Network Tampering Detection
Protection Module: NetworkTampering
Detects network-level attacks including proxies, MITM tools, and certificate manipulation.
Available for:
- Desktop Applications
- Mobile Applications
- Server Applications
How It Works
Network Tampering Detection monitors network configuration and traffic patterns to identify interception attempts.
Detection Methods:
- Proxy Detection - Identifies system proxies and proxy tools
- MITM Tool Detection - Detects Fiddler, Burp Suite, Charles Proxy, mitmproxy
- Certificate Validation - Identifies invalid or suspicious certificates
- SSL Pinning Violations - Detects certificate pinning bypasses
- DNS Tampering - Identifies DNS hijacking or spoofing
- Traffic Pattern Analysis - Detects unusual network behavior
Common Tools Detected:
- Fiddler
- Burp Suite
- Charles Proxy
- mitmproxy
- OWASP ZAP
- Wireshark (in capture mode)
- HTTP Toolkit
Configuration
JSON Configuration
JSON
{
  "protections": {
    "NetworkTampering": {
      "enabled": true,
      "action": "close",
      "intervalMs": 60000
    }
  }
}
Code-Based Configuration
C#
await Payload.ConfigureAsync(config =>
{
    config.AddProtection(ProtectionModuleType.NetworkTampering, ActionType.Close);
});
Advanced Configuration
JSON
{
  "protections": {
    "NetworkTampering": {
      "enabled": true,
      "action": "close",
      "intervalMs": 60000,
      "config": {
        "detectProxies": true,
        "detectMitmTools": true,
        "validateCertificates": true,
        "enableSslPinning": true,
        "allowedProxies": [],
        "trustedCertificates": []
      }
    }
  }
}
Available Actions
| Action | Behavior | Recommended For |
|---|---|---|
| Close | Terminate immediately | Banking apps, DRM |
| Log | Record detection and continue | Analytics, monitoring |
| Custom | Execute custom handler | User warnings, fallback |
Configuration Parameters
| Parameter | Description | Default |
|---|---|---|
| detectProxies | Detect system proxy configuration | true |
| detectMitmTools | Detect known MITM tools | true |
| validateCertificates | Validate SSL/TLS certificates | true |
| enableSslPinning | Enable certificate pinning | true |
| allowedProxies | Whitelist of allowed proxies | [] |
| trustedCertificates | Trusted certificate thumbprints | [] |
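To show what a thumbprint pin such as a `trustedCertificates` entry enforces at the TLS layer, here is an added example (not Payload's own code) that pins a host to SHA-256 certificate thumbprints using the standard `HttpClientHandler` validation callback. `PinnedHttp`, `Pins` and `PinningViolation` are hypothetical names, the thumbprint is a placeholder, and .NET 6+ is assumed.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added illustration; PinnedHttp and its members are hypothetical, not Payload APIs.
public static class PinnedHttp
{
    // host -> allowed SHA-256 certificate thumbprints (hex). The value is a placeholder.
    private static readonly Dictionary<string, HashSet<string>> Pins =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            ["api.example.com"] = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
                { "<SHA256-THUMBPRINT-HEX-PLACEHOLDER>" }
        };

    // Raised with the same fields as the page's "Certificate Pinning Violation" scenario.
    public static event Action<object>? PinningViolation;

    public static HttpClient Create() => new HttpClient(new HttpClientHandler
    {
        ServerCertificateCustomValidationCallback = Validate
    });

    private static bool Validate(HttpRequestMessage request, X509Certificate2? cert,
                                 X509Chain? chain, SslPolicyErrors errors)
    {
        // Pinning supplements normal chain and hostname validation; it never replaces it.
        if (errors != SslPolicyErrors.None || cert is null) return false;

        string host = request.RequestUri?.Host ?? string.Empty;
        if (!Pins.TryGetValue(host, out var allowed)) return false; // fail closed: unpinned host

        string actual = cert.GetCertHashString(HashAlgorithmName.SHA256);
        if (allowed.Contains(actual)) return true;

        PinningViolation?.Invoke(new
        {
            detectionType = "SslPinningViolation",
            expectedThumbprint = string.Join(",", allowed),
            actualThumbprint = actual,
            host
        });
        return false;
    }
}
```

Pinning the leaf certificate's thumbprint means every renewal changes the expected value, so ship at least one backup pin before the server certificate is rotated.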
When to Use
Strongly Recommended for:
- Banking and financial applications
- Payment processing apps
- DRM-protected content
- License validation systems
- Healthcare applications (HIPAA)
- Enterprise apps with sensitive data
Code Example - API Client Protection:
C#
config.RegisterCustomAction("network-security-handler", async (threat) =>
{
    var detectionType = threat.Metadata["detectionType"]?.ToString();
    var toolName = threat.Metadata["toolName"]?.ToString();
    await SecurityLogger.LogCriticalAsync(new
    {
        Type = "NetworkTampering",
        DetectionType = detectionType,
        Tool = toolName,
        Timestamp = DateTime.UtcNow,
        UserAgent = HttpContext.Request.Headers["User-Agent"]
    });
    // Notify user
    await ShowSecurityWarningAsync(
        "Network Security Alert",
        $"Suspicious network activity detected ({detectionType}). " +
        "Please ensure you're not using a proxy or network monitoring tool."
    );
    // For critical apps, terminate
    if (detectionType == "MitmTool" || detectionType == "CertificateInvalid")
    {
        Environment.Exit(-1);
    }
});
Detection Scenarios
System Proxy Detected
JSON
{
  "detectionType": "SystemProxy",
  "proxyAddress": "127.0.0.1:8888",
  "proxyType": "HTTP"
}
MITM Tool Detected
JSON
{
  "detectionType": "MitmTool",
  "toolName": "Fiddler",
  "processId": 12345,
  "certificateIssuer": "DO_NOT_TRUST_FiddlerRoot"
}
Certificate Pinning Violation
JSON
{
  "detectionType": "SslPinningViolation",
  "expectedThumbprint": "ABC123...",
  "actualThumbprint": "XYZ789...",
  "host": "api.example.com"
}
Performance Impact
- Detection Time: <10ms per check
- CPU Usage: Negligible
- Memory: <200 KB
- Network: No additional network calls
Recommended Interval: 60000ms (1 minute)
Platform Compatibility
| Platform | Support | Notes |
|---|---|---|
| Windows | ✔ | Full support with WinHTTP API |
| Linux | ✔ | Proxy detection via environment vars |
| macOS | ✔ | System Configuration framework |
| Android | ✔ | Network security config |
| iOS | ✔ | NSURLSession security |
| .NET 6+ | ✔ | Full support |
| .NET Framework 4.6.2+ | ✔ | Full support |
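The Linux row above relies on proxy environment variables. As an added example (not Payload's own code), the check below reads the conventional proxy variables, normalizes each value to `host:port`, skips entries on an `allowedProxies`-style allowlist, and reports the rest in the page's `SystemProxy` shape. `ProxyEnvCheck`, the `source` field and the demo environment are assumptions made for illustration.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;
// Added illustration; ProxyEnvCheck is a hypothetical name, not a Payload API.
public static class ProxyEnvCheck
{
    private static readonly string[] Vars =
        { "HTTPS_PROXY", "https_proxy", "HTTP_PROXY", "http_proxy", "ALL_PROXY", "all_proxy" };

    // "http://user:pw@Proxy.Company.com:8080/" -> "proxy.company.com:8080" (credentials dropped).
    public static string? Normalize(string? value)
    {
        if (string.IsNullOrWhiteSpace(value)) return null;
        string v = value.Trim();
        if (!v.Contains("://")) v = "http://" + v;   // bare host:port is a common form
        if (!Uri.TryCreate(v, UriKind.Absolute, out var uri) || uri.Host.Length == 0) return null;
        string host = uri.Host.ToLowerInvariant();
        return uri.Port < 0 ? host : $"{host}:{uri.Port}";
    }

    // Returns one SystemProxy finding per configured proxy that is not allowlisted.
    public static List<Dictionary<string, string>> Check(
        Func<string, string?> getEnv, IEnumerable<string> allowedProxies)
    {
        var allowed = new HashSet<string>(allowedProxies.Select(Normalize).OfType<string>());
        var findings = new List<Dictionary<string, string>>();
        var seen = new HashSet<string>();
        foreach (string name in Vars)
        {
            string? proxy = Normalize(getEnv(name));
            if (proxy is null || allowed.Contains(proxy) || !seen.Add(proxy)) continue;
            findings.Add(new Dictionary<string, string>
            {
                ["detectionType"] = "SystemProxy",
                ["proxyAddress"] = proxy,
                ["source"] = name   // extra field, not part of the page's sample payload
            });
        }
        return findings;
    }

    public static void Main()
    {
        // Constructed environment for the demo; pass Environment.GetEnvironmentVariable in real use.
        var env = new Dictionary<string, string?>
            { ["HTTPS_PROXY"] = "http://127.0.0.1:8888", ["http_proxy"] = "proxy.company.com:8080" };
        foreach (var f in Check(n => env.GetValueOrDefault(n), new[] { "proxy.company.com:8080" }))
            Console.WriteLine($"{f["detectionType"]} {f["proxyAddress"]} via {f["source"]}");
    }
}
```

Environment variables are only one signal: they are inherited per process, and a transparent or OS-level proxy will not appear in them.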
SSL Pinning Example
C#
// Configure SSL pinning for specific hosts
await Payload.ConfigureAsync(config =>
{
    config.AddProtection(
        ProtectionModuleType.NetworkTampering,
        ActionType.Close,
        new
        {
            enableSslPinning = true,
            trustedCertificates = new[]
            {
                new
                {
                    host = "api.example.com",
                    thumbprint = "ABC123DEF456..." // SHA256 thumbprint
                }
            }
        }
    );
});
Mobile-Specific Configuration
Android
C#
// Detect proxy via Android System Settings
config.RegisterCustomAction("android-proxy-check", async (threat) =>
{
    if (threat.Metadata["detectionType"]?.ToString() == "SystemProxy")
    {
        // AlertDialog.Builder is constructed with `new`; Show() returns the dialog and is not awaitable
        new Android.App.AlertDialog.Builder(context)
            .SetTitle("Proxy Detected")
            .SetMessage("This app cannot run with a proxy enabled.")
            .SetPositiveButton("OK", (s, e) => Process.KillProcess(Process.MyPid()))
            .Show();
    }
});
iOS
C#
// iOS Network Security
config.RegisterCustomAction("ios-network-check", async (threat) =>
{
    var alert = UIAlertController.Create(
        "Network Security",
        "Network tampering detected. Please disable any VPN or proxy.",
        UIAlertControllerStyle.Alert
    );
    // Thread.Abort() throws PlatformNotSupportedException on .NET 5+, so exit the process instead
    alert.AddAction(UIAlertAction.Create("Exit", UIAlertActionStyle.Destructive,
        _ => Environment.Exit(-1)
    ));
    await PresentViewControllerAsync(alert, true);
});
Best Practices
- Combine with Certificate Pinning
C#
// Use both network tampering detection AND certificate pinning
options.EnableNetworkTamperingDetection();
options.EnableCertificatePinning("api.example.com", "thumbprint");
- Whitelist Corporate Proxies
JSON
{
  "config": {
    "allowedProxies": [
      "proxy.company.com:8080"
    ]
  }
}
- Gradual Response for Less Critical Apps
C#
// Don't immediately terminate - warn first
if (isFirstDetection)
{
    await ShowWarningAsync("Please disable proxy tools");
}
else
{
    Environment.Exit(-1);
}
Threat Detection Details
JSON
{
  "threatId": "NET-2025-12-28-3456",
  "description": "Network tampering detected",
  "moduleType": "NetworkTampering",
  "detectedAt": "2025-12-28T18:30:00Z",
  "confidence": 0.95,
  "metadata": {
    "detectionType": "MitmTool",
    "toolName": "Fiddler",
    "proxyAddress": "127.0.0.1:8888",
    "certificateIssuer": "DO_NOT_TRUST_FiddlerRoot",
    "processId": 12345,
    "processPath": "C:\\Program Files\\Fiddler\\Fiddler.exe"
  }
}
Related Protections
- Actions - Configure responses
- Custom Actions - Create handlers