
Container Detection

Protection Module: ContainerDetection

Detects when the application is running inside containerized environments such as Docker, Kubernetes, LXC, Podman, or systemd-nspawn.

Available for: Linux (full), Windows (partial), macOS (limited), Mobile (N/A)


How It Works

The Container Detection module identifies when the application is running inside containerized environments by analyzing system indicators specific to different container runtimes and environment metadata. These environments are commonly used for automated testing, malware analysis, and unauthorized code execution.

Detection Techniques

  • Docker Markers: Checks for /.dockerenv file and docker-specific cgroup paths
  • Cgroup Analysis: Identifies container control group signatures indicating Docker, LXC, Podman, or systemd-nspawn
  • Kubernetes Detection: Identifies Kubernetes service account paths and environment variables (KUBERNETES_SERVICE_HOST, KUBERNETES_SERVICE_PORT, KUBERNETES_PORT)
  • LXC/LXD Indicators: Detects LXC container markers in /proc/1/cgroup and /run/systemd/container file
  • Podman Detection: Identifies Podman containers via /proc/1/cgroup and /run/.containerenv file
  • systemd-nspawn Detection: Detects systemd-nspawn environments via cgroup and container markers
  • Environment Variable Analysis: Monitors for container-specific environment variables
  • Hostname Detection: Identifies container-style hostnames and UUID-based naming patterns

Detection confidence: 0.9 | Default interval: 10 minutes (cached permanently)
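The checks listed above can be sketched as a pure function over a snapshot of the system. This is an added example, not ByteHide's implementation: the `detect` function, the cgroup substrings, the hostname pattern and the sample snapshots are assumptions made for illustration. It also covers a case the list does not spell out: on cgroup v2 a container's /proc/1/cgroup typically reads `0::/`, so only marker files and environment variables remain as evidence.

```python
import re

# Marker paths and variable names are the ones listed in the techniques above.
MARKERS = {"/.dockerenv": "docker", "/run/.containerenv": "podman",
           "/var/run/secrets/kubernetes.io/serviceaccount": "kubernetes"}
K8S_ENV = ("KUBERNETES_SERVICE_HOST", "KUBERNETES_SERVICE_PORT", "KUBERNETES_PORT")
# Assumed cgroup path substrings; order matters (kubepods paths may contain "docker").
CGROUP_HINTS = (("kubepods", "kubernetes"), ("libpod", "podman"),
                ("docker", "docker"), ("lxc", "lxc"))
DOCKER_HOSTNAME = re.compile(r"^[0-9a-f]{12}$")  # default Docker hostname: short container id


def detect(files, env, hostname=""):
    """files: {path: content} for paths that exist; env: environment mapping.
    Returns {"runtime": str or None, "indicators": [(runtime, evidence), ...]}."""
    found = [(rt, p) for p, rt in MARKERS.items() if p in files]
    # systemd records the container manager's name in this file.
    manager = files.get("/run/systemd/container", "").strip()
    if manager:
        found.append((manager, "/run/systemd/container"))
    for line in files.get("/proc/1/cgroup", "").splitlines():
        path = line.split(":", 2)[-1]  # line format: hierarchy-id:controllers:path
        for needle, runtime in CGROUP_HINTS:
            if needle in path:
                found.append((runtime, "cgroup:" + path))
                break
    found += [("kubernetes", name) for name in K8S_ENV if name in env]
    # A hex hostname alone proves little, so it only corroborates other findings.
    if found and DOCKER_HOSTNAME.match(hostname):
        found.append(("docker", "hostname:" + hostname))
    runtimes = [r for r, _ in found]
    # Prefer the orchestrator label when both it and a runtime are seen.
    primary = "kubernetes" if "kubernetes" in runtimes else (runtimes[0] if runtimes else None)
    return {"runtime": primary, "indicators": found}


# Constructed snapshots (files, env, hostname); not captured from real systems.
SAMPLES = {
    "docker, cgroup v1": ({"/.dockerenv": "", "/proc/1/cgroup": "12:memory:/docker/0123456789ab\n"}, {}, "0123456789ab"),
    "docker, cgroup v2": ({"/.dockerenv": "", "/proc/1/cgroup": "0::/\n"}, {}, "0123456789ab"),
    "k8s pod": ({"/var/run/secrets/kubernetes.io/serviceaccount": "", "/proc/1/cgroup": "0::/\n"},
                {"KUBERNETES_SERVICE_HOST": "10.0.0.1"}, "app-0"),
    "nspawn": ({"/run/systemd/container": "systemd-nspawn\n", "/proc/1/cgroup": "0::/init.scope\n"}, {}, "build"),
    "host": ({"/proc/1/cgroup": "0::/init.scope\n"}, {}, "0123456789ab"),
}

if __name__ == "__main__":
    for name, (files, env, host) in SAMPLES.items():
        print(name, detect(files, env, host))
```

The "host" sample shows why the hostname is treated as corroboration only: a 12-character hex hostname on bare metal produces no finding.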

Configuration

JSON Configuration

JSON
{
  "protections": [
    {
      "type": "ContainerDetection",
      "action": "log",
      "intervalMs": 600000
    }
  ]
}

Kotlin Code-Based

Kotlin
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType

Monitor.configure { config ->
    config.addProtection(
        ProtectionModuleType.CONTAINER_DETECTION,
        ActionType.LOG,
        600000
    )
}

Java Code-Based

Java
import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;

Monitor.configure(config -> {
    config.addProtection(
        ProtectionModuleType.CONTAINER_DETECTION,
        ActionType.LOG,
        600000
    );
});

Available Actions

Action | Behavior | Recommended For
close | Terminate application immediately | Production apps with critical IP
log | Record incident and continue | Development, analytics
erase | Securely delete data then terminate | Financial, healthcare apps
custom | Execute custom handler | Enterprise integrations
none | Detect only, no action | Testing configurations

See Actions for detailed action documentation.

When to Use

Enable Container Detection when:

  • Protecting against automated abuse and bot farming
  • Preventing large-scale security research and reverse engineering
  • Detecting unauthorized execution environments
  • Monitoring for infrastructure-level attacks
  • Preventing containerized malware execution
  • Enforcing real device usage policies

Code Examples

Kotlin - Basic Integration

Kotlin
import android.os.Bundle
import androidx.appcompat.app.AppCompatActivity
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType

class MainActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        Monitor.configure { config ->
            config.addProtection(
                ProtectionModuleType.CONTAINER_DETECTION,
                ActionType.LOG,
                600000
            )
        }

        setContentView(R.layout.activity_main)
    }
}

Kotlin - Custom Action Handler

Kotlin
import android.util.Log
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.protection.ProtectionModuleType

Monitor.configure { config ->
    config.registerCustomAction("handle-container") { threat ->
        val threatType = threat.getThreatType()
        val description = threat.getDescription()
        val confidence = threat.getConfidence()
        val metadata = threat.getMetadata()

        Log.e("Security", "Container detected: $threatType (confidence: $confidence)")
        Log.e("Security", "Description: $description")
        Log.e("Security", "Metadata: $metadata")

        // Custom response: disable sensitive features, alert admin, etc.
        disableSensitiveFeatures()
    }

    config.addProtection(
        ProtectionModuleType.CONTAINER_DETECTION,
        "handle-container",
        600000
    )
}

private fun disableSensitiveFeatures() {
    // Disable payment processing, premium features, etc.
}

Java - Basic Integration

Java
import android.os.Bundle;
import androidx.appcompat.app.AppCompatActivity;
import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;

public class MainActivity extends AppCompatActivity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        Monitor.configure(config -> {
            config.addProtection(
                ProtectionModuleType.CONTAINER_DETECTION,
                ActionType.LOG,
                600000
            );
        });

        setContentView(R.layout.activity_main);
    }
}

Java - Close Action (Production Security)

Java
import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;

Monitor.configure(config -> {
    config.addProtection(
        ProtectionModuleType.CONTAINER_DETECTION,
        ActionType.CLOSE,
        600000
    );
});

Platform Compatibility

Platform | Status | Notes
Linux | ✓ Fully Supported | /proc analysis, cgroup detection, marker files
Windows | ✓ Partial | Environment variables, process detection
macOS | ✓ Limited | Process-based detection
Mobile (Android) | ✗ N/A | Not applicable on mobile platforms
Docker Engine | ✓ Detected | All Docker versions
Kubernetes | ✓ Detected | Service account path detection
LXC/LXD | ✓ Detected | Cgroup and marker file detection
Podman | ✓ Detected | Cgroup and .containerenv detection
systemd-nspawn | ✓ Detected | Cgroup and /run/systemd/container detection

Performance Impact

  • CPU Impact: < 1% during detection cycles
  • Memory Overhead: ~300 KB for environment data caching
  • Detection Latency: 100-200 ms per cycle
  • Battery Impact: Minimal (low-frequency checks, cached permanently)
  • Network Impact: None (purely local system analysis)

Threat Detection Details

JSON
{
  "detection": {
    "threatType": "Docker",
    "timestamp": "2026-03-03T14:30:45.309Z",
    "description": "Docker container environment detected via /.dockerenv marker and cgroup analysis",
    "confidence": 0.9,
    "metadata": {
      "containerType": "docker",
      "dockerenvExists": true,
      "cgroupPath": "/docker/a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
      "containerId": "a1b2c3d4e5f6",
      "hostname": "a1b2c3d4e5f6",
      "detectionMethod": "marker_and_cgroup_analysis",
      "indicators": ["/.dockerenv", "docker", "/docker/", "DOCKER_HOST"]
    }
  }
}

Another detection example (Kubernetes):

JSON
{
  "detection": {
    "threatType": "Kubernetes",
    "timestamp": "2026-03-03T14:30:45.309Z",
    "description": "Kubernetes environment detected via service account path and environment variables",
    "confidence": 0.9,
    "metadata": {
      "containerType": "kubernetes",
      "serviceAccountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
      "kubernetesPod": true,
      "namespace": "default",
      "podName": "app-deployment-5d4c8b7a9",
      "clusterDomain": "cluster.local",
      "detectionMethod": "service_account_path_and_env_vars",
      "indicators": ["KUBERNETES_SERVICE_HOST", "KUBERNETES_SERVICE_PORT", "/var/run/secrets/kubernetes.io"]
    }
  }
}
