Introduction to the Privacy Sandbox on Android


Mobile apps have become a fundamental part of people's lives. Currently, over 90% of the apps on Google Play are free, providing access to valuable content and services to billions of users. Digital advertising plays a key role in making this possible. But in order to ensure a healthy app ecosystem — benefiting users, developers and businesses — the industry must continue to evolve how digital advertising works to improve user privacy.

Three years ago, Google announced the Privacy Sandbox initiative to help improve user privacy on the web. Our proposal is to bring the Privacy Sandbox to Android, providing a clear path forward to improve user privacy without putting access to free content and services at risk.

Our goal with the Privacy Sandbox on Android is to develop effective and privacy-enhancing advertising solutions, where users know their privacy is protected, and developers and businesses have the tools to succeed on mobile. While we design, build and test these new solutions, we plan to support existing ads platform features—including advertising ID—for at least two years, and will provide substantial notice ahead of any future changes.

To achieve this goal, the Privacy Sandbox on Android proposes to introduce two key solutions: an SDK Runtime and a set of privacy-preserving APIs.

SDK Runtime

The Android platform uses the concept of app sandboxing to maintain robust execution and security boundaries for app code along process boundaries. It is common practice for apps to include third-party code, often in the form of SDKs such as ads SDKs or analytics SDKs. This reuse lets app developers focus on what differentiates their app while leveraging the work of subject matter experts to scale their execution beyond what they could easily do on their own.

In Android, SDKs are executed within the host app's sandbox and inherit the same privileges and permissions as their host app, as well as access to the host app's memory and storage. While this architecture lets SDKs and apps integrate flexibly, it also creates the potential for undisclosed user data collection and sharing. Moreover, app developers may not be fully aware of the extent of a third-party SDK's functionality and the data it accesses, which makes it challenging to account for the data collection and sharing practices of their app.

In Android 13, we plan to add a new platform capability where third-party SDKs can run in a dedicated runtime environment. The SDK Runtime would have a modified execution environment and well-defined permissions and data access rights for SDKs, providing stronger safeguards and guarantees around user data collection and sharing.

Learn more about the SDK Runtime in the design proposal.

Privacy-preserving APIs

In order to support core advertising use cases without reliance on cross-app identifiers, the Privacy Sandbox on Android proposes a set of APIs that enable ads personalization and measurement in a more private way.

These APIs protect user privacy through a combination of techniques such as retaining selected private data and processing on-device, aggregation and randomizing of data, and on-device ad selection. These API designs align closely with the corresponding efforts by the Privacy Sandbox for the Web to ensure consistency in the approach and the desired outcome, while taking into account the differences in browser and app technologies.

The initial design proposals include three core use cases:

  • Topics infers coarse-grained interest signals, called topics, based on the apps on a user's device. Advertising SDKs may use these topics as an input to serve ads to relevant users.
  • Protected Audience introduces a new way to show ads based on "custom audiences" defined by app developers and the interactions within their app. The solution stores this information and associated ads locally, and provides a framework to orchestrate ad selection workflows.
  • Attribution Reporting supports the measurement of conversions, machine learning optimization use cases like predicted conversion-rate model building, and invalid activity detection.

Learn more and share feedback

The SDK Runtime and privacy-preserving APIs will be developed as part of the Android Open Source Project, providing transparency into the design and implementation of these solutions.

Android will collaborate with the entire industry and app ecosystem on the journey to a more privacy-first mobile platform, and one which supports a rich diversity of value-exchange that benefits users, developers, and advertisers. As the Privacy Sandbox on Android evolves, we will ensure that frequent updates are provided and the entire ecosystem will be able to provide feedback on the proposals.