Disabling Unmask at Root for Mobile Apps

At FullStory, we’re committed to protecting your privacy. Due to the personal nature of mobile devices and how ubiquitous they have become in everyday life, FullStory has updated our privacy approach when it comes to masking on Mobile Apps.

TL;DR: Beginning on Tuesday, Aug. 16, 2022, FullStory will automatically begin masking the above selectors, overriding any current unmask rules on those selectors. Sessions captured after Tuesday, Aug. 16, 2022, will be masked automatically until intentional unmasking rules have been implemented. This approach helps protect the privacy of your users and prevents capture of sensitive information. 

What is changing and why?

Beginning Tuesday, Aug. 16, 2022, FullStory will prevent unmasking at root on Mobile Apps sessions by masking selectors and overriding any current unmask rules. Specifically,  it will no longer be possible to unmask the following selectors:

  • On Android
    decorview
  • On iOS
    UIWindow
    UIApplication

Masking impact on captured sessions

When sessions are unmasked, FullStory is able to capture a high level of detail with regards to user interactions. For instance, if a user taps on an unmasked button, we will index that tap and you will be able to search for users who tapped that button by searching for the text it contains. If that same button were masked, the search would need to be modified to search for interactions on the button’s selector instead. 

The impact goes beyond search and segment creation, though. Any segments, dashboards, metrics, and defined events, created prior to Tuesday, Aug. 16, 2022, that rely on the text of unmasked components will no longer show accurate results once the text is masked

Additionally, once this change goes into effect static images uploaded to FullStory at build time will also become masked on previous versions of the SDK. 

Unmasking rules on Mobile Apps 

In order to continue with your current level of insights, there are specific steps to take.

Step 1. We recommend a code-first approach for better control over elements as your app evolves and changes. App developers on your team can begin adding unmask rules to the components and elements of your app in code. For more information, we have a handy article available for you. Alternatively, you may assign an admin on your team to create new unmask rules on the specific elements required for your use case. 

Step 2.  Update your SDK version: Your dev team will first need to implement version 1.28.0 of our SDK into your app.

Step 3.  Have your admin opt in to Unmask Packaged Assets in your Mobile Data Capture settings page within FullStory by turning on “Unmask Packaged Assets.”  In order for this to properly work, your app must be updated to the latest FullStory SDK version 1.28.0. (This is optional).

Image_6-23-2022_at_4.47_PM.jpg

Automatically unmask all built-in image assets. Built-in image assets that are privacy sensitive must be excluded when this setting is enabled.

FAQ

What impact will the “Unmask Packaged Assets” have on my sessions?

  • When image assets are unmasked, every image that is part of the app will be shown unmasked, regardless of whether it is explicitly masked or not. You must exclude the control containing the image asset if you don’t want them to be shown.
  • When image assets are masked by default, every image that is part of the app will be shown masked. You can optionally unmask an image asset by changing the privacy rule on the control that contains the image.

We currently have additional exclusion rules or other masking rules in place. Will these change?

  • No. These changes only impact static assets (e.g. images) that are bundled and packaged with an app at build time.
  • If you have additional exclusion rules in place, they will remain in place and continue to exclude the element.
  • If you have any other explicit masking or unmasking rules in place, they will continue to function as expected. For packaged assets, see the previous section.

What will happen if I do nothing?

  • Any session (with the above selectors) captured after Aug. 16, 2022, will be masked if no unmask rules are in place.

Please review our Mobile Privacy Documentation for more information on privacy rules and our recommendations. For specific technical questions regarding how to create or implement masking rules, please contact mobile-support@fullstory.com.

Need to get in touch with us?

The FullStory Team awaits your every question.

Contact us