Network Tampering Detection

Protection Module: NetworkTampering

Detect man-in-the-middle attacks, proxy configurations, and network interception attempts.

Available for: Desktop full, Android partial (proxy, VPN, env vars)


How It Works

The Network Tampering Detection module identifies network interception attempts by monitoring system proxy settings, detecting MITM tool processes, analyzing environment variables, and detecting active VPN connections.

Detection Techniques

System Proxy Detection:

  • HTTP proxy: http.proxyHost/Port (0.7 confidence)
  • HTTPS proxy: https.proxyHost/Port (0.8 confidence)
  • SOCKS proxy: socksProxyHost/Port (0.6 confidence)

Environment Variable Proxies:

  • http_proxy, HTTP_PROXY, https_proxy, HTTPS_PROXY, all_proxy (0.6 confidence)

MITM Tool Process Detection (Desktop):

  • Fiddler, Charles, Burp Suite, ZAP, mitmproxy (0.95 confidence)

Network Analyzer Detection:

  • Wireshark, tshark, tcpdump (0.7 confidence)

Proxy Tools:

  • Proxifier, ProxyCap (0.5 confidence)

Android VPN Detection:

  • VPN network interfaces: tun, ppp, pptp, l2tp, ipsec, vpn (0.8 confidence)
  • NetworkCapabilities.TRANSPORT_VPN API detection (0.8 confidence)

Default detection interval: 3 minutes, process cache: 2 minutes
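
The proxy property, environment variable and interface-name checks listed above can be approximated with standard JVM APIs. The Kotlin sketch below is an added example, not ByteHide's implementation; `Signal`, `collectSignals`, `upInterfaceNames` and the prefix matching of interface names are assumptions made for illustration, while the threat type strings and confidence values are the ones this page lists.

```kotlin
import java.net.NetworkInterface

// Added illustration, not ByteHide code. Confidence values are the ones listed above.
data class Signal(val threatType: String, val detail: String, val confidence: Double)

private val PROXY_PROPS = listOf(
    Triple("http.proxyHost", "http.proxyPort", 0.7),
    Triple("https.proxyHost", "https.proxyPort", 0.8),
    Triple("socksProxyHost", "socksProxyPort", 0.6),
)
private val PROXY_ENV = listOf("http_proxy", "HTTP_PROXY", "https_proxy", "HTTPS_PROXY", "all_proxy")
private val VPN_NAMES = listOf("tun", "ppp", "pptp", "l2tp", "ipsec", "vpn")

// Names of interfaces that are currently up; an empty list if enumeration fails.
fun upInterfaceNames(): List<String> = runCatching {
    NetworkInterface.getNetworkInterfaces()?.toList().orEmpty().filter { it.isUp }.map { it.name }
}.getOrDefault(emptyList())

// Sources are parameters so the checks can be exercised with constructed values.
fun collectSignals(
    prop: (String) -> String? = { System.getProperty(it) },
    env: (String) -> String? = { System.getenv(it) },
    interfaces: List<String> = upInterfaceNames(),
): List<Signal> {
    val out = mutableListOf<Signal>()
    for ((hostKey, portKey, conf) in PROXY_PROPS) {
        val host = prop(hostKey)?.takeIf { it.isNotBlank() } ?: continue
        out += Signal("system_proxy_detected", "$host:${prop(portKey) ?: "default"} ($hostKey)", conf)
    }
    for (name in PROXY_ENV) {
        // Report the variable name only: the value may embed proxy credentials.
        if (!env(name).isNullOrBlank()) out += Signal("environment_proxy_detected", name, 0.6)
    }
    for (iface in interfaces) {
        // Assumption: the listed names are matched as case-insensitive prefixes (tun0, ppp0, ...).
        if (VPN_NAMES.any { iface.lowercase().startsWith(it) }) out += Signal("vpn_detected", iface, 0.8)
    }
    return out
}

fun main() {
    // Constructed inputs, so the output does not depend on the machine running this.
    val props = mapOf("https.proxyHost" to "192.168.1.100", "https.proxyPort" to "8080")
    val envs = mapOf("HTTP_PROXY" to "http://proxy.internal:3128")
    collectSignals({ props[it] }, { envs[it] }, listOf("lo", "wlan0", "tun0")).forEach(::println)
}
```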


Configuration

JSON Configuration

JSON
{
  "protections": [
    {
      "type": "NetworkTampering",
      "action": "block",
      "intervalMs": 180000
    }
  ]
}

Kotlin Configuration

Kotlin
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType

Monitor.configure { config ->
    config.addProtection(
        ProtectionModuleType.NETWORK_TAMPERING,
        ActionType.BLOCK,
        180000
    )
}

Java Configuration

Java
import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;

Monitor.configure(config -> {
    config.addProtection(
        ProtectionModuleType.NETWORK_TAMPERING,
        ActionType.BLOCK,
        180000
    );
});

Custom Action Configuration

Kotlin
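import android.util.Log
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.protection.ProtectionModuleType

Monitor.configure { config ->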
    config.registerCustomAction("my-network-action") { threat ->
        val threatType = threat.getThreatType()      // String
        val description = threat.getDescription()    // String
        val confidence = threat.getConfidence()      // Double (0.0-1.0)
        val metadata = threat.getMetadata()          // Map<String, Object>

        Log.e("Network", "Detected: $threatType (Confidence: $confidence)")
    }

    config.addProtection(
        ProtectionModuleType.NETWORK_TAMPERING,
        "my-network-action",
        180000
    )
}

Available Actions

| Action | Behavior | Recommended For |
|--------|----------|-----------------|
| Close | Terminate application immediately | Production apps with critical IP |
| Log | Record incident and continue | Development, analytics |
| Erase | Securely delete data then terminate | Financial, healthcare apps |
| Custom | Execute custom handler | Enterprise integrations |
| None | Detect only, no action | Testing configurations |
| Block | Block network operations | Cloud protection modules |

See Actions for detailed action documentation.


When to Use

Enable Network Tampering Detection when:

  • Protecting financial transactions and banking operations
  • Securing API communications with sensitive data
  • Preventing credential interception attacks
  • Monitoring for network-based fraud attempts
  • Detecting unauthorized network monitoring
  • Preventing man-in-the-middle attacks

Code Examples

Kotlin - Basic Integration

Kotlin
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType

class SecurityManager {
    fun initializeNetworkProtection() {
        Monitor.configure { config ->
            config.addProtection(
                ProtectionModuleType.NETWORK_TAMPERING,
                ActionType.BLOCK,
                180000
            )
        }
    }
}

Kotlin - Custom Handler with Detection Types

Kotlin
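import android.util.Log
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.protection.ProtectionModuleType

Monitor.configure { config ->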
    config.registerCustomAction("handle-network-tampering") { threat ->
        val threatType = threat.getThreatType()
        val confidence = threat.getConfidence()
        val metadata = threat.getMetadata()

        when (threatType) {
            "system_proxy_detected" -> {
                val proxyHost = metadata["proxyHost"] as? String
                // proxyPort is numeric in the sample payload, so convert it rather than cast to String
                val proxyPort = metadata["proxyPort"]?.toString()
                Log.e("Security", "System proxy detected: $proxyHost:$proxyPort")
            }
            "environment_proxy_detected" -> {
                val proxyVar = metadata["proxyVariable"] as? String
                Log.e("Security", "Environment proxy detected: $proxyVar")
            }
            "mitm_tool_detected" -> {
                val toolName = metadata["toolName"] as? String
                Log.e("Security", "MITM tool process detected: $toolName")
            }
            "network_analyzer_detected" -> {
                val analyzerName = metadata["analyzerName"] as? String
                Log.w("Security", "Network analyzer detected: $analyzerName")
            }
            "vpn_detected" -> {
                val vpnInterface = metadata["vpnInterface"] as? String
                Log.w("Security", "VPN connection detected: $vpnInterface (Confidence: $confidence)")
            }
        }
    }

    config.addProtection(
        ProtectionModuleType.NETWORK_TAMPERING,
        "handle-network-tampering",
        180000
    )
}

Java - Basic Integration

Java
import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;

public class SecurityManager {
    public void initializeNetworkProtection() {
        Monitor.configure(config -> {
            config.addProtection(
                ProtectionModuleType.NETWORK_TAMPERING,
                ActionType.BLOCK,
                180000
            );
        });
    }
}

Platform Compatibility

| Platform | Status | Notes |
|----------|--------|-------|
| Android 5.0+ | ✓ Fully Supported | Proxy and environment variable monitoring |
| Android 7+ | ✓ Optimized | Network capabilities API |
| Android 10+ | ✓ Enhanced | Granular VPN detection |
| Desktop Java | ✓ Fully Supported | System proxy and process detection |
| iOS 12+ | ◐ Partial | VPN detection only |

Performance Impact

  • CPU Impact: 1-2% increase during detection cycles
  • Memory Overhead: ~300 KB for proxy configuration cache
  • Detection Latency: 100-200 ms per cycle
  • Battery Impact: Minimal (3-minute intervals)

Threat Detection Details

JSON
{
  "detection": {
    "threatType": "system_proxy_detected",
    "timestamp": "2026-03-03T17:15:22.654Z",
    "description": "System proxy configuration detected",
    "confidence": 0.8,
    "metadata": {
      "detectionMethod": "system_proxy_monitoring",
      "proxyHost": "192.168.1.100",
      "proxyPort": 8080,
      "proxyProtocol": "http"
    }
  }
}
JSON
{
  "detection": {
    "threatType": "mitm_tool_detected",
    "timestamp": "2026-03-03T17:16:45.321Z",
    "description": "MITM tool process detected running on system",
    "confidence": 0.95,
    "metadata": {
      "detectionMethod": "process_detection",
      "toolName": "Burp Suite",
      "processId": 3456,
      "processPath": "/opt/burp/burp"
    }
  }
}
JSON
{
  "detection": {
    "threatType": "vpn_detected",
    "timestamp": "2026-03-03T17:17:58.789Z",
    "description": "Active VPN connection detected on device",
    "confidence": 0.8,
    "metadata": {
      "detectionMethod": "network_interface_analysis",
      "vpnInterface": "tun0",
      "vpnType": "generic_vpn",
      "transportMethod": "TRANSPORT_VPN"
    }
  }
}
JSON
{
  "detection": {
    "threatType": "environment_proxy_detected",
    "timestamp": "2026-03-03T17:19:10.456Z",
    "description": "Environment variable proxy configuration detected",
    "confidence": 0.6,
    "metadata": {
      "detectionMethod": "environment_variable_monitoring",
      "proxyVariable": "HTTP_PROXY",
      "proxyValue": "http://proxy.internal:3128"
    }
  }
}

