Security for mobile apps

To protect your mobile application's security and your users' data privacy, New Relic Mobile only records performance data. We do not collect any data used or stored by the monitored app.

This document describes additional security considerations for mobile apps. For more information about New Relic's security measures, see our security and data privacy documentation, or visit the New Relic security website.

Data collection

The New Relic Mobile agent is compiled into your iOS or Android app and runs inside that app's sandbox. The operating system therefore confines it exactly as it confines your own code: it cannot read other apps' data or reach outside the app's process, and by design it collects only the performance data listed below. We do not collect performance data about the device itself, such as battery level.

Our SDK agent collects and sends specific data to the New Relic collector, including:

  • Length of application session
  • URLs of HTTP requests, along with HTTP status code, response time, and size of the request and response body
  • Operating system error code for network failures (HTTP requests that fail to complete)
  • The first 2KB of the response body when the HTTP request receives a 4xx or 5xx response status code
  • A stack trace when the HTTP request receives a 4xx or 5xx response status code (Android only)
  • Wireless carrier's name
  • The device's model name and manufacturer, and its operating system version
  • Certain package, class, method, and thread names
  • A unique instance identifier

New Relic Mobile sends all data over HTTPS and validates the TLS certificate presented by the New Relic collector, which mitigates passive eavesdropping and server impersonation on the network path. Before a URL is sent, the agent removes its query string, fragment identifier, username, and password; the scheme, host, port, and path are kept. Note that the 4xx/5xx response-body sample listed above is sent as captured, so review what your error responses contain rather than relying on URL scrubbing alone.
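The following is an added example, not New Relic agent code, showing what one request record looks like once the two rules above are applied: the URL is scrubbed of query string, fragment and userinfo, and only the first 2KB of a 4xx/5xx response body is kept. The record's field names, the scrubUrl and buildRequestRecord helpers, and the sample request are all assumptions made for illustration; the agent's real wire format is not shown on this page.

```javascript
// Added example (not New Relic agent code): apply the URL-scrubbing and
// error-body truncation rules described in the text to one HTTP request.
const MAX_ERROR_BODY_BYTES = 2048; // "first 2KB" of a 4xx/5xx response body

// Strip query string, fragment, username and password; keep scheme, host,
// port and path. Returns null for input that is not an absolute URL.
function scrubUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return null;
  }
  url.search = '';
  url.hash = '';
  url.username = '';
  url.password = '';
  return url.toString();
}

// Build the record that would be reported for one request. Field names are
// assumed for illustration, not the agent's actual schema.
function buildRequestRecord({ url, status, responseTimeMs, requestBody, responseBody }) {
  const record = {
    url: scrubUrl(url),
    status,
    responseTimeMs,
    requestBytes: Buffer.byteLength(requestBody || '', 'utf8'),
    responseBytes: Buffer.byteLength(responseBody || '', 'utf8'),
  };
  if (status >= 400 && status <= 599) {
    // Only the first 2KB of an error body is kept. The sample is taken as-is,
    // so an error page that echoes request parameters is captured with it.
    record.errorBody = Buffer.from(responseBody || '', 'utf8')
      .subarray(0, MAX_ERROR_BODY_BYTES)
      .toString('utf8');
  }
  return record;
}

// Constructed sample input: a failed login whose URL carries credentials in
// both the userinfo part and the query string.
const SAMPLE = {
  url: 'https://alice:s3cret@api.example.com:8443/v1/login?session=abc123#step2',
  status: 503,
  responseTimeMs: 412,
  requestBody: '{"user":"alice"}',
  responseBody: 'Service unavailable. '.repeat(200), // 4200 bytes, gets cut to 2048
};

console.log(JSON.stringify(buildRequestRecord(SAMPLE), null, 2));
```

The scrubbed URL keeps the non-default port and the path, so a practitioner reviewing outbound telemetry can still tell which endpoint failed, but neither the session token nor the credentials leave the device in the URL field.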

Unique identifiers

Our Mobile SDK agent assigns a unique identifier to each installed app instance in order to track discrete installs, identify recurring sessions, and correlate performance over time.

iOS

How the identifier is derived depends on the agent version:

  • In versions 5.3.5 or higher, the Mobile iOS agent uses UIDevice's identifierForVendor property. This value is scoped to the app vendor on that device rather than to the hardware: it is shared by all of one vendor's apps and is reset once the last of those apps is uninstalled.
  • In versions 5.3.4 or lower, Mobile for iOS used the SecureUDID open source library. SecureUDID is used by many third-party libraries and is widely accepted as compliant with Apple App Store guidelines. It does not use device hardware identifiers such as the IMEI.

For more information, see the iOS compatibility and requirements documentation.

Android

The Mobile Android agent generates a cryptographically strong UUID on first run and stores it in the app's SharedPreferences, which live in the app's private data directory and are not readable by other apps. For more information, see the Android compatibility and requirements documentation.

React Native

The React Native agent generates the same identifiers that are used for Android and iOS mobile applications, ensuring the same levels of data security that our other Mobile products provide. For more information, see the React Native compatibility and requirements documentation.

No remote updates

New Relic Mobile has no mechanism for updating mobile agents remotely: the agent code in your app is the code you compiled into that build, and nothing is downloaded or changed at runtime. Using the agent will not introduce any code into your mobile app without your knowledge.

Data storage

Our Mobile SDK agent stores configuration information using your app's normal preferences or settings API on the mobile device. This configuration includes your:

  • Application token
  • Application version number
  • New Relic Mobile SDK agent version number
  • Settings such as the maximum number of HTTP requests to track per minute

Performance data is buffered in memory but never written to the device's storage.

Server-side data storage for mobile apps is handled in the same way as all other applications monitored by New Relic Mobile. For more information, see New Relic's security documentation about hosting and data storage.

In general, we retain performance data according to the more generous time period of either your web or your mobile subscription. We also retain aggregate records of the number of active instances of your application.

Instrumentation added to your code

Our Mobile SDK agent injects code into certain method calls within your application in order to collect performance data. This can have the effect of adding stack frames to your application's call graph where our code executes. This allows us to time and monitor the inputs and outputs of various APIs.

This added code has been reviewed and tested for security-related flaws, and it incorporates best practices related to secure coding. Because our code runs within your application's process, it is subject to the same rights and restrictions as your own code.

In addition, Mobile's iOS agent registers an NSURLProtocol handler to track NSURLConnection-based networking activity. This instrumentation is compatible with other custom NSURLProtocol handlers your application may register. The handler is registered within a single application process, so it is unable to monitor networking requests originating from other applications or the underlying operating system.

User's IP address

Our Mobile SDK agent captures the user's IP address and uses it only as a lookup key: the address is mapped to the attributes below, which are attached to the event so that customers can diagnose performance issues by location. The attributes derived from the lookup are:

  • App name
  • Country code
  • Region
  • Postal code
  • Latitude
  • Longitude
  • Area code

For more information about Mobile events and attributes, see New Relic's data dictionary.

New Relic does not retain the user's IP address once the attributes have been mapped: the address is not stored with the event, and the cached value used for the lookup is held in memory for at most six hours before being discarded.
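To make the retention rule above concrete, here is an added example (not New Relic code) of an enrichment cache with that behaviour: the IP address is used as a cache key for at most six hours and is never copied onto the event, while the mapped attributes are. The IpEnricher class, the geo lookup table (RFC 5737 documentation addresses with invented attributes) and the sample event are all constructed for this illustration.

```javascript
// Added example, not New Relic code: IP-to-attribute enrichment where the IP
// lives only in a time-limited cache and never on the stored event.
const IP_CACHE_TTL_MS = 6 * 60 * 60 * 1000; // six hours, per the text

// Constructed lookup table standing in for a geo-IP database.
const GEO_LOOKUP = {
  '203.0.113.7': { countryCode: 'US', region: 'California', postalCode: '94105',
                   latitude: 37.79, longitude: -122.39, areaCode: '415' },
  '198.51.100.9': { countryCode: 'DE', region: 'Berlin', postalCode: '10115',
                    latitude: 52.53, longitude: 13.38, areaCode: '30' },
};

class IpEnricher {
  constructor(lookup = GEO_LOOKUP, ttlMs = IP_CACHE_TTL_MS) {
    this.lookup = lookup;
    this.ttlMs = ttlMs;
    this.cache = new Map(); // ip -> { attrs, storedAt }
  }

  // Resolve ip to attributes, reusing a cache entry younger than the TTL.
  resolve(ip, now = Date.now()) {
    const hit = this.cache.get(ip);
    if (hit && now - hit.storedAt < this.ttlMs) return hit.attrs;
    const attrs = this.lookup[ip] ? { ...this.lookup[ip] } : null;
    this.cache.set(ip, { attrs, storedAt: now });
    return attrs;
  }

  // Evict every IP that has been cached for the full TTL; returns how many remain.
  sweep(now = Date.now()) {
    for (const [ip, entry] of this.cache) {
      if (now - entry.storedAt >= this.ttlMs) this.cache.delete(ip);
    }
    return this.cache.size;
  }

  // The stored event carries the mapped attributes but never an 'ip' field,
  // even if the caller passed one in.
  enrichEvent(event, ip, now = Date.now()) {
    const out = { ...event };
    delete out.ip;
    const attrs = this.resolve(ip, now);
    return attrs ? { ...out, ...attrs } : out;
  }
}

// Constructed sample: one session event, then a sweep six hours later.
const enricher = new IpEnricher();
const t0 = Date.UTC(2024, 0, 1);
console.log(enricher.enrichEvent({ appName: 'demo-app', sessionMs: 1500 }, '203.0.113.7', t0));
console.log('cached IPs after sweep:', enricher.sweep(t0 + IP_CACHE_TTL_MS));
```

When auditing this kind of pipeline, the two things to assert are the ones the test below checks: no event object ever carries the raw address, and a sweep at the TTL boundary leaves the cache empty.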

Please consult with your privacy or legal teams with regards to your notice and consent regulatory obligations for this use of IP addresses.
