Security for mobile apps

To protect your mobile application's security and your users' data privacy, New Relic only records performance data, as described in this document. We do not collect any data used or stored by the monitored app. For more information about New Relic's security measures, see our security and data privacy documentation, or visit the New Relic security website.

Data collection

When you install New Relic, our mobile monitoring capabilities become part of your iOS or Android app. These capabilities live within your application's "sandbox," so they cannot access anything other than performance data from your mobile app. We do not collect performance data about the device itself, such as battery level.

Our mobile SDK agent collects and sends specific data to the New Relic collector, including:

Mobile data collected Comments
Devices
  • Length of application session
  • Wireless carrier's name
  • The device's model name and manufacturer, and its operating system version
  • Certain package, class, method, and thread names
  • A unique instance identifier
Requests and responses
  • URLs of HTTP requests, along with HTTP status code, response time, and size of the request and response body
  • Operating system error code for network failures (HTTP requests that fail to complete)
  • The first 2KB of the response body when the HTTP request receives a 4xx or 5xx response status code
  • Android only: A stack trace when the HTTP request receives a 4xx or 5xx response status code

The agent sends all data using HTTPS encryption and validates the collector's SSL certificate. This prevents common data sniffing and server spoofing attacks. The agent also removes the query string, fragment identifier, username, and password from each URL before sending the data.

Secure data endpoints

Our mobile SDK agent sends harvested data to the collectors for processing. You can redirect those data posts to proxy or delegate servers for secure data handling.

Unique identifiers

Our mobile SDK agent assigns a unique identifier to each installed app instance in order to track discrete installs, identify recurring sessions, and correlate performance over time.

Mobile agent Identifiers
Android

Our Android agent generates a cryptographically strong UUID and stores it in the app's SharedPreferences. For more information, see our Android compatibility and requirements documentation.

iOS

The security measures used for iOS depend on the agent version.

  • In versions 5.3.5 or higher, the iOS agent uses the IdentifierForVendor property to provide a unique device ID.
  • In versions 5.3.4 or lower, the iOS agent used the SecureUDID open source library. SecureUDID is used by many third party libraries and is an accepted industry standard that does not violate Apple App store guidelines. SecureUDID does not use device hardware identifiers such as IMEI.

For more information, see our iOS compatibility and requirements documentation.

No remote updates

New Relic does not have the ability to update mobile agents remotely. Using the agent will not introduce any code into your mobile app without your knowledge.

Data storage

Our mobile SDK agent stores configuration information using your app's normal preferences or settings API on the mobile device. This configuration includes your:

  • Application token
  • Application version number
  • Android or iOS SDK agent version number
  • Settings such as the maximum number of HTTP requests to track per minute

Performance data is buffered in memory. It is never written to the device's storage.

Server-side data storage for mobile apps is handled in the same way as all other applications monitored by New Relic. For more information, see our security documentation about hosting and data storage.

In general, we retain performance data according to the more generous time period of either your web or your mobile subscription. We also retain aggregate records of the number of active instances of your application.

Instrumentation added to your code

Our mobile SDK agent injects code into certain method calls within your application in order to collect performance data. This can have the effect of adding stack frames to your application's call graph where our code executes. This allows us to time and monitor the inputs and outputs of various APIs.

This added code has been reviewed and tested for security-related flaws, and it incorporates best practices related to secure coding. Because our code runs within your application's process, it is subject to the same rights and restrictions as your own code.

In addition, our iOS agent registers an NSURLProtocol handler to track NSURLConnection-based networking activity. This instrumentation is compatible with other custom NSURLProtocol handlers your application may register. The handler is registered within a single application process, so it is unable to monitor networking requests originating from other applications or the underlying operating system.

User's IP address

Our mobile SDK agent captures the user's IP address to enrich data for additional user information. The IP address is used as a lookup value that maps to additional details and allows our customers to diagnose performance issues. IP address lookup values include:

  • App name
  • Country code
  • Region
  • Postal code
  • Latitude
  • Longitude
  • Area code

For more information about events and attributes for mobile monitoring, see our data dictionary.

New Relic does not retain the user's IP address after the attributes have been mapped. The IP address value is cached in memory for up to six hours before being discarded. If you have questions or concerns about this use of IP addresses with regards to your own regulatory obligations for notice and consent, please contact your privacy or legal teams.

For more help

If you need more help, check out these support and learning resources: