
Cloud Metadata Detection

Protection Module: CloudMetadata

Detects when the application is running on cloud provider infrastructure by probing Instance Metadata Services (IMDS) endpoints and analyzing cloud-specific environment indicators.

Available for: All platforms (uses HTTP metadata endpoints)


How It Works

The Cloud Metadata Detection module identifies cloud environments by querying metadata service endpoints that are only available when running on cloud provider infrastructure. This prevents applications from being deployed in cloud environments for large-scale unauthorized testing, credential harvesting, or distributed abuse.

Detection Techniques

  • AWS EC2 Detection: Queries http://169.254.169.254/latest/meta-data/ for instance-id, instance-type, placement/availability-zone (confidence: 0.95)
  • Azure VM Detection: Queries http://169.254.169.254/metadata/instance?api-version=2021-02-01 with Metadata header for vmId, vmSize, location, zone (confidence: 0.95)
  • Google Cloud Detection: Queries http://metadata.google.internal/computeMetadata/v1/instance/ with Metadata-Flavor header for id, machine-type, zone (confidence: 0.95)
  • DigitalOcean Detection: Queries http://169.254.169.254/metadata/v1/ for id, region (confidence: 0.95)
  • HTTP Timeout: 2 seconds per provider endpoint
  • Caching: Cached permanently after successful detection

Detection confidence: 0.95 | Default interval: 10 minutes (cached permanently) | HTTP timeout: 2 seconds per provider
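
The probe sequence listed above, written out in Python as an added example (not ByteHide's implementation). It validates each response body so that a proxy or captive portal answering 200 is not counted as a cloud host, and it handles AWS instances that enforce IMDSv2; `CloudDetector`, `http_fetch`, the validators and the token step are assumptions of this example.

```python
import json
import re
import urllib.error
import urllib.request

LL = "http://169.254.169.254"  # link-local IMDS address shared by AWS, Azure, DigitalOcean
_DIRECT = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore *_proxy env

def _azure_ok(body):
    try:
        return bool(json.loads(body)["compute"]["vmId"])
    except (ValueError, KeyError, TypeError):
        return False
_aws_ok = re.compile(r"i-(?:[0-9a-f]{8}|[0-9a-f]{17})").fullmatch

PROBES = [  # (provider, URL, request headers, validator for the stripped body)
    ("AWS", LL + "/latest/meta-data/instance-id", {}, _aws_ok),
    ("Azure", LL + "/metadata/instance?api-version=2021-02-01", {"Metadata": "true"}, _azure_ok),
    ("GCP", "http://metadata.google.internal/computeMetadata/v1/instance/id",
     {"Metadata-Flavor": "Google"}, str.isdigit),
    ("DigitalOcean", LL + "/metadata/v1/id", {}, str.isdigit),
]

def http_fetch(method, url, headers):
    """Real transport: (status, body), or None on timeout or refused connection."""
    req = urllib.request.Request(url, headers=headers, method=method)
    try:
        with _DIRECT.open(req, timeout=2) as resp:  # 2 s per provider, as on the page
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except OSError:
        return None

class CloudDetector:
    def __init__(self, fetch=http_fetch):
        self.fetch, self.provider = fetch, None
    def detect(self):
        if self.provider:  # a positive result is cached permanently
            return self.provider
        for name, url, headers, valid in PROBES:
            resp = self.fetch("GET", url, headers)
            if name == "AWS" and resp and resp[0] == 401:  # IMDSv2 enforced: token first
                tok = self.fetch("PUT", LL + "/latest/api/token",
                                 {"X-aws-ec2-metadata-token-ttl-seconds": "60"})
                if tok and tok[0] == 200:
                    resp = self.fetch("GET", url, {"X-aws-ec2-metadata-token": tok[1].strip()})
            if resp and resp[0] == 200 and valid(resp[1].strip()):
                self.provider = name
                return name
        return None
```

Passing a fake `fetch` callable lets the logic be exercised offline; `CloudDetector().detect()` with the default transport performs the real probes.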

Configuration

JSON Configuration

JSON
{
  "protections": [
    {
      "type": "CloudMetadata",
      "action": "log",
      "intervalMs": 600000
    }
  ]
}

Kotlin Code-Based

Kotlin
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType

Monitor.configure { config ->
    config.addProtection(
        ProtectionModuleType.CLOUD_METADATA,
        ActionType.LOG,
        600000
    )
}

Java Code-Based

Java
import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;

Monitor.configure(config -> {
    config.addProtection(
        ProtectionModuleType.CLOUD_METADATA,
        ActionType.LOG,
        600000
    );
});

Available Actions

| Action | Behavior | Recommended For |
|---|---|---|
| close | Terminate application immediately | Production apps with critical IP |
| log | Record incident and continue | Development, analytics |
| erase | Securely delete data then terminate | Financial, healthcare apps |
| custom | Execute custom handler | Enterprise integrations |
| none | Detect only, no action | Testing configurations |
| block | Block the operation | Cloud protection modules |

See Actions for detailed action documentation.

When to Use

Enable Cloud Metadata Detection when:

  • Preventing large-scale cloud-based abuse campaigns
  • Ensuring applications only run on genuine user devices
  • Protecting against distributed attacks and credential farming
  • Preventing unauthorized cloud deployments
  • Enforcing device-locked licensing and feature access
  • Monitoring infrastructure-level attacks

Code Examples

Kotlin - Basic Integration

Kotlin
import android.os.Bundle
import androidx.appcompat.app.AppCompatActivity
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType

class MainActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        Monitor.configure { config ->
            config.addProtection(
                ProtectionModuleType.CLOUD_METADATA,
                ActionType.LOG,
                600000
            )
        }

        setContentView(R.layout.activity_main)
    }
}

Kotlin - Custom Action with Provider Detection

Kotlin
import android.util.Log
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.protection.ProtectionModuleType

Monitor.configure { config ->
    config.registerCustomAction("handle-cloud-metadata") { threat ->
        val threatType = threat.getThreatType()
        val description = threat.getDescription()
        val confidence = threat.getConfidence()
        val metadata = threat.getMetadata()

        Log.e("Security", "Cloud environment detected: $threatType (confidence: $confidence)")
        Log.e("Security", "Description: $description")

        when (threatType) {
            "AWS" -> {
                Log.e("Security", "AWS EC2 instance detected")
                val instanceId = metadata["instance-id"]
                val region = metadata["placement/region"]
                Log.e("Security", "Instance: $instanceId in region: $region")
                disableSensitiveFeatures()
            }
            "Azure" -> {
                Log.e("Security", "Azure VM detected")
                val vmId = metadata["vmId"]
                val location = metadata["location"]
                Log.e("Security", "VM: $vmId in location: $location")
                disableSensitiveFeatures()
            }
            "GCP" -> {
                Log.e("Security", "Google Cloud instance detected")
                val projectId = metadata["project/project-id"]
                val zone = metadata["instance/zone"]
                Log.e("Security", "Project: $projectId in zone: $zone")
                disableSensitiveFeatures()
            }
        }
    }

    config.addProtection(
        ProtectionModuleType.CLOUD_METADATA,
        "handle-cloud-metadata",
        600000
    )
}

private fun disableSensitiveFeatures() {
    // Disable payment processing, premium features, etc.
}

Java - Close Action (Production Security)

Java
import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;

Monitor.configure(config -> {
    config.addProtection(
        ProtectionModuleType.CLOUD_METADATA,
        ActionType.CLOSE,
        600000
    );
});

Java - Erase Action (Financial/Sensitive Apps)

Java
import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;

Monitor.configure(config -> {
    config.addProtection(
        ProtectionModuleType.CLOUD_METADATA,
        ActionType.ERASE,
        600000
    );
});

Platform Compatibility

| Platform | Status | Notes |
|---|---|---|
| Windows | ✓ Fully Supported | HTTP IMDS endpoint access |
| Linux | ✓ Fully Supported | HTTP IMDS endpoint access |
| macOS | ✓ Fully Supported | HTTP IMDS endpoint access |
| Mobile (Android) | ✓ Supported | HTTP IMDS endpoint access (limited cloud use) |
| AWS EC2 | ✓ Detected | All instance types (confidence: 0.95) |
| Azure VMs | ✓ Detected | Both classic and ARM VMs (confidence: 0.95) |
| Google Cloud | ✓ Detected | All machine types (confidence: 0.95) |
| DigitalOcean | ✓ Detected | Droplet instances (confidence: 0.95) |
| Kubernetes Pods | ✓ Detected | K8s service account injection |

Performance Impact

  • CPU Impact: < 1% during detection cycles
  • Memory Overhead: ~250 KB for IMDS cache
  • Detection Latency: 200-500 ms per cycle (includes network probe with 2-second timeout per provider)
  • Battery Impact: Minimal (infrequent checks, cached permanently)
  • Network Impact: < 1 KB per detection cycle (only on initial detection)

Threat Detection Details

JSON
{
  "detection": {
    "threatType": "AWS",
    "timestamp": "2026-03-03T14:30:45.309Z",
    "description": "AWS EC2 instance metadata service detected - application running on AWS infrastructure",
    "confidence": 0.95,
    "metadata": {
      "cloudProvider": "AWS",
      "environmentType": "EC2",
      "instanceId": "i-0a1b2c3d4e5f6g7h8",
      "instanceType": "t3.micro",
      "region": "us-east-1",
      "availabilityZone": "us-east-1a",
      "accountId": "123456789012",
      "amiId": "ami-0a1b2c3d4e5f6g7h8",
      "imdsVersion": "2",
      "detectionMethod": "imds_metadata_service"
    }
  }
}

Azure VM detection example:

JSON
{
  "detection": {
    "threatType": "Azure",
    "timestamp": "2026-03-03T14:30:45.309Z",
    "description": "Azure VM metadata service detected - application running on Azure infrastructure",
    "confidence": 0.95,
    "metadata": {
      "cloudProvider": "Azure",
      "environmentType": "VM",
      "vmId": "8f3348df-513e-46eb-9560-90a4626c68c4",
      "vmSize": "Standard_B1s",
      "location": "eastus",
      "zone": "1",
      "subscriptionId": "12345678-1234-1234-1234-123456789012",
      "resourceGroupName": "my-resource-group",
      "imdsVersion": "2021-02-01",
      "detectionMethod": "azure_imds_endpoint"
    }
  }
}

Google Cloud detection example:

JSON
{
  "detection": {
    "threatType": "GCP",
    "timestamp": "2026-03-03T14:30:45.309Z",
    "description": "Google Cloud instance metadata detected - application running on GCP infrastructure",
    "confidence": 0.95,
    "metadata": {
      "cloudProvider": "GCP",
      "environmentType": "ComputeEngine",
      "instanceId": "1234567890123456789",
      "machineType": "n1-standard-1",
      "zone": "us-central1-a",
      "projectId": "my-project-12345",
      "projectNumber": "1234567890",
      "serviceAccountEmail": "default@my-project-12345.iam.gserviceaccount.com",
      "detectionMethod": "gcp_metadata_server"
    }
  }
}
