Tampering Detection
Protection Module: TamperingDetection
Verify application integrity through APK signature validation and cryptographic license binding verification.
Available for: Android only (requires Context). NOT available on Desktop/Server.
How It Works
The Tampering Detection module verifies the integrity of the application package through cryptographic validation. It extracts the expected APK signature hash from your ByteHide JWT license, calculates the current APK signature hash at runtime via reflection, and compares the SHA-256 hashes to detect modifications.
Detection Techniques
APK Signature Verification:
- Extracts expected signature hash from ByteHide JWT license token
- Calculates current APK signature hash via reflection
- Uses Android PackageManager.getPackageInfo() with GET_SIGNATURES flag
- Compares SHA-256 of certificate public key
- Signature hash is cryptographically signed in RS256 JWT
Detection Confidence:
- Signature mismatch: 1.0 (certain)
- Signature extraction failure: 0.8
- Verification failure: 0.7
License Binding:
- Signature hash embedded in RS256 JWT token
- Cryptographic validation ensures authenticity
Default detection interval: 5 minutes, cached permanently
Configuration
JSON Configuration
JSON
{
"protections": [
{
"type": "TamperingDetection",
"action": "close",
"intervalMs": 300000
}
]
}{
"protections": [
{
"type": "TamperingDetection",
"action": "close",
"intervalMs": 300000
}
]
}Kotlin Configuration
Kotlin
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType
Monitor.configure { config ->
config.addProtection(
ProtectionModuleType.TAMPERING_DETECTION,
ActionType.CLOSE,
300000
)
}import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType
Monitor.configure { config ->
config.addProtection(
ProtectionModuleType.TAMPERING_DETECTION,
ActionType.CLOSE,
300000
)
}Java Configuration
Java
import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;
Monitor.configure(config -> {
config.addProtection(
ProtectionModuleType.TAMPERING_DETECTION,
ActionType.CLOSE,
300000
);
});import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;
Monitor.configure(config -> {
config.addProtection(
ProtectionModuleType.TAMPERING_DETECTION,
ActionType.CLOSE,
300000
);
});Custom Action Configuration
Kotlin
Monitor.configure { config ->
config.registerCustomAction("my-tampering-action") { threat ->
val threatType = threat.getThreatType() // String
val description = threat.getDescription() // String
val confidence = threat.getConfidence() // Double (0.0-1.0)
val metadata = threat.getMetadata() // Map<String, Object>
Log.e("Tampering", "Detected: $threatType (Confidence: $confidence)")
}
config.addProtection(
ProtectionModuleType.TAMPERING_DETECTION,
"my-tampering-action",
300000
)
}Monitor.configure { config ->
config.registerCustomAction("my-tampering-action") { threat ->
val threatType = threat.getThreatType() // String
val description = threat.getDescription() // String
val confidence = threat.getConfidence() // Double (0.0-1.0)
val metadata = threat.getMetadata() // Map<String, Object>
Log.e("Tampering", "Detected: $threatType (Confidence: $confidence)")
}
config.addProtection(
ProtectionModuleType.TAMPERING_DETECTION,
"my-tampering-action",
300000
)
}Available Actions
| Action | Behavior | Recommended For |
|---|---|---|
| Close | Terminate application immediately | Production apps with critical IP |
| Log | Record incident and continue | Development, analytics |
| Erase | Securely delete data then terminate | Financial, healthcare apps |
| Custom | Execute custom handler | Enterprise integrations |
| None | Detect only, no action | Testing configurations |
| Block | Block the operation | Not applicable for this module |
See Actions for detailed action documentation.
When to Use
Enable Tampering Detection when:
- Protecting against code injection and patching attacks
- Preventing unauthorized modifications to APK or native libraries
- Detecting modified or cracked app installations
- Ensuring code integrity for compliance requirements
- Protecting intellectual property from reverse engineering
- Preventing exploitation via code modification
Code Examples
Kotlin - Basic Integration
Kotlin
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType
class SecurityManager {
fun initializeTamperingProtection() {
Monitor.configure { config ->
config.addProtection(
ProtectionModuleType.TAMPERING_DETECTION,
ActionType.CLOSE,
300000
)
}
}
}import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType
class SecurityManager {
fun initializeTamperingProtection() {
Monitor.configure { config ->
config.addProtection(
ProtectionModuleType.TAMPERING_DETECTION,
ActionType.CLOSE,
300000
)
}
}
}Kotlin - Custom Response Handler
Kotlin
Monitor.configure { config ->
config.registerCustomAction("handle-tampering") { threat ->
val threatType = threat.getThreatType()
val confidence = threat.getConfidence()
val metadata = threat.getMetadata()
when (threatType) {
"signature_mismatch" -> {
Log.e("Security", "APK signature mismatch detected!")
