Enable privacy protection in the Connect Android SDK

When capturing user behavior data, you must take measures to exclude personally identifiable information (PII) such as credit card numbers or home addresses.

Before you begin

We recommend assigning unique accessibility labels (android:contentDescription) or static IDs (android:id) to the Views that require privacy protection.

Sample content description in an Android app

Important:

  • Using the same accessibility labels across the iOS and Android versions of an app creates consistency and is considered an industry standard. For more information, see Mobile Accessibility at W3C.
  • The IDs work for all Views. The accessibility labels can be used for an ImageView, ImageButton, CheckBox, or other View that conveys information graphically. Android advises against using contentDescription for EditTexts or editable TextViews.
  • If a UI element isn't assigned an accessibility label or static ID, the library uses its XPath. You can enable privacy protection for the XPath, but it will be necessary to convert it to a regular expression first.

Instructions

  1. Copy the TealeafLayoutConfig.json from our sample app and paste it to the assets directory in your project.
  2. In the masking object, set HasMasking to true.
  3. Add the MaskAccessibilityLabelList parameter and populate it with the accessibility labels of the Views that require privacy protection.
  4. If applicable, populate the MaskIdList with the IDs of the Views that require privacy protection.
{
  "Masking": {
    "HasMasking": true,
    "HasCustomMask": true,
    "Sensitive": {
      "capitalCaseAlphabet": "X",
      "number": "9",
      "smallCaseAlphabet": "x",
      "symbol": "#"
    },
    "MaskIdList": [],
    "MaskAccessibilityLabelList": [
      "privacyTest"
    ]
  }
}
  1. (recommended) Run the file through a JSON validator.

How it works

The masking object in TealeafLayoutConfig.json contains all properties related to PII protection.

PropertyValuesDescription
HasMaskingBooleanSet the value to true to allow masking.
HasCustomMasktrueProtected text is replaced with a fixed string (xxxxx).

⚠️ In the current version, the default mask cannot be disabled and customized.
MaskAccessibilityLabelListArray of stringThe accessibility labels (android:contentDescription) of the Views that require privacy protection
MaskIdListArray of stringThe IDs (android:id) of Views that require privacy protection.

All XPath IDs must be converted to regular expressions . For example, you can set the regular expression as ^9[0-9][0-9][0-9]$ to match all the controls whose ID has 4 characters.
MaskValueListArray of stringAny text displayed on a mobile screen. It doesn't matter which View and attribute it is associated with.

⚠️ We don't recommend using this option to identify Views as it can result into performance issues on busy screens.

You can create a general privacy rule that applies to all screens of your app. In that case, use the AutoLayout.GlobalScreenSettings object. To create a rule for a particular screen, add the AutoLayout.ScreenName object where ScreenName is the name of the screen. Feel free to combine general and screen-specific rules within the same configuration file.

{
  "AutoLayout": {
    "GlobalScreenSettings": {
      "Masking": {
        "HasMasking": true,
        "HasCustomMask": true,
        "Sensitive": {
          "capitalCaseAlphabet": "X",
          "number": "9",
          "smallCaseAlphabet": "x",
          "symbol": "#"
        },
        "MaskIdList": [
          "^9[0-9][0-9][0-9]$"
        ],
        "MaskAccessibilityIdList": [
          "loginName",
          "securityQuestion"
        ],
        "MaskAccessibilityLabelList": [
          "Health conditions",
          "Medications taken"
        ]
      }
    }
  },
  "PaymentViewController": {
    "Masking": {
      "HasMasking": true,
      "HasCustomMask": true,
      "Sensitive": {
        "capitalCaseAlphabet": "X",
        "number": "9",
        "smallCaseAlphabet": "x",
        "symbol": "#"
      },
      "MaskIdList": [],
      "MaskAccessibilityIdList": "pii",
      "MaskAccessibilityLabelList": [
        "Card Number",
        "Billing Address"
      ]
    }
  }
}

Test the settings

To make sure your new rule is working correctly, run the app and enter something into the fields you have masked. Then find the session in Connect and check how the input is displayed.

Masked input example

Protected text input in session replay