topic Re: Encryption at rest on mobile device in Real User Monitoring

Encryption at rest on mobile device

jcmanke — Wed, 28 Aug 2024 20:46:03 GMT

For mobile application monitoring, is user session data encrypted when at rest before it is uploaded to Dynatrace?

In the documentation I read, I found the following info:

Data is encrypted in transit - https://docs.dynatrace.com/docs/shortlink/data-security-controls#transit

Data that has been uploaded to Dynatrace is encrypted with AES-256 when at rest. - https://docs.dynatrace.com/docs/shortlink/data-security-controls#rest

OneAgent will discard data if it isn't uploaded to Dynatrace within 10 minutes - https://docs.dynatrace.com/docs/shortlink/oneagent-sdk-android-communication#offline-monitoring

OneAgent tries to upload to Dynatrace in two-minute intervals by default - https://docs.dynatrace.com/docs/shortlink/cost-and-traffic-control-mobile#network-bandwidth-consumption

What I am looking for is information on the security of OneAgent data during that 2-10 minutes between uploads. My use case is an application that may include personally identifiable information (PII) and protected health information (PHI) so we need to make sure it is secure before it is sent to Dynatrace in addition to in-transit and after.

Re: Encryption at rest on mobile device

Patrick_H — Thu, 29 Aug 2024 10:13:26 GMT

Data in mobile agent is locally cached in an SQLite DB.
The database is not encrypted as there are challenges with creating a secure not extractable key for older Android API version that Dynatrace supports.
For iOS turning on Data Protection for the app will bring improved security as files are then encrypted and inaccessible when the device is locked (https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/AddingCapabilities/AddingCapabilities.html).

Outlook: for grail data we have local database encryption on the roadmap

Follow-up Question: is it really necessary to have health data in the monitoring data to evaluate application performance or help troubleshooting? Collected information especially for PHI should be kept to a minimum necessary.

Re: Encryption at rest on mobile device

jcmanke — Thu, 29 Aug 2024 19:18:37 GMT

This is for a medical device application. It's unlikely that we would explicitly send PHI such as a device serial number to Dynatrace, but something like a crash report stack trace could incidentally include PHI by indicating what type of device the user has.