Clock Tampering Detection
Protection Module: ClockTampering
Available For
Android (HTTP time APIs only) Desktop Java (HTTP time APIs + NTP servers)
How It Works
The Clock Tampering Detection module identifies attempts to manipulate the device's system clock. Clock tampering is commonly used to bypass time-based security mechanisms, exploit trial periods, or commit transaction fraud. The module uses multiple independent time sources to detect inconsistencies indicating tampering.
Detection Techniques
HTTP Time API Comparison (Android & Desktop):
- worldtimeapi.org: Fetches UTC time from public API
- timeapi.io: Alternative time source for consensus
- worldclockapi.com: Additional verification API
NTP Server Comparison (Desktop Only):
- time.google.com: Google's NTP server
- time.windows.com: Microsoft's NTP server
- pool.ntp.org: Public NTP pool
Time Consistency Analysis:
- Cached Reference Time: Maintains historical reference for offline detection
- Monotonic Clock Comparison: Compares
System.nanoTime()(Android) or equivalent against wall clock - Absolute Time Difference: Detects forward/backward clock jumps exceeding threshold
- Multiple Source Consensus: Uses median of multiple sources for accuracy
Confidence Scoring:
- Fresh API response: confidence 0.95
- Cached reference time: confidence 0.85
Default Threshold: 86400 seconds (24 hours) Default Detection Interval: 5 minutes
JSON Configuration
JSON
{
"protections": [
{
"type": "ClockTampering",
"action": "close",
"intervalMs": 300000
}
]
}{
"protections": [
{
"type": "ClockTampering",
"action": "close",
"intervalMs": 300000
}
]
}Code-Based Configuration
Kotlin
Kotlin
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType
Monitor.configure { config ->
config.addProtection(
ProtectionModuleType.CLOCK_TAMPERING,
ActionType.CLOSE,
300000
)
}import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType
Monitor.configure { config ->
config.addProtection(
ProtectionModuleType.CLOCK_TAMPERING,
ActionType.CLOSE,
300000
)
}Java
Java
import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;
Monitor.configure(config -> {
config.addProtection(
ProtectionModuleType.CLOCK_TAMPERING,
ActionType.CLOSE,
300000
);
});import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;
Monitor.configure(config -> {
config.addProtection(
ProtectionModuleType.CLOCK_TAMPERING,
ActionType.CLOSE,
300000
);
});Available Actions
| Action | Behavior | Recommended For |
|---|---|---|
| Close | Terminate application immediately | Production apps with critical IP |
| Log | Record incident and continue | Development, analytics |
| Erase | Securely delete data then terminate | Financial, healthcare apps |
| Custom | Execute custom handler | Enterprise integrations |
| None | Detect only, no action | Testing configurations |
See Actions for detailed action documentation.
When to Use
Enable Clock Tampering Detection when:
- Building subscription or trial-based applications
- Protecting against trial extension fraud
- Securing transaction processing and payment systems
- Implementing time-locked content or promotional offers
- Detecting abuse of time-based features
- Preventing token expiration bypass attacks
- Enforcing time-based licensing compliance
Code Examples
Kotlin - Basic Integration
Kotlin
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType
class MainActivity : AppCompatActivity() {
override fun onCreate(savedInstanceState: Bundle?) {
super.onCreate(savedInstanceState)
Monitor.configure { config ->
config.addProtection(
ProtectionModuleType.CLOCK_TAMPERING,
ActionType.CLOSE,
300000
)
}
setContentView(R.layout.activity_main)
}
}import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType
class MainActivity : AppCompatActivity() {
override fun onCreate(savedInstanceState: Bundle?) {
super.onCreate(savedInstanceState)
Monitor.configure { config ->
config.addProtection(
ProtectionModuleType.CLOCK_TAMPERING,
ActionType.CLOSE,
300000
)
}
setContentView(R.layout.activity_main)
}
}Kotlin - Custom Action with Time Deviation Analysis
Kotlin
Monitor.configure { config ->
config.registerCustomAction("clock-tampering-handler") { threat ->
val threatType = threat.getThreatType()
val confidence = threat.getConfidence()
val metadata = threat.getMetadata()
Log.e("Security", "Time tampering detected: $threatType")
Log.d("Metadata", "Confidence: $confidence")
val timeDeviation = metadata["time_deviation_seconds"] as? Long ?: 0
Log.w("Time", "System clock off by $timeDeviation seconds")
when {
timeDeviation > 86400 -> {
// More than 24 hours: likely tampering
Log.e("Security", "Major time deviation detected. Exiting.")
secureDataAndExit()
}
timeDeviation > 3600 -> {
// More than 1 hour: suspicious
Log.w("Security", "Significant time deviation. Restricting features.")
restrictTimeBasedFeatures()
}
else -> {
// Minor deviation: log and continue
Log.i("Security", "Minor time deviation observed.")
