To protect your mobile application's security and your users' data privacy, New Relic only records performance data, as described in this document. We do not collect any data used or stored by the monitored app. For more information about New Relic's security measures, see our security and data privacy documentation, or visit the New Relic security website.
When you install New Relic, our mobile monitoring capabilities become part of your iOS or Android app. These capabilities live within your application's "sandbox," so they cannot access anything other than performance data from your mobile app. We do not collect performance data about the device itself, such as battery level.
Our mobile SDK agent collects and sends specific data to the New Relic collector, including:
Mobile data collected
Requests and responses
The agent sends all data using HTTPS encryption and validates the collector's SSL certificate. This prevents common data sniffing and server spoofing attacks. The agent also removes the query string, fragment identifier, username, and password from each URL before sending the data.
Secure data endpoints
Our mobile SDK agent sends harvested data to the collectors for processing. You can redirect those data posts to proxy or delegate servers for secure data handling.
- Android: You can use APIs to specify the URI authority of harvest and crash collector data endpoints. For more information, see the Android agent configuration and feature flags documentation.
- iOS: For more information, see the iOS agent configuration and feature flags documentation.
Our mobile SDK agent assigns a unique identifier to each installed app instance in order to track discrete installs, identify recurring sessions, and correlate performance over time.
Our Android agent generates a cryptographically strong UUID and stores it in the app's
The security measures used for iOS depend on the agent version.
No remote updates
New Relic does not have the ability to update mobile agents remotely. Using the agent will not introduce any code into your mobile app without your knowledge.
Our mobile SDK agent stores configuration information using your app's normal preferences or settings API on the mobile device. This configuration includes your:
- Application token
- Application version number
- Android or iOS SDK agent version number
- Settings such as the maximum number of HTTP requests to track per minute
Performance data is buffered in memory. It is never written to the device's storage.
Server-side data storage for mobile apps is handled in the same way as all other applications monitored by New Relic. For more information, see our security documentation about hosting and data storage.
In general, we retain performance data according to the more generous time period of either your web or your mobile subscription. We also retain aggregate records of the number of active instances of your application.
Instrumentation added to your code
Our mobile SDK agent injects code into certain method calls within your application in order to collect performance data. This can have the effect of adding stack frames to your application's call graph where our code executes. This allows us to time and monitor the inputs and outputs of various APIs.
This added code has been reviewed and tested for security-related flaws, and it incorporates best practices related to secure coding. Because our code runs within your application's process, it is subject to the same rights and restrictions as your own code.
In addition, our iOS agent registers an NSURLProtocol handler to track NSURLConnection-based networking activity. This instrumentation is compatible with other custom NSURLProtocol handlers your application may register. The handler is registered within a single application process, so it is unable to monitor networking requests originating from other applications or the underlying operating system.
User's IP address
Our mobile SDK agent captures the user's IP address to enrich data for additional user information. The IP address is used as a lookup value that maps to additional details and allows our customers to diagnose performance issues. IP address lookup values include:
- App name
- Country code
- Postal code
- Area code
For more information about events and attributes for mobile monitoring, see our data dictionary.
New Relic does not retain the user's IP address after the attributes have been mapped. The IP address value is cached in memory for up to six hours before being discarded. If you have questions or concerns about this use of IP addresses with regards to your own regulatory obligations for notice and consent, please contact your privacy or legal teams.