Branch

Branch is a mobile linking and attribution platform that provides deep linking, deferred deep linking, and cross-platform measurement through SDKs that collect device identifiers, click data, and user journey signals — including pasteboard access via NativeLink for iOS attribution.

129 IOCs
0
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what Branch discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Analysis pending. Findings will appear here once intelligence collection is complete.

Disclosure Gaps

Claims vs. Observed Behavior

1 gap

pending

UNKNOWN
They Claim

Requires claims extraction via CDT

Observed Behavior

Live website analysis pending

Customer Impact

What This Means For You

Organizations using Branch face concentration risk: deep linking and attribution are unified in a single vendor, meaning a Branch outage or data integrity issue simultaneously disrupts user experience and marketing measurement. This creates operational fragility that is difficult to mitigate without maintaining parallel linking infrastructure.

Compliance teams must evaluate NativeLink's pasteboard access against their consent architecture. iOS 16+ makes this access visible to users through permission prompts, which can create user confusion and trust erosion if the clipboard access appears unexpected. Organizations in regulated industries should assess whether pasteboard-based attribution aligns with their data minimization requirements.

The third-party data sharing model creates downstream liability. When Branch shares device-level data or PII with advertising partners, the organization is responsible for ensuring proper consent and data processing agreements cover these downstream flows. Branch's documentation explicitly states that customers must review each integration partner's terms — placing the compliance burden on the customer rather than the platform.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

Recommended Actions for Branch

  • Audit Branch SDK privacy controls and ensure Do-Not-Track flags are properly configured for users who have not consented to tracking.
  • Evaluate NativeLink pasteboard access against your consent framework and consider whether clipboard-based attribution aligns with your privacy posture.
  • Review all active third-party integrations and verify that data processing agreements cover each partner receiving user data through Branch.
  • Implement independent attribution validation to cross-reference Branch's credit assignments against server-side conversion data.
  • Assess concentration risk from unified linking and attribution, and document contingency procedures for Branch service disruptions.

Negotiation Leverage

  • Leverage: Branch competes directly with Adjust, AppsFlyer, Singular, and Kochava for attribution, and with Firebase Dynamic Links and URL shorteners for deep linking. The unified linking-plus-attribution value proposition creates switching costs, but individual capabilities can be replaced. Use the competitive landscape to negotiate data minimization and retention terms.
  • Key questions for Branch: (1) What specific data elements does NativeLink read from the pasteboard beyond the deep link URL? (2) Which third-party integrations require PII in plaintext, and what contractual protections exist for that data downstream? (3) Can we obtain audit logs showing which partners received our users' data through Branch integrations? (4) What is Branch's data retention period for device-level attribution data?
  • Contractual protections to seek: Explicit limitations on pasteboard data access scope; contractual requirement that Branch enforce data minimization with downstream integration partners; right to audit data flows to third-party partners; SLA guarantees covering both linking uptime and attribution data integrity; notification requirements for changes to NativeLink methodology or partner data sharing terms.

IOC Manifest

129 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Branch integrates with the major advertising and analytics ecosystem through its Universal Ads platform. Direct integrations include Meta Ads, Google Ads, Apple Search Ads, Snap, TikTok, Twitter/X, Pinterest, and dozens of additional ad networks and DSPs. Branch also provides integrations with analytics platforms, CRM systems, and marketing automation tools for downstream data consumption.

Branch's ecosystem positioning is unique because it controls both the linking infrastructure (how users navigate between web and app) and the measurement layer (how marketing credit is assigned). This means Branch has visibility into the complete user journey from ad click through deep link through in-app conversion — a data position that few other vendors occupy. Branch processes billions of deep links annually, giving it aggregate visibility into cross-app user behavior patterns at scale.

Data flows through Branch's ecosystem via SDK callbacks, server-side postbacks, and webhook integrations. For third-party integrations, Branch explicitly notes that many partners require PII in plaintext for their services to function. This creates a data supply chain where user identity and behavioral data passes through Branch to advertising partners with varying data protection standards and retention policies.

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

129 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details