val expectedHash = metadata["expectedSignatureHash"] as? String
val actualHash = metadata["actualSignatureHash"] as? String
Log.d("Hashes", "Expected: $expectedHash, Actual: $actualHash")
}
"signature_extraction_failure" -> {
Log.w("Security", "Failed to extract signature: $confidence confidence")
}
"verification_failure" -> {
Log.w("Security", "Verification failed: $confidence confidence")
}
}
}
config.addProtection(
ProtectionModuleType.TAMPERING_DETECTION,
"handle-tampering",
300000
)
}Monitor.configure { config ->
config.registerCustomAction("handle-tampering") { threat ->
val threatType = threat.getThreatType()
val confidence = threat.getConfidence()
val metadata = threat.getMetadata()
when (threatType) {
"signature_mismatch" -> {
Log.e("Security", "APK signature mismatch detected!")
val expectedHash = metadata["expectedSignatureHash"] as? String
val actualHash = metadata["actualSignatureHash"] as? String
Log.d("Hashes", "Expected: $expectedHash, Actual: $actualHash")
}
"signature_extraction_failure" -> {
Log.w("Security", "Failed to extract signature: $confidence confidence")
}
"verification_failure" -> {
Log.w("Security", "Verification failed: $confidence confidence")
}
}
}
config.addProtection(
ProtectionModuleType.TAMPERING_DETECTION,
"handle-tampering",
300000
)
}Java - Basic Integration
Java
import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;
public class SecurityManager {
public void initializeTamperingProtection() {
Monitor.configure(config -> {
config.addProtection(
ProtectionModuleType.TAMPERING_DETECTION,
ActionType.CLOSE,
300000
);
});
}
}import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;
public class SecurityManager {
public void initializeTamperingProtection() {
Monitor.configure(config -> {
config.addProtection(
ProtectionModuleType.TAMPERING_DETECTION,
ActionType.CLOSE,
300000
);
});
}
}Platform Compatibility
| Platform | Status | Notes |
|---|---|---|
| Android 5.0+ | ✓ Fully Supported | APK signature verification via PackageManager |
| Android 11+ | ✓ Optimized | Enhanced reflection for signature extraction |
| Google Play | ✓ Recommended | Compatible with Play Integrity API |
| Side-loaded Apps | ✓ Protected | Works with manually installed APKs |
Performance Impact
- CPU Impact: 1-2% increase during detection cycles
- Memory Overhead: ~200 KB for hash cache
- Detection Latency: 50-150 ms per cycle
- Battery Impact: Minimal (5-minute intervals with caching)
Threat Detection Details
JSON
{
"detection": {
"threatType": "signature_mismatch",
"timestamp": "2026-03-03T15:10:22.987Z",
"description": "APK signature hash mismatch with license binding",
"confidence": 1.0,
"metadata": {
"detectionMethod": "apk_signature_verification",
"expectedSignatureHash": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
"actualSignatureHash": "z9y8x7w6v5u4t3s2r1q0p9o8n7m6l5k4",
"certificateStatus": "valid",
"jwtTokenStatus": "verified",
"licenseBindingValid": false
}
}
}{
"detection": {
"threatType": "signature_mismatch",
"timestamp": "2026-03-03T15:10:22.987Z",
"description": "APK signature hash mismatch with license binding",
"confidence": 1.0,
"metadata": {
"detectionMethod": "apk_signature_verification",
"expectedSignatureHash": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
"actualSignatureHash": "z9y8x7w6v5u4t3s2r1q0p9o8n7m6l5k4",
"certificateStatus": "valid",
"jwtTokenStatus": "verified",
"licenseBindingValid": false
}
}
}JSON
{
"detection": {
"threatType": "signature_extraction_failure",
"timestamp": "2026-03-03T15:11:45.654Z",
"description": "Unable to extract APK signature for verification",
"confidence": 0.8,
"metadata": {
"detectionMethod": "reflection_based_extraction",
"failureReason": "PackageManager unavailable",
"fallbackVerification": "pending"
}
}
}{
"detection": {
"threatType": "signature_extraction_failure",
"timestamp": "2026-03-03T15:11:45.654Z",
"description": "Unable to extract APK signature for verification",
"confidence": 0.8,
"metadata": {
"detectionMethod": "reflection_based_extraction",
"failureReason": "PackageManager unavailable",
"fallbackVerification": "pending"
}
}
}