Network Tampering Detection

Protection Module: NetworkTampering

Available For

| Platform | Version | Status |
|---|---|---|
| iOS | 12.0+ | ✓ Full Support |
| iPadOS | 12.0+ | ✓ Full Support (requires NEVPNManager entitlement) |
| tvOS | 12.0+ | ✓ Supported |

How It Works

The Network Tampering Detection module monitors the device's network configuration for signs of interception, proxying, and DNS manipulation, which are common man-in-the-middle attack vectors.

Detection Techniques

  • Proxy Detection: Uses CFNetworkCopySystemProxySettings() to detect HTTP/HTTPS/SOCKS proxies configured on the device that could intercept traffic.
  • VPN Detection: Analyzes VPN status via NEVPNManager and monitors network interfaces for VPN tunnel interfaces (utun, ppp, ipsec) indicating active VPN connections.
  • DNS Validation: Performs DNS lookups on known domains and validates responses against expected values to detect DNS hijacking and spoofing.
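
The proxy and tunnel-interface checks described above can be sketched with public system APIs. This is an added example, not ByteHide's implementation; the function names are hypothetical, and a matching interface name is a signal to weigh rather than proof of a user-configured VPN.

```swift
import Foundation
import CFNetwork

// Tunnel-interface name prefixes named in the VPN Detection bullet.
let tunnelPrefixes = ["utun", "ppp", "ipsec"]

/// Returns "host:port" or the PAC URL when a system proxy is configured, else nil.
func configuredSystemProxy() -> String? {
    guard let raw = CFNetworkCopySystemProxySettings()?.takeRetainedValue(),
          let settings = raw as? [String: Any] else { return nil }

    func flag(_ key: CFString) -> Bool {
        (settings[key as String] as? NSNumber)?.boolValue ?? false
    }
    // Manually configured HTTP proxy.
    if flag(kCFNetworkProxiesHTTPEnable),
       let host = settings[kCFNetworkProxiesHTTPProxy as String] as? String {
        let port = (settings[kCFNetworkProxiesHTTPPort as String] as? NSNumber)?.intValue ?? 80
        return "\(host):\(port)"
    }
    // Automatic (PAC) configuration is reported under separate keys.
    if flag(kCFNetworkProxiesProxyAutoConfigEnable),
       let pac = settings[kCFNetworkProxiesProxyAutoConfigURLString as String] as? String {
        return pac
    }
    return nil
}

/// Names of interfaces that are up, running, and match a tunnel prefix.
func activeTunnelInterfaces() -> [String] {
    var head: UnsafeMutablePointer<ifaddrs>?
    guard getifaddrs(&head) == 0, let first = head else { return [] }
    defer { freeifaddrs(head) }

    var names = Set<String>()   // one interface appears once per address family
    for entry in sequence(first: first, next: { $0.pointee.ifa_next }) {
        let flags = Int32(entry.pointee.ifa_flags)
        guard flags & IFF_UP != 0, flags & IFF_RUNNING != 0 else { continue }
        let name = String(cString: entry.pointee.ifa_name)
        if tunnelPrefixes.contains(where: { name.hasPrefix($0) }) { names.insert(name) }
    }
    return names.sorted()
}

if let proxy = configuredSystemProxy() { print("proxy configured:", proxy) }
let tunnels = activeTunnelInterfaces()
if !tunnels.isEmpty { print("tunnel interfaces up:", tunnels) }
```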

Detection Confidence:

  • Proxy detection: 0.8 (80%)
  • VPN detection: 0.7 (70%)
  • DNS validation: 0.9 (90%)

Default Interval: 300 seconds (5 minutes)
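
The DNS validation technique listed above amounts to resolving a known name and comparing the answers with a pinned set. The following is an added example, not ByteHide's implementation; the host name `dns-canary.example.com` and its addresses are constructed placeholders standing in for a record you control, and the type and function names are hypothetical.

```swift
import Foundation

enum DNSVerdict: Equatable {
    case ok
    case unresolved              // lookup failed: offline or filtered, not proof of tampering
    case mismatch(Set<String>)   // answers outside the expected set
}

/// Resolves `host` to numeric IPv4 strings. Blocking: call it off the main thread.
func resolveIPv4(_ host: String) -> Set<String> {
    var hints = addrinfo()
    hints.ai_family = AF_INET
    hints.ai_socktype = SOCK_STREAM
    var result: UnsafeMutablePointer<addrinfo>?
    guard getaddrinfo(host, nil, &hints, &result) == 0, let first = result else { return [] }
    defer { freeaddrinfo(result) }

    var addresses = Set<String>()
    for ai in sequence(first: first, next: { $0.pointee.ai_next }) {
        var buffer = [CChar](repeating: 0, count: Int(NI_MAXHOST))
        if getnameinfo(ai.pointee.ai_addr, ai.pointee.ai_addrlen,
                       &buffer, socklen_t(buffer.count), nil, 0, NI_NUMERICHOST) == 0 {
            addresses.insert(String(cString: buffer))
        }
    }
    return addresses
}

/// Pure comparison, kept separate so it can be unit-tested with canned answers.
func judge(resolved: Set<String>, expected: Set<String>) -> DNSVerdict {
    if resolved.isEmpty { return .unresolved }
    let unexpected = resolved.subtracting(expected)
    return unexpected.isEmpty ? .ok : .mismatch(unexpected)
}

// Constructed sample values (TEST-NET-3 range); use fixed A records you control.
let canaryHost = "dns-canary.example.com"
let expectedAddresses: Set<String> = ["203.0.113.10", "203.0.113.11"]
let verdict = judge(resolved: resolveIPv4(canaryHost), expected: expectedAddresses)
print("DNS verdict for \(canaryHost):", verdict)
```

Pinning exact addresses only works for records that do not rotate; a name served from a CDN or a geo-balanced pool will produce mismatches without any tampering.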

JSON Configuration

JSON
{
  "protections": [
    {
      "type": "NetworkTampering",
      "action": "close",
      "intervalMs": 300000
    }
  ]
}

Code-Based Configuration

Swift

Swift
import ByteHideMonitor

BHMMonitor.configure { config in
    config.enableProtection(.networkTampering, action: .close, intervalMs: 300000)
}

Objective-C

OBJC
#import <ByteHideMonitor/ByteHideMonitor.h>

[BHMMonitor configure:^(BHMMonitorConfiguration *config) {
    [config enableProtection:BHMProtectionModuleTypeNetworkTampering
                      action:BHMActionTypeClose
                  intervalMs:300000];
}];

Available Actions

| Action | Behavior | Recommended For |
|---|---|---|
| Close | Terminate application immediately | Production apps with critical IP |
| Log | Record incident and continue | Development, analytics |
| Erase | Securely delete data then terminate | Financial, healthcare apps |
| Custom | Execute custom handler | Enterprise integrations |
| None | Detect only, no action | Testing configurations |

See Actions for detailed action documentation.

When to Use

  • Financial Apps: Prevent credential interception and transaction tampering via proxies
  • Banking Applications: Detect man-in-the-middle attacks on authentication flows
  • Healthcare Apps: Ensure HIPAA compliance by preventing network interception
  • API Clients: Protect API keys and sensitive data transmission
  • Enterprise Apps: Enforce network security policies for corporate data
  • Streaming Services: Prevent content interception and licensing bypass
  • Development: Use Log action to track network configuration changes

Code Examples

Swift Basic Configuration

Swift
import ByteHideMonitor

// In your AppDelegate or app initialization
BHMMonitor.configure { config in
    config.enableProtection(.networkTampering, action: .close, intervalMs: 300000)
}

Swift with Custom Action

Swift
import ByteHideMonitor

BHMMonitor.configure { config in
    // Register custom handler for network tampering detection
    config.registerCustomAction("network-tampering-handler") { context in
        let threatType = context.threatType
        let description = context.threatDescription
        let metadata = context.metadata

        // Extract network configuration details
        if let evidence = context.detectionResult?.evidence {
            let proxyDetected = evidence["proxy_configured"] as? Bool ?? false
            let vpnActive = evidence["vpn_active"] as? Bool ?? false
            let dnsIssues = evidence["dns_hijacking"] as? Bool ?? false

            // Alert user about network security issue
            if proxyDetected {
                UserAlerts.show(message: "A network proxy was detected. This may compromise your security.")
            }
            if vpnActive {
                UserAlerts.show(message: "A VPN connection is active. Disable it to continue.")
            }
        }

        // Report to security backend
        SecurityAPI.reportNetworkTampering(
            threatType: threatType,
            description: description,
            metadata: metadata
        )

        // Log to analytics
        Analytics.log(event: "network_tampering_detected", parameters: [
            "threat_type": threatType,
            "description": description,
            "timestamp": ISO8601DateFormatter().string(from: Date())
        ])
    }

    config.enableProtection(.networkTampering, customAction: "network-tampering-handler", intervalMs: 300000)
}

Objective-C Basic Configuration

OBJC
#import <ByteHideMonitor/ByteHideMonitor.h>

[BHMMonitor configure:^(BHMMonitorConfiguration *config) {
    [config enableProtection:BHMProtectionModuleTypeNetworkTampering
                      action:BHMActionTypeClose
                  intervalMs:300000];
}];

Objective-C with Custom Action

OBJC
#import <ByteHideMonitor/ByteHideMonitor.h>

[BHMMonitor configure:^(BHMMonitorConfiguration *config) {
    [config registerCustomAction:@"network-tampering-handler" handler:^(BHMThreatContext *context) {
        NSString *threatType = context.threatType;
        NSString *description = context.threatDescription;
        NSDictionary *metadata = context.metadata;

        // Extract network details
        if (context.detectionResult && context.detectionResult.evidence) {
            BOOL proxyDetected = [context.detectionResult.evidence[@"proxy_configured"] boolValue];
            BOOL vpnActive = [context.detectionResult.evidence[@"vpn_active"] boolValue];
            BOOL dnsIssues = [context.detectionResult.evidence[@"dns_hijacking"] boolValue];

            if (proxyDetected) {
                [UserAlerts show:@"A network proxy was detected"];
            }
            if (vpnActive) {
                [UserAlerts show:@"A VPN connection is active"];
            }
        }

        // Report threat
        [SecurityAPI reportNetworkTamperingWithType:threatType
                                        description:description
                                           metadata:metadata];

        // Log event
        [Analytics logEvent:@"network_tampering_detected"
                parameters:@{
                    @"threat_type": threatType,
                    @"description": description
                }];
    }];

    [config enableProtection:BHMProtectionModuleTypeNetworkTampering
                customAction:@"network-tampering-handler"
                  intervalMs:300000];
}];

Platform Compatibility

Feature | iOS 12-13 | iOS 14-15 | iOS 16+
Proxy Detection
VPN Detection
Network Interface Analysis
DNS Validation
NEVPNManager Integration
Continuous Monitoring

Note: VPN detection requires the com.apple.developer.networking.vpn entitlement for full NEVPNManager access on iOS 14+.

Performance Impact

  • CPU Usage: ~0.3-0.6% per check cycle (varies with DNS lookups)
  • Memory Overhead: <600 KB
  • Battery Impact: Low with 5-minute intervals
  • Network Usage: One DNS query per check (minimal bandwidth)
  • First Detection: <100ms for proxy/VPN, <500ms for DNS validation

Threat Detection Details

JSON
{
  "threat": {
    "moduleType": "NetworkTampering",
    "threatType": "ProxyDetected",
    "threatDescription": "HTTP proxy configured on device - network traffic may be intercepted",
    "detectionResult": {
      "isThreat": true,
      "category": "NetworkSecurity",
      "threatDescription": "Network proxy and/or VPN detected",
      "confidence": 0.85,
      "evidence": {
        "proxy_configured": true,
        "proxy_host": "192.168.1.100",
        "proxy_port": 8080,
        "vpn_active": false,
        "vpn_name": null,
        "dns_hijacking": false,
        "interfaces": [
          {
            "name": "en0",
            "type": "ethernet",
            "status": "active"
          }
        ]
      },
      "timestamp": "2026-03-03T10:30:45.123Z"
    },
    "metadata": {
      "detection_method": "system_proxy_settings",
      "threat_count": 1,
      "check_duration_ms": 45,
      "interval_ms": 300000,
      "dns_latency_ms": 120
    }
  }
}
