Security for mobile apps

To protect your mobile application's security and your users' privacy, the New Relic Mobile product only records performance data. New Relic Mobile does not collect any data used or stored by the monitored app.

This document describes additional security considerations for mobile apps. For more information about New Relic's security measures, see our security and privacy documentation, or visit the New Relic security website.

Data collection

The New Relic Mobile product is part of your iOS or Android app and lives within the application's "sandbox," so it cannot access anything other than performance data from your mobile app. The New Relic Mobile SDK agent collects and sends specific data to the New Relic collector, including:

  • Length of application session
  • URLs of HTTP requests, along with HTTP status code, response time, and size of the request and response body
  • Operating system error code for network failures (HTTP requests that fail to complete)
  • The first 2KB of the response body when the HTTP request receives a 4xx or 5xx response status code
  • A stack trace when the HTTP request receives a 4xx or 5xx response status code (Android only)
  • Wireless carrier's name
  • The device's model name and manufacturer, and its operating system version
  • Certain package, class, method, and thread names
  • A unique instance identifier

New Relic Mobile sends all data over HTTPS and validates the SSL certificate of the New Relic collector, which protects against common data-sniffing and server-spoofing attacks. The agent removes the query string, fragment identifier, username, and password from each URL before sending the data.
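The following is an added example, not New Relic agent code, showing how the HTTP-request record described above can be assembled: the URL is scrubbed of query string, fragment, username and password, the body is captured only for 4xx/5xx responses and cut at 2 KB, and a failed request records an OS error code instead of a status. Function names and the record fields are assumptions.

```python
"""Added example (not New Relic's agent code): build the per-request record
described on this page from a URL and an HTTP response.  Field names and
function names are invented for illustration."""
from urllib.parse import urlsplit, urlunsplit

ERROR_BODY_LIMIT = 2048  # only the first 2KB of an error response body is kept


def scrub_url(url: str) -> str:
    """Drop the query string, fragment, username and password from a URL.

    Only scheme, host, optional port and path survive, so credentials or
    session tokens embedded in the URL never reach the collector.
    """
    parts = urlsplit(url)
    netloc = parts.hostname or ""          # hostname excludes user:password@
    if parts.port is not None:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, "", ""))


def build_request_record(url, status_code, response_time_ms,
                         request_size, response_body: bytes, os_error=None):
    """Return the record the page describes for one HTTP request.

    status_code is None when the request failed to complete; in that case
    the operating system error code is recorded instead of a status.
    """
    record = {
        "url": scrub_url(url),
        "status_code": status_code,
        "response_time_ms": response_time_ms,
        "bytes_sent": request_size,
        "bytes_received": len(response_body),
    }
    if status_code is None:
        record["os_error_code"] = os_error
    elif 400 <= status_code <= 599:
        # Error responses: keep a bounded prefix of the body for diagnosis.
        record["response_body"] = response_body[:ERROR_BODY_LIMIT]
    return record
```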

Unique identifiers

The New Relic Mobile agent assigns a unique identifier to each installed app instance in order to track discrete installs, identify recurring sessions, and correlate performance over time.

Mobile agent: iOS
  • In versions 5.3.5 or higher, the Mobile iOS agent uses the identifierForVendor property to provide a unique device ID.
  • In versions 5.3.4 or lower, Mobile for iOS used the SecureUDID open-source library. SecureUDID is used by many third-party libraries and is an accepted industry standard that does not violate Apple App Store guidelines. SecureUDID does not use device hardware identifiers such as IMEI.
Mobile agent: Android
  • The Mobile Android agent generates a cryptographically strong UUID and stores it in the app's SharedPreferences.

No remote updates

New Relic Mobile does not have the ability to update mobile agents remotely. Using the agent will not introduce any code into your mobile app without your knowledge.

Data storage

The New Relic Mobile SDK agent stores configuration information using your app's normal preferences or settings API on the mobile device. This configuration includes your:

  • Application token
  • Application version number
  • New Relic Mobile SDK agent version number
  • Settings such as the maximum number of HTTP requests to track per minute

Performance data is buffered in memory but never written to the device's storage.

Server-side data storage for mobile apps is handled in the same way as all other applications monitored by New Relic Mobile. For more information, see New Relic's security documentation about hosting and data storage.

In general, New Relic Mobile retains performance data according to the more generous time period of either your web or your mobile subscription. New Relic Mobile also retains aggregate records of the number of active instances of your application.

Instrumentation added to your code

The New Relic Mobile SDK agent injects code into certain method calls within your application in order to collect performance data. This can have the effect of adding stack frames to your application's call graph in which New Relic Mobile code executes to time and monitor the inputs and outputs of various APIs.

This added code has been reviewed and tested for security-related flaws, and it incorporates best practices related to secure coding. As New Relic Mobile code runs within your application's process, it is subject to the same rights and restrictions as your own code.

In addition, the iOS agent for New Relic Mobile registers an NSURLProtocol handler to track NSURLConnection-based networking activity. This instrumentation is compatible with other custom NSURLProtocol handlers your application may register. The handler is registered within a single application process, so it is unable to monitor networking requests originating from other applications or the underlying operating system.

User's IP address

The New Relic Mobile agent captures the user's IP address in order to enrich the collected data with additional user information. The IP address is used only as a lookup value that maps to additional details and allows New Relic customers to diagnose performance issues. IP address lookup values include:

  • Country name
  • Country code
  • City
  • Region
  • Postal code
  • Latitude
  • Longitude
  • Area code

New Relic does not retain the user's IP address after the attributes have been mapped. The IP address value is cached in memory for up to six hours before being discarded.
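As an added example (not New Relic's code), the following sketches the lookup-then-discard pattern described above: the IP address is used as an in-memory cache key with a six-hour lifetime, the geo attributes listed on this page are copied into the event, and the IP itself is never written into the stored record. The geo table, clock injection and function names are constructed for the example.

```python
"""Added example (not New Relic's code): enrich an event with geo attributes
while keeping the client IP only in a short-lived in-memory cache."""
import time

IP_CACHE_TTL_SECONDS = 6 * 60 * 60  # "up to six hours", per the page

# Constructed stand-in for a real IP-to-location database (RFC 5737 test address).
GEO_TABLE = {
    "203.0.113.7": {
        "country_name": "Example Land", "country_code": "EX", "city": "Sample City",
        "region": "Sample Region", "postal_code": "00000",
        "latitude": 0.0, "longitude": 0.0, "area_code": "000",
    },
}


class IpLookupCache:
    """Maps IP -> attributes, forgetting each IP once its TTL has elapsed."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock            # injectable so tests can advance time
        self._entries = {}             # ip -> (expiry_timestamp, attributes)

    def purge_expired(self):
        now = self._clock()
        for ip in [ip for ip, (exp, _) in self._entries.items() if exp <= now]:
            del self._entries[ip]

    def lookup(self, ip):
        self.purge_expired()
        hit = self._entries.get(ip)
        if hit is None:
            attrs = GEO_TABLE.get(ip, {})
            self._entries[ip] = (self._clock() + IP_CACHE_TTL_SECONDS, attrs)
            return attrs
        return hit[1]

    def cached_ips(self):
        return set(self._entries)


def enrich_event(event: dict, client_ip: str, cache: IpLookupCache) -> dict:
    """Return a copy of event with mapped geo attributes; the IP is not stored."""
    enriched = dict(event)
    enriched.update(cache.lookup(client_ip))
    return enriched
```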