}
}
}
config.addProtection(
ProtectionModuleType.CLOCK_TAMPERING,
"clock-tampering-handler",
300000
)
}
private fun restrictTimeBasedFeatures() {
// Disable time-locked features
// Disable trial/subscription checks
// Disable promotional offers
}
private fun secureDataAndExit() {
// Wipe sensitive data
System.exit(1)
}Monitor.configure { config ->
config.registerCustomAction("clock-tampering-handler") { threat ->
val threatType = threat.getThreatType()
val confidence = threat.getConfidence()
val metadata = threat.getMetadata()
Log.e("Security", "Time tampering detected: $threatType")
Log.d("Metadata", "Confidence: $confidence")
val timeDeviation = metadata["time_deviation_seconds"] as? Long ?: 0
Log.w("Time", "System clock off by $timeDeviation seconds")
when {
timeDeviation > 86400 -> {
// More than 24 hours: likely tampering
Log.e("Security", "Major time deviation detected. Exiting.")
secureDataAndExit()
}
timeDeviation > 3600 -> {
// More than 1 hour: suspicious
Log.w("Security", "Significant time deviation. Restricting features.")
restrictTimeBasedFeatures()
}
else -> {
// Minor deviation: log and continue
Log.i("Security", "Minor time deviation observed.")
}
}
}
config.addProtection(
ProtectionModuleType.CLOCK_TAMPERING,
"clock-tampering-handler",
300000
)
}
private fun restrictTimeBasedFeatures() {
// Disable time-locked features
// Disable trial/subscription checks
// Disable promotional offers
}
private fun secureDataAndExit() {
// Wipe sensitive data
System.exit(1)
}Java - Multi-Source Consensus Handling
Java
Monitor.configure(config -> {
config.registerCustomAction("time-consensus-check", threat -> {
Map<String, Object> metadata = threat.getMetadata();
@SuppressWarnings("unchecked")
Map<String, Long> apiTimes = (Map<String, Long>) metadata.get("time_api_responses");
long systemTime = (long) metadata.get("system_time_ms");
Log.e("Time", "Time sources: " + apiTimes);
Log.d("System", "System clock: " + systemTime);
// Check consensus among sources
long minTime = apiTimes.values().stream().mapToLong(v -> v).min().orElse(0);
long maxTime = apiTimes.values().stream().mapToLong(v -> v).max().orElse(0);
long deviation = Math.abs(systemTime - ((minTime + maxTime) / 2));
if (deviation > 300000) { // More than 5 minutes
Log.e("Security", "System clock severely out of sync");
invalidateTrialPeriod();
System.exit(1);
}
});
config.addProtection(
ProtectionModuleType.CLOCK_TAMPERING,
"time-consensus-check",
300000
);
});
private static void invalidateTrialPeriod() {
// Reset trial counters and timestamps
// Force re-verification with backend
}Monitor.configure(config -> {
config.registerCustomAction("time-consensus-check", threat -> {
Map<String, Object> metadata = threat.getMetadata();
@SuppressWarnings("unchecked")
Map<String, Long> apiTimes = (Map<String, Long>) metadata.get("time_api_responses");
long systemTime = (long) metadata.get("system_time_ms");
Log.e("Time", "Time sources: " + apiTimes);
Log.d("System", "System clock: " + systemTime);
// Check consensus among sources
long minTime = apiTimes.values().stream().mapToLong(v -> v).min().orElse(0);
long maxTime = apiTimes.values().stream().mapToLong(v -> v).max().orElse(0);
long deviation = Math.abs(systemTime - ((minTime + maxTime) / 2));
if (deviation > 300000) { // More than 5 minutes
Log.e("Security", "System clock severely out of sync");
invalidateTrialPeriod();
System.exit(1);
}
});
config.addProtection(
ProtectionModuleType.CLOCK_TAMPERING,
"time-consensus-check",
300000
);
});
private static void invalidateTrialPeriod() {
// Reset trial counters and timestamps
// Force re-verification with backend
}Java - Subscription Protection
Java
Monitor.configure(config -> {
config.registerCustomAction("subscription-guard", threat -> {
Map<String, Object> metadata = threat.getMetadata();
double confidence = threat.getConfidence();
if (confidence > 0.85) {
Log.e("Subscription", "Time manipulation detected. Disabling features.");
// Disable premium features
disableSubscriptionFeatures();
// Force backend verification
syncWithBackend();
// Log security event
reportClockTamperingEvent(threat);
