Clock Tampering Detection
Protection Module: ClockTampering
Detects if the system clock has been manipulated to bypass time-based restrictions.
Available for:
- Desktop Applications
- Mobile Applications
- Server Applications
How It Works
Clock Tampering Detection monitors system time changes to identify manipulation attempts used to bypass trial periods, licenses, or time-based features.
Detection Methods:
- Time Jump Detection - Identifies sudden backward/forward time changes
- Monotonic Clock Validation - Compares system time vs monotonic clock
- NTP Server Validation - Optional verification against network time servers
- Boot Time Analysis - Detects system time set before boot time
- Time Consistency Checks - Validates time progression between checks
Common Tampering Scenarios:
- Trial period extension by setting clock backward
- License expiration bypass
- Time-limited feature abuse
- Subscription validation circumvention
- Session timeout bypass
Configuration
JSON Configuration
JSON
{
"protections": {
"ClockTampering": {
"enabled": true,
"action": "close"
}
}
}{
"protections": {
"ClockTampering": {
"enabled": true,
"action": "close"
}
}
}Code-Based Configuration
C#
await Payload.ConfigureAsync(config =>
{
config.AddProtection(ProtectionModuleType.ClockTampering, ActionType.Close);
});await Payload.ConfigureAsync(config =>
{
config.AddProtection(ProtectionModuleType.ClockTampering, ActionType.Close);
});Advanced Configuration
JSON
{
"protections": {
"ClockTampering": {
"enabled": true,
"action": "close",
"intervalMs": 300000,
"config": {
"maxAllowedSkew": 60,
"useNTP": false,
"ntpServers": ["pool.ntp.org"],
"detectBackwardJumps": true,
"detectForwardJumps": true
}
}
}
}{
"protections": {
"ClockTampering": {
"enabled": true,
"action": "close",
"intervalMs": 300000,
"config": {
"maxAllowedSkew": 60,
"useNTP": false,
"ntpServers": ["pool.ntp.org"],
"detectBackwardJumps": true,
"detectForwardJumps": true
}
}
}
}Available Actions
| Action | Behavior | Recommended For |
|---|---|---|
| Close | Terminate application | Trial software, time-based licenses |
| Log | Record tampering and continue | Analytics, monitoring |
| Custom | Execute custom handler | Grace periods, user warnings |
| None | Detect only | Testing |
Configuration Parameters
JSON
{
"config": {
"maxAllowedSkew": 60,
"useNTP": false,
"ntpServers": ["pool.ntp.org", "time.google.com"],
"detectBackwardJumps": true,
"detectForwardJumps": true,
"allowTimezoneChanges": true
}
}{
"config": {
"maxAllowedSkew": 60,
"useNTP": false,
"ntpServers": ["pool.ntp.org", "time.google.com"],
"detectBackwardJumps": true,
"detectForwardJumps": true,
"allowTimezoneChanges": true
}
}| Parameter | Description | Default | Unit |
|---|---|---|---|
maxAllowedSkew | Maximum allowed time deviation | 60 | seconds |
useNTP | Validate against NTP servers | false | boolean |
ntpServers | NTP servers for validation | [] | array |
detectBackwardJumps | Detect backward time changes | true | boolean |
detectForwardJumps | Detect forward time changes | true | boolean |
allowTimezoneChanges | Allow timezone changes | true | boolean |
NTP Requirement
When useNTP: true, the application requires internet connectivity. This may not be suitable for offline applications.
When to Use
Recommended for:
- Trial/Shareware Software - Prevent trial period extension
- Time-Based Licenses - Validate license expiration dates
- Subscription Apps - Verify subscription validity
- Time-Limited Features - Enforce feature expiration
- Gaming - Prevent time-based exploit farming
- Financial Apps - Ensure accurate timestamps
Not recommended for:
- Applications without time-based restrictions
- Apps that need to run with incorrect system time
- Embedded systems with unreliable clocks
Code Examples
Trial Period Protection
C#
config.RegisterCustomAction("trial-tampering-handler", async (threat) =>
{
var tamperingType = threat.Metadata["tamperingType"]?.ToString();
await File.AppendAllTextAsync("security.log",
$"[{DateTime.UtcNow}] Clock tampering detected: {tamperingType}\n");
await ShowMessageAsync(
"Security Violation",
"System clock manipulation detected. The trial period cannot be extended by changing system time."
