To protect your mobile application's security and your users' data privacy, New Relic Mobile only records performance data. We do not collect any data used or stored by the monitored app.
This document describes additional security considerations for mobile apps. For more information about New Relic's security measures, see our security and data privacy documentation, or visit the New Relic security website.
The New Relic Mobile product is part of your iOS or Android app and lives within the application's "sandbox," so it cannot access anything other than performance data from your mobile app. We do not collect performance data about the device itself, such as battery level.
Our SDK agent collects and sends specific data to the New Relic collector, including:
- Length of application session
- URLs of HTTP requests, along with HTTP status code, response time, and size of the request and response body
- Operating system error code for network failures (HTTP requests that fail to complete)
- The first 2KB of the response body when the HTTP request receives a 5xx response status code
- A stack trace when the HTTP request receives a 5xx response status code (Android only)
- Wireless carrier's name
- The device's model name and manufacturer, and its operating system version
- Certain package, class, method, and thread names
- A unique instance identifier
New Relic Mobile sends all data using HTTPS encryption and validates the SSL certificate of the New Relic collector. This will prevent common data sniffing and server spoofing attacks. The agent removes the query string, fragment identifier, username, and password from each URL before sending the data.
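The URL scrubbing described above, sketched as an added example that is not New Relic's agent code; `scrubUrl`, `suspectPathSegments` and the match patterns are hypothetical. It removes the four listed components and then flags path segments that look like identifiers or secrets, since path segments are not among the components removed.

```javascript
// Added example, not New Relic agent code; function names are hypothetical.

// Drop the four components listed above: query string, fragment identifier,
// username and password. Returns null for input that does not parse.
function scrubUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (err) {
    return null; // never fall back to reporting the raw string
  }
  u.username = u.password = u.search = u.hash = '';
  return u.toString();
}

// Path segments survive this scrub, so look for ones that resemble
// identifiers or secrets. The patterns are illustrative assumptions.
const SUSPECT_SEGMENT = [
  /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i, // UUID
  /^[A-Za-z0-9_-]{24,}$/,                          // long token-like run
  /^[^@\s]+@[^@\s]+\.[^@\s]+$/,                    // e-mail address
];

function safeDecode(segment) {
  try {
    return decodeURIComponent(segment);
  } catch (err) {
    return segment; // malformed percent-encoding: test the raw text
  }
}

function suspectPathSegments(scrubbed) {
  return new URL(scrubbed).pathname
    .split('/')
    .filter(Boolean)
    .map(safeDecode)
    .filter((seg) => SUSPECT_SEGMENT.some((re) => re.test(seg)));
}

// Constructed sample URLs (example.com is a placeholder host).
const samples = [
  'https://alice:s3cret@api.example.com/v1/orders?session=abc123#top',
  'https://api.example.com/reset/3f9a1c0e7b2d4f6a8c1e5d7b9a0c2e4f',
  'https://api.example.com/users/bob%40example.org/profile',
];
for (const raw of samples) {
  const clean = scrubUrl(raw);
  console.log(clean, suspectPathSegments(clean));
}
```

Running a check like this over your app's own endpoint list shows which routes would still carry user-identifying values in reported URLs.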
Our Mobile SDK agent assigns a unique identifier to each installed app instance in order to track discrete installs, identify recurring sessions, and correlate performance over time.
|Android||The Mobile Android agent generates a cryptographically strong UUID and stores it in the app's
|React Native||The React Native agent generates the same identifiers that are used for Android and iOS mobile applications.|
No remote updates
New Relic Mobile does not have the ability to update mobile agents remotely. Using the agent will not introduce any code into your mobile app without your knowledge.
Our Mobile SDK agent stores configuration information using your app's normal preferences or settings API on the mobile device. This configuration includes your:
- Application token
- Application version number
- New Relic Mobile SDK agent version number
- Settings such as the maximum number of HTTP requests to track per minute
Performance data is buffered in memory but never written to the device's storage.
Server-side data storage for mobile apps is handled in the same way as all other applications monitored by New Relic Mobile. For more information, see New Relic's security documentation about hosting and data storage.
In general, we retain performance data according to the more generous time period of either your web or your mobile subscription. We also retain aggregate records of the number of active instances of your application.
Instrumentation added to your code
Our Mobile SDK agent injects code into certain method calls within your application in order to collect performance data. This can have the effect of adding stack frames to your application's call graph where our code executes. This allows us to time and monitor the inputs and outputs of various APIs.
This added code has been reviewed and tested for security-related flaws, and it incorporates best practices related to secure coding. Because our code runs within your application's process, it is subject to the same rights and restrictions as your own code.
In addition, Mobile's iOS agent registers an NSURLProtocol handler to track NSURLConnection-based networking activity. This instrumentation is compatible with other custom NSURLProtocol handlers your application may register. The handler is registered within a single application process, so it is unable to monitor networking requests originating from other applications or the underlying operating system.
User's IP address
Our Mobile SDK agent captures the user's IP address to enrich data for additional user information. The IP address is used as a lookup value that maps to additional details and allows our customers to diagnose performance issues. IP address lookup values include:
- Country name
- Country code
- Postal code
- Area code
New Relic does not retain the user's IP address after the attributes have been mapped. The IP address value is cached in memory for up to six hours before being discarded.