}
});
config.addProtection(
ProtectionModuleType.CLOCK_TAMPERING,
"subscription-guard",
300000
);
});
private static void disableSubscriptionFeatures() {
// Disable all premium functionality
}
private static void syncWithBackend() {
// Contact server for authoritative time
}
private static void reportClockTamperingEvent(Object threat) {
// Send security event to backend
}Monitor.configure(config -> {
config.registerCustomAction("subscription-guard", threat -> {
Map<String, Object> metadata = threat.getMetadata();
double confidence = threat.getConfidence();
if (confidence > 0.85) {
Log.e("Subscription", "Time manipulation detected. Disabling features.");
// Disable premium features
disableSubscriptionFeatures();
// Force backend verification
syncWithBackend();
// Log security event
reportClockTamperingEvent(threat);
}
});
config.addProtection(
ProtectionModuleType.CLOCK_TAMPERING,
"subscription-guard",
300000
);
});
private static void disableSubscriptionFeatures() {
// Disable all premium functionality
}
private static void syncWithBackend() {
// Contact server for authoritative time
}
private static void reportClockTamperingEvent(Object threat) {
// Send security event to backend
}Platform Compatibility
| Platform | Status | Notes |
|---|---|---|
| Android 5.0+ | ✓ Fully Supported | HTTP time API queries |
| Android 10+ | ✓ Optimized | Enhanced network handling |
| Desktop Java | ✓ Fully Supported | HTTP APIs + NTP servers |
| Windows | ✓ Fully Supported | NTP and HTTP time sources |
| macOS | ✓ Fully Supported | NTP and HTTP time sources |
| Linux | ✓ Fully Supported | NTP and HTTP time sources |
Performance Impact
- CPU Impact: < 1% increase during detection cycles
- Memory Overhead: ~100 KB for time cache and history
- Detection Latency: 1000-3000 ms per cycle (network API calls)
- Battery Impact: Moderate (network requests every 5 minutes)
- Network: Minimal data transfer (~500 bytes per check)
Threat Detection Details
Forward Clock Jump Detection:
JSON
{
"threatType": "forward_clock_jump",
"description": "System clock advanced significantly ahead of reference time",
"confidence": 0.95,
"timestamp": "2026-03-02T18:02:17.956Z",
"metadata": {
"detectionMethod": "http_time_api_comparison",
"time_api_responses": {
"worldtimeapi.org": 1708457137000,
"timeapi.io": 1708457138000,
"worldclockapi.com": 1708457137500
},
"system_time_ms": 1708457737000,
"time_deviation_seconds": 600,
"deviation_threshold_seconds": 86400,
"monotonic_clock_jump_detected": true,
"cache_state": "fresh"
}
}{
"threatType": "forward_clock_jump",
"description": "System clock advanced significantly ahead of reference time",
"confidence": 0.95,
"timestamp": "2026-03-02T18:02:17.956Z",
"metadata": {
"detectionMethod": "http_time_api_comparison",
"time_api_responses": {
"worldtimeapi.org": 1708457137000,
"timeapi.io": 1708457138000,
"worldclockapi.com": 1708457137500
},
"system_time_ms": 1708457737000,
"time_deviation_seconds": 600,
"deviation_threshold_seconds": 86400,
"monotonic_clock_jump_detected": true,
"cache_state": "fresh"
}
}Backward Clock Jump Detection:
JSON
{
"threatType": "backward_clock_jump",
"description": "System clock reversed to earlier time",
"confidence": 0.92,
"timestamp": "2026-03-02T18:02:17.956Z",
"metadata": {
"detectionMethod": "monotonic_clock_analysis",
"previous_system_time_ms": 1708457937000,
"current_system_time_ms": 1708457137000,
"time_deviation_seconds": -800,
"monotonic_clock_previous": 1234567890000000,
"monotonic_clock_current": 1234567890050000,
"cache_state": "using_cached_reference",
"cached_reference_confidence": 0.85
}
}{
"threatType": "backward_clock_jump",
"description": "System clock reversed to earlier time",
"confidence": 0.92,
"timestamp": "2026-03-02T18:02:17.956Z",
"metadata": {
"detectionMethod": "monotonic_clock_analysis",
"previous_system_time_ms": 1708457937000,
"current_system_time_ms": 1708457137000,
"time_deviation_seconds": -800,
"monotonic_clock_previous": 1234567890000000,
"monotonic_clock_current": 1234567890050000,
"cache_state": "using_cached_reference",
"cached_reference_confidence": 0.85
}
}