
Encryption at rest on mobile device

jcmanke
Visitor

For mobile application monitoring, is user session data encrypted when at rest before it is uploaded to Dynatrace?

In the documentation I read, I found the following info:

Data is encrypted in transit - https://docs.dynatrace.com/docs/shortlink/data-security-controls#transit 

Data that has been uploaded to Dynatrace is encrypted with AES-256 when at rest. - https://docs.dynatrace.com/docs/shortlink/data-security-controls#rest

OneAgent will discard data if it isn't uploaded to Dynatrace within 10 minutes - https://docs.dynatrace.com/docs/shortlink/oneagent-sdk-android-communication#offline-monitoring 

OneAgent tries to upload to Dynatrace in two-minute intervals by default - https://docs.dynatrace.com/docs/shortlink/cost-and-traffic-control-mobile#network-bandwidth-consumpt... 

 

What I am looking for is information on the security of OneAgent data during that 2-10 minutes between uploads. My use case is an application that may include personally identifiable information (PII) and protected health information (PHI) so we need to make sure it is secure before it is sent to Dynatrace in addition to in-transit and after.

 

2 REPLIES

Patrick_H
Dynatrace Leader

Data in the mobile agent is locally cached in an SQLite DB.
The database is not encrypted, as there are challenges with creating a secure, non-extractable key for the older Android API versions that Dynatrace supports.
For iOS, turning on Data Protection for the app will bring improved security, as files are then encrypted and inaccessible when the device is locked (https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/Addin...).

 

Outlook: for Grail data we have local database encryption on the roadmap.

 

Follow-up question: is it really necessary to have health data in the monitoring data to evaluate application performance or help troubleshooting? Collected information, especially for PHI, should be kept to the minimum necessary.

iOS help: https://www.dynatrace.com/support/help/shortlink/ios-hub

This is for a medical device application. It's unlikely that we would explicitly send PHI such as a device serial number to Dynatrace, but something like a crash report stack trace could incidentally include PHI by indicating what type of device the user has.
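The iOS Data Protection suggestion in the reply above can be checked from inside the app. The following is an added example, not part of the thread and not Dynatrace code: it walks the app's sandbox and lists every file whose protection class is weaker than `NSFileProtectionComplete`. It assumes the agent's SQLite cache is stored somewhere under the app's own container; the function names `weaklyProtectedFiles` and `auditAppContainer` are hypothetical.

```swift
import Foundation

/// Returns every regular file under `root` whose Data Protection class is
/// weaker than `.complete` (or could not be read).
func weaklyProtectedFiles(under root: URL) -> [(path: String, protection: String)] {
    let keys: [URLResourceKey] = [.isRegularFileKey, .fileProtectionKey]
    guard let walker = FileManager.default.enumerator(
        at: root, includingPropertiesForKeys: keys) else { return [] }

    var findings: [(path: String, protection: String)] = []
    for case let url as URL in walker {
        guard let values = try? url.resourceValues(forKeys: Set(keys)),
              values.isRegularFile == true else { continue }
        // `.complete` means the file is unreadable while the device is locked.
        if values.fileProtection != .complete {
            findings.append((url.path, values.fileProtection?.rawValue ?? "unknown"))
        }
    }
    return findings
}

/// Audits the sandbox locations where an in-app library could cache data.
/// Assumption: the monitoring agent's cache lives in one of these directories.
func auditAppContainer() {
    let fm = FileManager.default
    var roots = fm.urls(for: .libraryDirectory, in: .userDomainMask)   // includes Application Support and Caches
    roots += fm.urls(for: .documentDirectory, in: .userDomainMask)
    roots.append(fm.temporaryDirectory)

    for root in roots {
        for finding in weaklyProtectedFiles(under: root) {
            print("[file-protection] \(finding.protection): \(finding.path)")
        }
    }
}
```

Call `auditAppContainer()` from a debug build on a physical device after the app has collected some monitoring data; the Simulator does not enforce Data Protection.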