);
await Task.Delay(5000);
Environment.Exit(-1);
});
config.AddProtection(ProtectionModuleType.ClockTampering, "trial-tampering-handler");config.RegisterCustomAction("trial-tampering-handler", async (threat) =>
{
var tamperingType = threat.Metadata["tamperingType"]?.ToString();
await File.AppendAllTextAsync("security.log",
$"[{DateTime.UtcNow}] Clock tampering detected: {tamperingType}\n");
await ShowMessageAsync(
"Security Violation",
"System clock manipulation detected. The trial period cannot be extended by changing system time."
);
await Task.Delay(5000);
Environment.Exit(-1);
});
config.AddProtection(ProtectionModuleType.ClockTampering, "trial-tampering-handler");License Validation with Grace Period
C#
config.RegisterCustomAction("license-tampering-handler", async (threat) =>
{
var skewSeconds = (int)(threat.Metadata["timeSkew"] ?? 0);
// Allow small clock adjustments (DST, manual correction)
if (Math.Abs(skewSeconds) < 300) // 5 minutes
{
await LogSecurityEventAsync("clock_skew_minor", skewSeconds);
return;
}
// Show warning for moderate tampering
if (Math.Abs(skewSeconds) < 3600) // 1 hour
{
await ShowWarningAsync(
"Time Sync Issue",
"System clock appears incorrect. Please verify your system time settings."
);
return;
}
// Critical tampering - enforce license
var license = await ValidateLicenseAsync();
if (!license.IsValid || license.IsExpired)
{
await ShowLicenseExpiredDialog();
Environment.Exit(-1);
}
});config.RegisterCustomAction("license-tampering-handler", async (threat) =>
{
var skewSeconds = (int)(threat.Metadata["timeSkew"] ?? 0);
// Allow small clock adjustments (DST, manual correction)
if (Math.Abs(skewSeconds) < 300) // 5 minutes
{
await LogSecurityEventAsync("clock_skew_minor", skewSeconds);
return;
}
// Show warning for moderate tampering
if (Math.Abs(skewSeconds) < 3600) // 1 hour
{
await ShowWarningAsync(
"Time Sync Issue",
"System clock appears incorrect. Please verify your system time settings."
);
return;
}
// Critical tampering - enforce license
var license = await ValidateLicenseAsync();
if (!license.IsValid || license.IsExpired)
{
await ShowLicenseExpiredDialog();
Environment.Exit(-1);
}
});NTP Validation for Critical Apps
C#
// Configure with NTP validation
await Payload.ConfigureAsync(config =>
{
config.RegisterCustomAction("ntp-validation", async (threat) =>
{
var localTime = DateTime.Now;
var ntpTime = await GetNtpTimeAsync("pool.ntp.org");
var diff = Math.Abs((ntpTime - localTime).TotalSeconds);
if (diff > 120) // 2 minutes skew
{
await ShowMessageAsync(
"Time Sync Required",
$"Your system clock is {diff:F0} seconds off. " +
"Please sync with internet time before using this application."
);
Environment.Exit(-1);
}
});
config.AddProtection(ProtectionModuleType.ClockTampering, "ntp-validation");
});// Configure with NTP validation
await Payload.ConfigureAsync(config =>
{
config.RegisterCustomAction("ntp-validation", async (threat) =>
{
var localTime = DateTime.Now;
var ntpTime = await GetNtpTimeAsync("pool.ntp.org");
var diff = Math.Abs((ntpTime - localTime).TotalSeconds);
if (diff > 120) // 2 minutes skew
{
await ShowMessageAsync(
"Time Sync Required",
$"Your system clock is {diff:F0} seconds off. " +
"Please sync with internet time before using this application."
);
Environment.Exit(-1);
}
});
config.AddProtection(ProtectionModuleType.ClockTampering, "ntp-validation");
});Gaming Time-Based Rewards
C#
config.RegisterCustomAction("gaming-time-check", async (threat) =>
{
var tamperingType = threat.Metadata["tamperingType"]?.ToString();
// Log to anti-cheat system
await AntiCheatService.ReportTimeManipulation(
CurrentPlayer.Id,
tamperingType,
threat.Metadata
);
// Reset time-based rewards
await PlayerProgressService.ResetDailyRewards(CurrentPlayer.Id);
// Show warning
await ShowInGameMessage(
"Time manipulation detected. Daily rewards have been reset."
);
});config.RegisterCustomAction("gaming-time-check", async (threat) =>
{
var tamperingType = threat.Metadata["tamperingType"]?.ToString();
// Log to anti-cheat system
await AntiCheatService.ReportTimeManipulation(
CurrentPlayer.Id,
tamperingType,
threat.Metadata
);
// Reset time-based rewards
await PlayerProgressService.ResetDailyRewards(CurrentPlayer.Id);
// Show warning
await ShowInGameMessage(
"Time manipulation detected. Daily rewards have been reset."
