Fingerprinting vs Deterministic Matching for Deep Links

By Tolinku Staff

When a user clicks a deep link, installs your app, and opens it for the first time, something has to connect those two events. The click happened in a browser or another app. The install happened in the App Store or Google Play. The first open happened inside your app. These are three separate contexts, and bridging them is the core challenge of deferred deep linking.

Two methods exist for making that connection: deterministic matching and probabilistic fingerprinting. They differ significantly in accuracy, implementation complexity, and privacy implications. Understanding both helps you make informed decisions about your attribution setup.

Deterministic Matching

Deterministic matching uses a shared, persistent identifier that is present on both sides of the attribution gap. Because the same value appears at click time and at install time, you can match them with certainty.

The most common examples:

Device advertising identifiers. On iOS, this is the IDFA (Identifier for Advertisers). On Android, it's the GAID (Google Advertising ID). When a user clicks a link, the click event captures their advertising ID. When the app opens, it reads the same ID and sends it to the attribution server. The match is exact.

Google Play Install Referrer. On Android, when a user clicks a link and arrives at the Play Store, Google passes a referrer string through to the app on first open. This string can contain a unique click ID, which makes the match deterministic without relying on device identifiers at all. See our deeper guide on Google Play Install Referrer for implementation details.

Clipboard (pasteboard) tokens. When a user taps a link on iOS, the attribution platform can write a short-lived token to the clipboard. On first app open, the app reads the clipboard and sends the token to the server. Apple introduced a privacy prompt for clipboard access in iOS 16, so this method now requires user permission.

Deterministic matching is accurate when it works. There is no guessing involved. Either the identifiers match, or they do not.

The ATT Problem on iOS

Apple's App Tracking Transparency framework, introduced in iOS 14.5, requires apps to ask permission before accessing the IDFA. According to data from Statista and various mobile measurement reports, opt-in rates have settled well below 50% across most app categories.

When a user does not grant ATT permission, the app cannot read the IDFA. The click cannot be matched to the install deterministically. This is a fundamental shift. Before ATT, deterministic matching via IDFA was the default on iOS. After ATT, it is the exception.

Android's advertising ID is still available by default, though Google has announced plans to phase it out as part of the Privacy Sandbox for Android initiative.

Probabilistic Fingerprinting

When deterministic identifiers are unavailable, attribution systems fall back to probabilistic fingerprinting. Instead of a shared unique ID, fingerprinting collects multiple signals that are likely to be consistent between the click and the install, then scores candidate matches based on how many signals agree.

Common fingerprinting signals:

  • IP address
  • Device type and model
  • Operating system version
  • Browser user agent
  • Screen resolution
  • Time zone and language
  • Carrier information

None of these signals uniquely identifies a device. Many people share the same IP address (offices, households, mobile carriers using CG-NAT). Many devices share the same model and OS version. But when you combine several signals and compare them within a narrow time window, you can estimate with reasonable confidence that a click and an install came from the same device.

The accuracy of fingerprinting depends heavily on match window settings and traffic conditions. A 24-hour window is common, but shorter windows (one to four hours) reduce false matches at the cost of missing some real ones.
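The two methods can be combined in one server-side matcher, shown here as an added example that is not Tolinku's code: a click ID carried in the install referrer is matched exactly, and only when that fails are in-window clicks scored on agreeing signals. The `click_id` parameter name, the weights, the thresholds and the sample records are assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

# Hypothetical weights: an IP alone is weak evidence (offices, households, CG-NAT).
WEIGHTS = {"ip": 3, "model": 2, "os": 2, "lang": 1, "tz": 1}

@dataclass
class Click:
    click_id: str
    ts: int        # click time, epoch seconds
    signals: dict  # signals captured at click time

def click_id_from_referrer(referrer):
    """Pull the click ID out of a referrer query string ("click_id" is an assumed name)."""
    values = parse_qs(referrer or "").get("click_id")
    return values[0] if values else None

def score(click, install_signals):
    """Sum the weights of the signals that agree between click and install."""
    return sum(w for name, w in WEIGHTS.items()
               if name in click.signals and click.signals[name] == install_signals.get(name))

def attribute(install, clicks, window_s=1800, min_score=7, min_margin=2):
    """Return (click_id, method). click_id is None when no safe match exists."""
    known = {c.click_id: c for c in clicks}
    cid = click_id_from_referrer(install.get("referrer"))
    if cid in known:  # accept only IDs the server itself issued
        return cid, "deterministic"
    # Fallback: score only clicks that precede the install within the match window.
    in_window = [c for c in clicks if 0 <= install["ts"] - c.ts <= window_s]
    ranked = sorted(((score(c, install["signals"]), c.click_id) for c in in_window),
                    reverse=True)
    if not ranked or ranked[0][0] < min_score:
        return None, "unattributed"
    if len(ranked) > 1 and ranked[0][0] - ranked[1][0] < min_margin:
        return None, "ambiguous"  # e.g. two similar phones behind one carrier IP
    return ranked[0][1], "probabilistic"

# Constructed sample data (documentation IP ranges), not real traffic.
SHARED = {"ip": "203.0.113.7", "model": "Pixel 8", "os": "14", "lang": "en-US", "tz": "UTC-5"}
OTHER = {"ip": "198.51.100.20", "model": "Galaxy S23", "os": "13", "lang": "de-DE", "tz": "UTC+1"}
CLICKS = [Click("c-101", 1000, SHARED), Click("c-102", 1300, SHARED), Click("c-103", 1400, OTHER)]

if __name__ == "__main__":
    for inst in ({"ts": 2000, "signals": SHARED, "referrer": "utm_source=mail&click_id=c-102"},
                 {"ts": 2000, "signals": SHARED},
                 {"ts": 2000, "signals": OTHER}):
        print(attribute(inst, CLICKS))
```

The same install signals that resolve exactly with a referrer click ID come back as ambiguous without one, because two clicks behind the shared IP score identically; reporting that outcome separately keeps it from being counted as a confident match.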

Accuracy Rates

Deterministic matching is essentially 100% accurate when an identifier is available. Fingerprinting accuracy varies widely, typically cited in the 70-95% range depending on traffic mix, geography, and the number of signals available. High-volume campaigns in dense urban areas (where many devices share carrier IPs) have lower accuracy. Campaigns targeting desktop-to-mobile flows or rural areas typically perform better.

The practical impact: for every 100 installs attributed via fingerprinting, a small number may be misattributed to the wrong click or incorrectly marked as organic. At small scale this is noise. At large campaign scale it can meaningfully distort your return-on-ad-spend calculations.

Privacy Implications

iOS: ATT and SKAdNetwork

Apple's response to fingerprinting has been explicit. The App Store Review Guidelines state that apps may not derive a unique identifier from device characteristics to track users across apps or websites without ATT permission. Apple has rejected apps using fingerprinting to circumvent ATT.

For iOS attribution, SKAdNetwork is Apple's privacy-preserving alternative. It provides aggregated, delayed attribution signals without exposing individual user data. SKAdNetwork does not support deferred deep linking at all; it tells you which campaign drove an install, but it cannot route the user to a specific screen or pre-fill any context.

This means that on iOS, for users who decline ATT, you generally have three options: use clipboard-based matching (requires user interaction with a prompt), use SKAdNetwork for campaign-level attribution only, or accept that some installs will be unattributed.

Android: Privacy Sandbox

Google's Privacy Sandbox for Android proposes an Attribution Reporting API modeled loosely on Chrome's web version. It would provide aggregated attribution without exposing individual click data. As of early 2026, this is still in developer preview. The GAID remains the primary mechanism for deterministic attribution on Android.

GDPR and CCPA

Under GDPR, fingerprinting may constitute processing of personal data, since IP addresses are considered personal identifiers in the EU. This requires a legal basis, typically consent. Publishers and attribution providers operating in the EU need to ensure their fingerprinting practices are covered by their consent management flows.

CCPA has similar implications for California users. The "do not sell my personal information" opt-out may need to extend to fingerprinting-based attribution depending on how data is shared with third parties.

When to Use Each Method

Prioritize deterministic matching whenever possible. If you are on Android, use the Play Install Referrer API as your first-party deterministic signal. It does not require any advertising ID and is not affected by privacy frameworks. If ATT is granted on iOS, use the IDFA. If clipboard access is appropriate for your use case, consider token-based matching as a fallback.

Use fingerprinting as a fallback, not a primary strategy. On iOS post-ATT, fingerprinting fills the gap for users who decline tracking. Accept that accuracy will be lower and avoid over-optimizing campaign decisions based on fingerprinted attribution alone.

Match window discipline matters. For fingerprinting, keep match windows short. A 30-minute window produces far fewer false positives than a 24-hour window. You will miss some late-opening installs, but the data you do capture will be more reliable.

Audit your attribution claims. Run periodic sanity checks comparing attributed installs to actual install counts from the App Store Connect and Google Play consoles. Large discrepancies signal over-attribution, often from fingerprinting false positives.

How Tolinku Handles Attribution

Tolinku's deferred deep linking implementation uses deterministic matching as the primary mechanism: Play Install Referrer on Android, and device ID matching where available on iOS. For iOS users without ATT permission, the system falls back to probabilistic matching with configurable match windows.

Attribution data flows into the analytics dashboard, where you can see attributed vs. unattributed install breakdowns, allowing you to understand your fingerprinting coverage and adjust match windows if needed. The attribution concepts guide explains how attribution events are recorded and queried.

Summary

Deterministic matching is the right default: accurate, straightforward, and not subject to the compounding error of probabilistic methods. The challenge is that it depends on identifiers that users can withhold, and platform policies are progressively restricting them.

Fingerprinting remains useful as a fallback for iOS post-ATT, provided you use it within legal boundaries, keep match windows short, and treat the results as estimates rather than certainties. On Android, the Play Install Referrer gives you a reliable deterministic signal that sidesteps the advertising ID question entirely.

The trend is clearly toward more privacy and less tracking. Attribution systems that depend on fingerprinting as a primary method are building on ground that is shifting. Combining multiple signals, short match windows, and first-party deterministic mechanisms where possible gives you the most durable attribution setup.

For a broader look at how deferred deep linking works from click to first open, see the install attribution flow guide.
