Customize masking rules in Session Replay for your mobile application to prevent the collection of your end-users' personal data. Available in the Contentsquare Console, the Data Masking tab allows you to quickly and easily set image and text masking rules, or even apply full app or SDK masking if necessary.
New to data masking for Session Replay for mobile apps? Visit this article to learn more.
How the data masking tab works
- Default masking: The text and image masking ‘defined by the API of the SDK’ options are selected and applied by default, unless the other options are applied. If Full masking is in place for all app or SDK versions, this overrides all other masking configurations.
- Data masking rules already configured through APIs: If you have data masking rules already configured through our APIs, these remain in place unless you choose to mask all text and/or images, or apply Full Masking. In that case, the API rules are overridden to allow for a stricter/fuller masking to take effect.
- Full masking already configured: If you already have full masking in place, for all app or SDK versions, you will first need to remove specific masked versions you want to apply custom masking to, or use the toggle to disable all masked versions.
- If you have full masking in place for specific app or SDK versions, custom text and image masking will only apply to the versions without full masking in place.
- When changes take effect: Changes to data masking are not retroactive, and only apply from the moment the end-user has restarted your app, or brought it back to the foreground. The same applies for full masking settings.
How to customize text and image masking rules
Access permissions
Accessing the Contentsquare Console and data masking tab can only be done by Admin users.
- Go to the Contentsquare Console by clicking your profile icon, followed by ‘Console’.
- Click the ‘Data masking’ tab.
- Select your preferred image and text masking configurations.
- Click ‘Apply’ to save your changes. You will be prompted to review and ‘Continue’ with your changes to confirm.
- Once returned to the main data masking page, check that there is no on-screen error banner so you can be sure your configuration was successfully applied.
Image masking
The following options are available to choose from in the Image Masking section.
Mask images defined by the API of the SDK
Images defined by the API masking rules of the SDK are masked. If custom API masking rules are not defined, all images are masked.
Mask all images
All images are masked, overriding API masking rules.
Unmask all images
All images are unmasked, except those specified by custom API masking rules.
Text masking
The following options are available to choose from in the Text Masking section.
Mask text defined by the API of the SDK
Text defined by the API rules of the SDK is masked. If custom API masking rules are not defined, all text is masked.
Mask all text
All text is masked, overriding API masking rules.
Mask custom text boxes
This enables the masking of custom patterns while unmasking all other texts. When this toggle is enabled:
- The text masked by the local masking API remains masked.
- The text input fields are masked.
- The email addresses and credit card numbers are masked.
- All other numbers can be masked by checking the “All other numbers” checkbox.
- Additional custom patterns can be defined to mask specific texts. This is done by selecting the “Text patterns (RegEx)” checkbox and by adding up to 5 regular expression patterns.
Text pattern examples
This configuration allows you to mask data by defining text patterns, using up to five (5) Regular Expressions (RegEx).
Example:
If the following Regex is used to mask Australian postal codes: \d{4} then any text box containing an Australian postal code will be fully masked.
For instance, if a text box contains - Ground Floor, 26 Lee Street, Sydney NSW 2000 -
the entire content of the text box will be masked (meaning the full address is hidden), because "2000" is an Australian postal code that matches the \d{4} Regex.
Other example patterns:
- Masking dates in DD/MM/YYYY format (e.g., 31/12/2025)
  (0[1-9]|[12][0-9]|3[01])\/(0[1-9]|1[0-2])\/\d{4}
- Masking international phone numbers (e.g., +491701234567, 447911123456)
  \+?[1-9]\d{1,14}
Text pattern input validation
- The RegEx is validated as it’s entered, to ensure correct syntax.
- After new text pattern masking configurations are applied, the SDK validates that the Regex processing will not impact mobile app performance.
- If the validation test is unsuccessful—meaning it takes more than 100ms to process the Regex on 20 common texts—the new text pattern masking configuration will not be applied. In such cases, all text remains masked to ensure full data privacy and to prevent any negative impact on your app’s performance.
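Because a single match masks the whole text box, it helps to run candidate patterns over representative screen texts before applying them. The following is an added example, not Contentsquare code: it checks the three patterns from this page against constructed sample texts and times the run against the 100 ms threshold, assuming Python's `re` engine as a stand-in for the SDK's regex engine (timings on a device will differ).

```python
import re
import time

# Constructed sample text boxes (not real user data, not the SDK's own test set).
SAMPLE_TEXTS = [
    "Ground Floor, 26 Lee Street, Sydney NSW 2000",
    "Order placed on 31/12/2025",
    "Call us on +491701234567",
    "Your total is 1499 points",
    "Gate 12 closes in 5 minutes",
    "Welcome back",
]

# The three patterns shown on this page.
PATTERNS = {
    "postcode": r"\d{4}",
    "date": r"(0[1-9]|[12][0-9]|3[01])\/(0[1-9]|1[0-2])\/\d{4}",
    "phone": r"\+?[1-9]\d{1,14}",
}

MAX_PATTERNS = 5   # limit stated on this page
BUDGET_MS = 100    # threshold stated on this page


def preflight(patterns, texts, budget_ms=BUDGET_MS):
    """Return (hits, elapsed_ms, within_budget).

    hits maps each text to the names of the patterns found anywhere in it;
    a text with at least one hit would be masked in full.
    """
    if len(patterns) > MAX_PATTERNS:
        raise ValueError(f"at most {MAX_PATTERNS} patterns are allowed")
    compiled = {name: re.compile(rx) for name, rx in patterns.items()}  # syntax check
    start = time.perf_counter()
    hits = {t: [n for n, rx in compiled.items() if rx.search(t)] for t in texts}
    elapsed_ms = (time.perf_counter() - start) * 1000
    return hits, elapsed_ms, elapsed_ms <= budget_ms


def still_visible(hits):
    """Texts that none of the patterns matched."""
    return [text for text, names in hits.items() if not names]


if __name__ == "__main__":
    hits, ms, ok = preflight(PATTERNS, SAMPLE_TEXTS)
    for text, names in hits.items():
        print(f"{'MASKED ' if names else 'visible'} {names} {text!r}")
    print(f"{ms:.3f} ms, within budget: {ok}")
```

The phone pattern also matches any run of two or more digits, so in this sample it masks the street address and the gate number as well as the phone number.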
How to apply full data masking by app and SDK versions
This is primarily used if you know, or have concerns, that unnecessary personal data has been exposed, as it allows you to act quickly by applying full masking to specific app versions (and overriding your existing masking configurations).
- From the Data Masking tab, select ‘Set up full masking’.
- To mask all versions, click the ‘Mask all eligible versions’ toggle.
- To mask only specific app or SDK versions, enter the version(s) you want to mask in the respective fields and hit the Enter/Return key on your keyboard.
Version hierarchy
Versions are compared as strings in alphabetical order, with some additional rules for numbers and “nothing”:
- Numbers (0-9) are considered before/lesser than letters (a-z)
  - 4.1.1-0 < 4.1.1-alpha (because the number “0” comes before letters “alpha”)
  - 4.1.1-alpha < 4.1.1-beta (because “alpha” comes before “beta” alphabetically)
- “Nothing” (e.g. a version without a suffix) is considered inferior to anything else, for example:
  - 4.1.1 < 4.1.1-0 (because “nothing” comes before the suffix/anything else)
How to input multiple versions matching a pattern, or within a range
Use the asterisk ‘*’ to define multiple versions matching an exact pattern, for example:
- 4.* would include versions 4.1, 4.2, 4.3 etc, but not 4.1.1
- 4.*.* would include versions 4.1.1, 4.2.2, 4.3.3 etc, but not 4.1 or 4.2 and so on…
- 4.1.*-* would include versions 4.1-beta, 4.1.1-121, 4.1.4-1b etc
Use the following operators to add multiple versions within a range:
| Operator | Description | Example |
| > | Strictly superior to | >4.2 includes versions greater than 4.2 such as 4.2.1, 4.2.beta, etc |
| >= | Superior or equal to | >=4.2 includes versions greater than or equal to 4.2 such as 4.2, 4.2.1, 4.2.beta, etc |
| < | Strictly inferior to | <4.2 includes versions less than 4.2 such as 4.1, 4.1.1, 4.1.beta, etc |
| <= | Inferior or equal to | <=4.2 includes versions less than or equal to 4.2 such as 4.2, 4.1, 4.1.1, 4.1.beta, etc |
| || (OR) | Match if one, or both, conditions are true | range1 || range2 matches if either range1 or range2 is satisfied |
| && (AND) | Match only if both conditions are true | range1 && range2 matches if both range1 and range2 are satisfied |
Note: Limitation for composite range operators OR and AND
A range can contain only one || or && operator.
range1 || range2 || range3, range1 && range2 || range3, range1 && range2 && range3 are not valid.
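When full masking is applied in a hurry, it is worth checking which released versions a range actually selects. The following is an added example, not Contentsquare code: it evaluates range expressions over a constructed release list, assuming a literal reading of the version hierarchy above (plain character-by-character string comparison); wildcard patterns are not covered.

```python
import re

# Operators from the table above, applied to plain string comparison.
OPS = {
    ">": lambda v, bound: v > bound,
    ">=": lambda v, bound: v >= bound,
    "<": lambda v, bound: v < bound,
    "<=": lambda v, bound: v <= bound,
}


def parse_range(expr):
    """Return (combiner, [(operator, version), ...]) or raise ValueError."""
    parts = re.split(r"\s*(\|\||&&)\s*", expr.strip())
    if len(parts) > 3:
        raise ValueError("only one || or && is allowed per range")
    terms = []
    for term in parts[0::2]:
        m = re.fullmatch(r"(>=|<=|>|<)\s*(\S+)", term)
        if m is None:
            raise ValueError(f"not a range term: {term!r}")
        terms.append((m.group(1), m.group(2)))
    return (parts[1] if len(parts) == 3 else None), terms


def matches(version, expr):
    """True if version falls inside expr under character-by-character ordering."""
    combiner, terms = parse_range(expr)
    results = [OPS[op](version, bound) for op, bound in terms]
    return all(results) if combiner == "&&" else any(results)


# Constructed release list for illustration.
RELEASED = ["4.1", "4.1.1", "4.1.1-0", "4.1.1-alpha", "4.2", "4.2.1", "4.10"]


def covered(expr, versions=RELEASED):
    """Versions from the list that the range expression would select."""
    return [v for v in versions if matches(v, expr)]


if __name__ == "__main__":
    # Under this literal reading "4.10" sorts between "4.1.1-alpha" and "4.2",
    # so it lands inside the range below; confirm such cases in the Console.
    print(covered(">=4.1.1 && <4.2"))
```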