);
});Detection Scenarios
Backward Time Jump
C#
// User sets clock from 2025-12-28 to 2025-12-20
// Threat metadata:
{
"tamperingType": "backward-jump",
"timeSkew": -691200, // seconds backward
"previousTime": "2025-12-28T10:00:00Z",
"currentTime": "2025-12-20T10:00:00Z"
}// User sets clock from 2025-12-28 to 2025-12-20
// Threat metadata:
{
"tamperingType": "backward-jump",
"timeSkew": -691200, // seconds backward
"previousTime": "2025-12-28T10:00:00Z",
"currentTime": "2025-12-20T10:00:00Z"
}Forward Time Jump
C#
// User sets clock from 2025-12-28 to 2026-01-15
// Threat metadata:
{
"tamperingType": "forward-jump",
"timeSkew": 1555200, // seconds forward
"previousTime": "2025-12-28T10:00:00Z",
"currentTime": "2026-01-15T10:00:00Z"
}// User sets clock from 2025-12-28 to 2026-01-15
// Threat metadata:
{
"tamperingType": "forward-jump",
"timeSkew": 1555200, // seconds forward
"previousTime": "2025-12-28T10:00:00Z",
"currentTime": "2026-01-15T10:00:00Z"
}Timezone Change (Allowed)
C#
// User changes timezone from UTC-5 to UTC+2
// If allowTimezoneChanges: true, this is not flagged// User changes timezone from UTC-5 to UTC+2
// If allowTimezoneChanges: true, this is not flaggedPerformance Impact
Detection Time: <5ms per check CPU Usage: Negligible Memory: <100 KB Network: Only if useNTP: true
Recommended Interval: 300000ms (5 minutes)
Platform Compatibility
| Platform | Support | Notes |
|---|---|---|
| Windows | ✔ | Full support with WinAPI |
| Linux | ✔ | Uses CLOCK_MONOTONIC |
| macOS | ✔ | Uses mach_absolute_time |
| Android | ✔ | SystemClock.elapsedRealtime() |
| iOS | ✔ | CACurrentMediaTime() |
| .NET 6+ | ✔ | Full support |
| .NET Framework 4.6.2+ | ✔ | Full support |
Threat Detection Details
JSON
{
"threatId": "CLK-2025-12-28-2345",
"description": "System clock tampering detected",
"moduleType": "ClockTampering",
"detectedAt": "2025-12-28T18:20:00Z",
"confidence": 0.98,
"metadata": {
"tamperingType": "backward-jump",
"timeSkew": -259200,
"previousTime": "2025-12-28T10:00:00Z",
"currentTime": "2025-12-25T10:00:00Z",
"monotonicTime": 1234567890,
"bootTime": "2025-12-27T08:00:00Z"
}
}{
"threatId": "CLK-2025-12-28-2345",
"description": "System clock tampering detected",
"moduleType": "ClockTampering",
"detectedAt": "2025-12-28T18:20:00Z",
"confidence": 0.98,
"metadata": {
"tamperingType": "backward-jump",
"timeSkew": -259200,
"previousTime": "2025-12-28T10:00:00Z",
"currentTime": "2025-12-25T10:00:00Z",
"monotonicTime": 1234567890,
"bootTime": "2025-12-27T08:00:00Z"
}
}Best Practices
- Store Last Verification Time Securely
C#
// Don't store in plain text files
// Use encrypted storage or server-side validation
await SecureStorage.SetAsync("last_time_check", DateTime.UtcNow.ToString());// Don't store in plain text files
// Use encrypted storage or server-side validation
await SecureStorage.SetAsync("last_time_check", DateTime.UtcNow.ToString());- Combine with Server Validation
C#
// For critical apps, validate with backend
var serverTime = await ApiClient.GetServerTimeAsync();
ValidateAgainstServerTime(serverTime);// For critical apps, validate with backend
var serverTime = await ApiClient.GetServerTimeAsync();
ValidateAgainstServerTime(serverTime);- Allow Grace Period for Legitimate Adjustments
C#
// Small time adjustments are normal (NTP sync, DST)
if (Math.Abs(timeSkew) < 300) // 5 minutes
{
// Allow it
return;
}// Small time adjustments are normal (NTP sync, DST)
if (Math.Abs(timeSkew) < 300) // 5 minutes
{
// Allow it
return;
}Related Protections
- Tampering Detection - Code modifications
- Debugger Detection - Debug prevention
- License Binding - Hardware binding