    consent (stringified JSON object)

    The IAB TCF consent object with the following members:

    tcStringThe IAB TCF consent string. Should be stored in the UserDefaults object
    purposesAn array of consented purpose id's (integer 1-11)
    legitimateInterestsAn array of legitimate interest id's (integer 1-11)
    specialFeaturesAn array of special feature id's (integer 1-2)
    vendorConsentsAn array of vendor id's for which consent has been given (integer)
    vendorLegitimateInterestsAn array of vendor id's for which legitimate interest has been consented (integer)
    cduid (string)

    The cross-domain user-id, either the IDFA (if authorized, see above), or the IDFV.

    expirationDate (number)

    The date until which this consent is valid in milliseconds since 1970-01-01. If consent has expired, the WebView should be shown again. Its value should be stored in the UserDefaults object.

    This WebKit messageHandler will be called using client-side JavaScript in the WebView as follows:

        consent,  // JSON object as String
        cduid,    // String
        expirationDate  // Number
  • Parse the JSON in the consent string and store the tcString and expirationDate members in UserDefaults

  • If the user consented to any advertising, social or marketing purposes (e.g. IAB purposes 2-6), ask for Apple App Tracking (see below).

  • Pass the tcString to any Ad provider that requires it using their own API.

Apple App Tracking consent

Requesting App Tracking consent is done with ATTrackingManager.requestTrackingAuthorization, available since iOS 14. Only after the user has authorized this request is Onesecondbefore's SDK allowed to access the Identifier for Advertisers (IDFA). The SDK will never call the ATTrackingManager.requestTrackingAuthorization on its own and it's the responsibility of the app developer to include this call during the start up phase of the app.

Additionally, the app's Info.plist should contain the following key/value pair:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
    <string>User-friendly text why you are requesting app tracking</string>

More information