When a user clicks a link and installs your app, something in between those two events has to connect them. That connection is attribution, and the method used to make it matters more than most mobile teams realize.
Two fundamentally different approaches exist: deterministic and probabilistic. They differ in how they identify a user, how accurate they are, and what privacy trade-offs they carry. For a detailed comparison of fingerprinting techniques specifically, see Fingerprinting vs Deterministic Matching for Attribution. The rise of App Tracking Transparency (ATT) on iOS has made the distinction between them more consequential than ever.
Deterministic Attribution
Deterministic attribution uses a unique, persistent identifier to create an exact match between a click and an install. When the same identifier appears on both sides of the install event, the attribution is certain.
The most common identifiers are:
- IDFA (Identifier for Advertisers) on iOS: A device-level ID that Apple provides to apps when the user has granted ATT permission.
- GAID (Google Advertising ID) on Android: Google's equivalent, available unless the user has opted out in device settings.
- Email address or user ID: If the user is logged in before and after install, a server-side match on the authenticated identity is possible.
How It Works
1. User clicks a link. The attribution service records the click along with the device's advertising ID.
2. User installs the app. At first launch, the SDK sends the device's advertising ID to the attribution service.
3. The service looks for a click with the same ID. If one exists within the attribution window, the install is attributed deterministically.
Accuracy with deterministic attribution approaches 100%. The identifier is either present and matching, or it isn't. There is no estimation involved.
The ATT Problem
Apple's App Tracking Transparency framework, introduced in iOS 14.5, requires apps to request permission before accessing the IDFA. If the user declines (or if the app never asks), the IDFA is unavailable.
The practical effect: on iOS, deterministic attribution only works for users who have granted ATT consent. Depending on the app category, this is somewhere between 20% and 50% of your user base. The rest of your iOS traffic falls through to probabilistic attribution or goes unattributed entirely.
Android does not have ATT, but it has its own evolution. The Privacy Sandbox on Android is Google's effort to move advertising measurement off persistent identifiers. This is still rolling out and is less immediately impactful than iOS ATT, but the trajectory is the same. On Android, the Google Play Install Referrer provides a deterministic attribution path that does not depend on advertising IDs.
Probabilistic Attribution
Probabilistic attribution makes a statistical inference about whether a click and an install came from the same user. It uses available signals instead of a persistent identifier.
Common signals include:
- IP address: Two events from the same IP address within a short time window are likely from the same device or household.
- User agent string: Captures the OS version, device type, and browser.
- Screen resolution and pixel density: Combined with user agent, helps distinguish device models.
- Language and locale settings
- Timestamp: The shorter the window between click and install, the more likely the match.
How It Works
1. User clicks a link. The attribution service records a fingerprint hash of the available signals.
2. User installs the app. At first launch, the SDK collects the same signals and sends them to the attribution service.
3. The service compares fingerprints. If signals overlap sufficiently within the attribution window, the install is probabilistically attributed to the click.
The match is not certain. It's a confidence score. Most attribution services use a threshold (e.g., 80% confidence) above which they record an attribution and below which they report the install as organic.
Accuracy
Probabilistic accuracy depends on:
- Time-to-install: A user who installs within five minutes of clicking has a very high probability match. A user who installs 48 hours later on a different network is much harder to match.
- IP uniqueness: Shared IPs (office networks, university campuses) reduce accuracy because multiple users may share the same IP fingerprint.
- Device diversity: If all your users have the same device model and OS version, fingerprints become less distinct.
Realistic accuracy for probabilistic attribution is 70-90% for installs within 24 hours, dropping as the window extends. In practice, most installs happen within a few hours of the click for paid campaigns, which keeps accuracy reasonably high.
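Both matching flows above, together with the time-to-install and shared-IP effects, combined into one resolver. This is an added example, not code from any attribution SDK; the signal weights, the decay formula, the ambiguity margin and all field names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

WINDOW_S = 24 * 3600   # attribution window (assumed: 24 hours)
THRESHOLD = 0.8        # assumed cut-off, matching the 80% example above
MARGIN = 0.05          # assumed: top two scores closer than this are ambiguous
# Assumed signal weights; a real service would fit these to its own data.
WEIGHTS = {"ip": 0.5, "user_agent": 0.2, "screen": 0.15, "locale": 0.15}

@dataclass
class Event:
    ts: int                      # Unix seconds
    signals: dict                # keys as in WEIGHTS
    ad_id: Optional[str] = None  # IDFA/GAID, None when unavailable

def confidence(click, install):
    """Weighted signal overlap, decayed as time-to-install grows."""
    overlap = sum(w for k, w in WEIGHTS.items()
                  if click.signals.get(k) is not None
                  and click.signals.get(k) == install.signals.get(k))
    return overlap * (1 - 0.5 * (install.ts - click.ts) / WINDOW_S)

def attribute(install, clicks):
    """Return a record that always names the method used."""
    recent = [c for c in clicks if 0 <= install.ts - c.ts <= WINDOW_S]
    # 1. Deterministic: exact advertising-ID match, latest click wins.
    exact = [c for c in recent if install.ad_id and c.ad_id == install.ad_id]
    if exact:
        return {"method": "deterministic", "confidence": 1.0,
                "click": max(exact, key=lambda c: c.ts)}
    # 2. Probabilistic fallback: best-scoring click above the threshold.
    scored = sorted(((confidence(c, install), c) for c in recent),
                    key=lambda t: t[0], reverse=True)
    if not scored or scored[0][0] < THRESHOLD:
        return {"method": "organic", "confidence": 0.0, "click": None}
    if len(scored) > 1 and scored[0][0] - scored[1][0] < MARGIN:
        # Shared IP or identical device models: two candidates look alike,
        # so refuse to guess rather than risk a false positive.
        return {"method": "organic", "confidence": 0.0, "click": None}
    return {"method": "probabilistic", "confidence": scored[0][0],
            "click": scored[0][1]}
```

Reporting an ambiguous match as organic loses some coverage, but it keeps a second user on the same network from inheriting someone else's click.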
Privacy Trade-offs
The privacy trade-off between the two methods is not as simple as "deterministic bad, probabilistic good" or vice versa.
Deterministic attribution with IDFA requires explicit user consent on iOS. If you have consent, the data collection is lawful under ATT and (if handled correctly) under GDPR. The user said yes to tracking.
Probabilistic attribution does not require a persistent identifier, but it does involve collecting and combining signals that can constitute personal data under GDPR. An IP address is personal data under EU law. Combining IP, user agent, and timestamp to identify an individual may require a lawful basis under GDPR Article 6, and may require disclosure in your privacy policy.
The UK ICO's guidance on device fingerprinting is explicit that fingerprinting can constitute tracking even without a cookie or device ID. Treat probabilistic attribution data with the same care as any other personal data.
Apple's own position is worth understanding here. The App Store Review Guidelines prohibit deriving a device identifier from device signals to track users across apps or websites without ATT consent. Fingerprinting that is designed to circumvent ATT violates these guidelines, even if it doesn't use the IDFA.
This puts probabilistic attribution in a narrow lane: it's appropriate as a fallback when no identifier is available, and the fingerprint should not be stored as a persistent identifier for cross-app tracking purposes.
Impact on Deep Link Attribution Specifically
For deferred deep links, the method used affects more than just campaign analytics. It affects the user experience directly: whether the user arrives at the right in-app destination.
With deterministic attribution, if the IDFA is present and the attribution matches, the deferred link parameters are delivered with high confidence. The user goes to the right place.
With probabilistic attribution, there's a chance of a false positive: the wrong user gets attributed to a click, and a deferred link intended for User A is delivered to User B. If the link carries a personal referral code or a one-time discount, this creates a real product problem.
Mitigating false positives with probabilistic attribution:
- Use shorter attribution windows for link types that carry sensitive parameters.
- Validate parameters server-side before applying them (check that a referral code hasn't already been used).
- Log which attribution method was used for each install, and filter downstream reports accordingly.
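The three mitigations above as a single server-side gate, shown as an added example rather than any vendor's implementation. The record fields, the set of sensitive parameter names, the per-method age limits and the in-memory `CodeStore` are all assumptions.

```python
SENSITIVE_KEYS = {"referral_code", "discount_code"}
# Assumed maximum click-to-install age, in seconds, for sensitive parameters:
# a much shorter window when the match was only probabilistic.
SENSITIVE_MAX_AGE_S = {"deterministic": 7 * 24 * 3600, "probabilistic": 3600}

class CodeStore:
    """In-memory stand-in for the server-side table of issued codes."""
    def __init__(self, issued):
        self._unused = set(issued)

    def is_unused(self, code):
        return code in self._unused

    def mark_used(self, code):
        self._unused.discard(code)

def resolve_deferred_params(record, params, store, audit_log):
    """Return the deferred-link parameters that are safe to deliver."""
    method = record["method"]
    # Unknown methods get no sensitive parameters at all.
    max_age = SENSITIVE_MAX_AGE_S.get(method, 0)
    delivered, withheld = {}, []
    for key, value in params.items():
        if key not in SENSITIVE_KEYS:
            delivered[key] = value          # e.g. the in-app destination
        elif record["click_age_s"] <= max_age and store.is_unused(value):
            delivered[key] = value          # fresh enough and not yet redeemed
        else:
            withheld.append(key)
    # Record the method with every decision so reports can filter on it.
    audit_log.append({"install_id": record["install_id"], "method": method,
                      "confidence": record["confidence"],
                      "withheld": sorted(withheld)})
    return delivered
```

The user still lands on the right screen when a sensitive parameter is withheld; only the referral or discount value is dropped.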
For a deeper look at how deferred linking works overall, see the Tolinku attribution guide.
Implementation Approaches
If you're building or evaluating an attribution solution, you need to decide how to handle both methods.
Option 1: SDK with Automatic Fallback
The most practical approach for most teams is an SDK that handles deterministic attribution when the identifier is available and falls back to probabilistic automatically. This is what Tolinku does by default.
The SDK requests ATT permission (you control when the prompt appears), collects the IDFA if granted, and uses it for the match. If ATT is denied, the SDK uses the probabilistic fingerprint instead. The attribution record notes which method was used.
Option 2: Server-Side Attribution
For apps with authenticated users, server-side attribution using a logged-in identity is the most accurate method and the most privacy-compliant. If your users log in before clicking a link (email campaigns to existing users, for example), you can attribute the install by matching the logged-in session to the pre-click identity.
This requires more infrastructure, but it's deterministic without any dependency on IDFA or device signals.
Option 3: Attribution via SKAdNetwork (iOS Only)
SKAdNetwork is Apple's own attribution framework. It provides deterministic install attribution without exposing the device ID to third parties. Instead, Apple aggregates and delivers attribution data directly, with delays and privacy thresholds.
SKAdNetwork works well for understanding campaign-level performance, but it does not deliver per-user parameters. It can't power deferred deep linking for individual users. It's a complement to SDK-based attribution, not a replacement for it.
Choosing Between Methods
In practice, you don't choose one or the other. You implement both, with deterministic as the preferred method and probabilistic as the fallback.
What you can control:
- ATT prompt timing and copy: The prompt for ATT consent is your only lever for IDFA availability. Apps that show the prompt at the right moment (after demonstrating app value, not on first launch) consistently see higher opt-in rates. See Apple's human interface guidelines on ATT for their recommendations.
- Attribution window length: Shorter windows improve probabilistic accuracy. A 24-hour window is more accurate than a 7-day window for probabilistic matching.
- Fallback handling in the app: When probabilistic attribution is used, you may want to add extra validation before applying deferred link parameters, particularly for referral codes.
For most mobile apps running paid campaigns, the split will be roughly 30-50% deterministic (ATT-consented iOS users plus Android users with GAID) and 50-70% probabilistic. The overall attribution coverage, combining both methods, typically reaches 80-95% of installs.
The mobile attribution developer's guide covers the full attribution pipeline if you want to go deeper on implementation specifics.
Summary
Deterministic attribution is accurate but limited by identifier availability. Probabilistic attribution fills the gap but introduces uncertainty and privacy considerations. The practical answer is layering both, with clear logic for which method was used and appropriate handling for each in your app.
Post-ATT, probabilistic attribution isn't optional. It's the default for a majority of your iOS users. Understanding how it works, where it fails, and how to validate the results is now a core skill for any mobile engineering team.