iOS App Tracking · howto

Including Onesecondbefore's consent solution in a mobile app requires additional steps to make sure your app follows Apple's App Store Review guidelines. As Apple's guidelines do not map one on one with Europe's GDPR requirements the following steps need to be implemented:

• First, open a WebView with Onesecondbefore's consent page
• Next, ask App Tracking consent. Optionally, you might want to skip this part if the user did not consent at all as this would imply accessing the IDFA is not necessary.

Open WebView with consent page

• Open a (fullscreen) WebView with the URL of the consent page as specified by OSB support. Do this only when consent has not been given previously (it either is not stored in UserDefaults or its value has expired).

• Add a WebKit messageHandler osbCmpMessageHandler that accepts three parameters:

  consent (stringified JSON object)

  The IAB TCF consent object with the following members:

  Name	Description
  tcString	The IAB TCF consent string. Should be stored in the UserDefaults object
  purposes	An array of consented purpose id's (integer 1-11)
  legitimateInterests	An array of legitimate interest id's (integer 1-11)
  specialFeatures	An array of special feature id's (integer 1-2)
  vendorConsents	An array of vendor id's for which consent has been given (integer)
  vendorLegitimateInterests	An array of vendor id's for which legitimate interest has been consented (integer)

  cduid (string)

  The cross-domain user-id, either the IDFA (if authorized, see above), or the IDFV.

  expirationDate (number)

  The date until which this consent is valid in milliseconds since 1970-01-01. If consent has expired, the WebView should be shown again. Its value should be stored in the UserDefaults object.

  This WebKit messageHandler will be called using client-side JavaScript in the WebView as follows:

  window.webkit.messageHandlers.osbCmpMessageHandler.postMessage({
      consent,  // JSON object as String
      cduid,    // String
      expirationDate  // Number
  });

• Parse the JSON in the consent string and store the tcString and expirationDate members in UserDefaults

• If the user consented to any advertising, social or marketing purposes (e.g. IAB purposes 2-6), ask for Apple App Tracking (see below).

• Pass the tcString to any Ad provider that requires it using their own API.

Apple App Tracking consent

Requesting App Tracking consent is done with ATTrackingManager.requestTrackingAuthorization, available since iOS 14. Only after the user has authorized this request is Onesecondbefore's SDK allowed to access the Identifier for Advertisers (IDFA). The SDK will never call the ATTrackingManager.requestTrackingAuthorization on its own and it's the responsibility of the app developer to include this call during the start up phase of the app.

Additionally, the app's Info.plist should contain the following key/value pair:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>NSUserTrackingUsageDescription</key>
    <string>User-friendly text why you are requesting app tracking</string>
    ...

More information

• App Tracking Transparency Framework
• User Privacy and Data Use
• If an app asks to track your activity