Tampering Detection

Protection Module: TamperingDetection

Available For

Platform | Version | Status
--- | --- | ---
iOS | 12.0+ | ✓ Full Support (requires code signing)
iPadOS | 12.0+ | ✓ Full Support (requires code signing)
tvOS | 12.0+ | ✓ Supported

How It Works

The Tampering Detection module continuously verifies that your application code and resources have not been modified after installation. It validates code signatures and bundle integrity, and detects tampering attempts:

Detection Techniques

  • Code Signature Verification: Uses mechanisms equivalent to SecCodeCheckValidity to verify embedded.mobileprovision signature integrity and confirm the app was signed with the correct certificate.
  • Bundle ID Validation: Compares the runtime Bundle ID against the expected Bundle ID from Info.plist to detect bundle swapping attacks.
  • embedded.mobileprovision Integrity: Validates the mobile provisioning profile embedded in the app to ensure it hasn't been replaced or tampered with.
  • CodeResources Validation: Verifies the CodeResources (resource fork) file that contains hashes of all app resources to detect resource modification.
  • Info.plist Modification Detection: Monitors the main Info.plist file for unauthorized modifications to app configuration.

Detection Confidence: 1.0 for signature mismatches (100% - guaranteed detection)

Default Interval: 300 seconds (5 minutes)

Caching: Cached permanently (code doesn't change at runtime)
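
The Bundle ID and CodeResources checks listed under Detection Techniques can also be run offline against an unpacked .app, for example in a release pipeline or during incident triage. The Python below is an added example, not ByteHide's implementation; it assumes the standard `_CodeSignature/CodeResources` plist layout with SHA-256 values stored under `files2` / `hash2`, and `audit_bundle` and `make_demo_app` are hypothetical names.

```python
import hashlib
import plistlib
from pathlib import Path

SEAL = "_CodeSignature/CodeResources"  # resource seal inside a signed .app


def audit_bundle(app_dir, expected_bundle_id):
    """Return {path: finding} for an unpacked .app; empty dict means no mismatch."""
    app = Path(app_dir)
    info = plistlib.loads((app / "Info.plist").read_bytes())
    sealed = plistlib.loads((app / SEAL).read_bytes()).get("files2", {})
    findings = {}
    if info.get("CFBundleIdentifier") != expected_bundle_id:
        findings["Info.plist"] = "bundle_id_mismatch"
    for rel, entry in sealed.items():
        if not isinstance(entry, dict) or "hash2" not in entry:
            continue  # nested code and symlinks carry no hash2; not covered here
        target = app / rel
        if not target.is_file():
            if not entry.get("optional", False):
                findings[rel] = "missing"
        elif hashlib.sha256(target.read_bytes()).digest() != entry["hash2"]:
            findings[rel] = "modified"
    # Assumption: Info.plist and the main executable are covered by the signature's
    # CodeDirectory rather than CodeResources, so they are not expected in files2.
    skip = {"Info.plist", info.get("CFBundleExecutable", "")}
    for path in (p for p in app.rglob("*") if p.is_file()):
        rel = path.relative_to(app).as_posix()
        if rel not in sealed and rel not in skip and not rel.startswith("_CodeSignature/"):
            findings[rel] = "unsealed"  # present on disk but never sealed
    return findings


def make_demo_app(root):
    """Constructed sample bundle (not a real signed app) so the audit runs offline."""
    app = Path(root) / "Demo.app"
    (app / "_CodeSignature").mkdir(parents=True)
    (app / "Info.plist").write_bytes(plistlib.dumps(
        {"CFBundleIdentifier": "com.example.app", "CFBundleExecutable": "Demo"}))
    (app / "Demo").write_bytes(b"constructed stand-in for the main executable")
    files2 = {}
    for name, data in {"config.json": b'{"env": "prod"}',
                       "embedded.mobileprovision": b"constructed profile"}.items():
        (app / name).write_bytes(data)
        files2[name] = {"hash2": hashlib.sha256(data).digest()}
    (app / SEAL).write_bytes(plistlib.dumps({"files2": files2}))
    return app
```

This compares files with the seal only. It does not verify the signature that covers CodeResources itself, so an edited seal has to be caught by the platform's code-signing checks.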

JSON Configuration

JSON
{
  "protections": [
    {
      "type": "TamperingDetection",
      "action": "erase",
      "intervalMs": 300000
    }
  ]
}

Code-Based Configuration

Swift

Swift
import ByteHideMonitor

BHMMonitor.configure { config in
    config.enableProtection(.tamperingDetection, action: .erase, intervalMs: 300000)
}

Objective-C

OBJC
#import <ByteHideMonitor/ByteHideMonitor.h>

[BHMMonitor configure:^(BHMMonitorConfiguration *config) {
    [config enableProtection:BHMProtectionModuleTypeTamperingDetection
                      action:BHMActionTypeErase
                  intervalMs:300000];
}];

Available Actions

Action | Behavior | Recommended For
--- | --- | ---
Close | Terminate application immediately | Production apps with critical IP
Log | Record incident and continue | Development, analytics
Erase | Securely delete data then terminate | Financial, healthcare apps
Custom | Execute custom handler | Enterprise integrations
None | Detect only, no action | Testing configurations

See Actions for detailed action documentation.

When to Use

  • Financial Apps: Detect and prevent execution of tampered banking apps with stored credentials
  • Healthcare Apps: Verify medical app integrity and protect patient data
  • Enterprise Software: Prevent distribution of modified company applications
  • DRM-Protected Content: Ensure only legitimate signed apps can access premium content
  • High-Security Apps: Detect app spoofing and binary modification attacks
  • Development: Use Log action to track and analyze tampering attempts

Code Examples

Swift Basic Configuration

Swift
import ByteHideMonitor

// In your AppDelegate or app initialization
BHMMonitor.configure { config in
    config.enableProtection(.tamperingDetection, action: .erase, intervalMs: 300000)
}

Swift with Custom Action

Swift
import ByteHideMonitor

BHMMonitor.configure { config in
    // Register custom handler for tampering detection
    config.registerCustomAction("tampering-handler") { context in
        let threatType = context.threatType
        let description = context.threatDescription
        let metadata = context.metadata

        // Send security alert to backend
        SecurityAPI.reportTamperingDetected(
            threatType: threatType,
            description: description,
            metadata: metadata
        )

        // Clear sensitive cached data and delete the persisted defaults domain
        URLCache.shared.removeAllCachedResponses()
        UserDefaults.standard.removePersistentDomain(forName: "com.yourapp.sensitive")

        // Log security event
        Analytics.log(event: "tampering_detected", parameters: [
            "threat_type": threatType,
            "description": description,
            "timestamp": ISO8601DateFormatter().string(from: Date())
        ])

        // Optional: Backup user data before termination
        UserDataBackup.syncToCloud()
    }

    config.enableProtection(.tamperingDetection, customAction: "tampering-handler", intervalMs: 300000)
}

Objective-C Basic Configuration

OBJC
#import <ByteHideMonitor/ByteHideMonitor.h>

[BHMMonitor configure:^(BHMMonitorConfiguration *config) {
    [config enableProtection:BHMProtectionModuleTypeTamperingDetection
                      action:BHMActionTypeErase
                  intervalMs:300000];
}];

Objective-C with Custom Action

OBJC
#import <ByteHideMonitor/ByteHideMonitor.h>

[BHMMonitor configure:^(BHMMonitorConfiguration *config) {
    [config registerCustomAction:@"tampering-handler" handler:^(BHMThreatContext *context) {
        NSString *threatType = context.threatType;
        NSString *description = context.threatDescription;
        NSDictionary *metadata = context.metadata;

        // Report to security backend
        [SecurityAPI reportTamperingDetected:threatType
                                description:description
                                   metadata:metadata];

        // Clear sensitive data
        [[NSURLCache sharedURLCache] removeAllCachedResponses];
        [[NSUserDefaults standardUserDefaults] removePersistentDomainForName:@"com.yourapp.sensitive"];

        // Log security event
        [Analytics logEvent:@"tampering_detected"
                parameters:@{
                    @"threat_type": threatType,
                    @"description": description
                }];

        // Backup user data
        [UserDataBackup syncToCloud];
    }];

    [config enableProtection:BHMProtectionModuleTypeTamperingDetection
                customAction:@"tampering-handler"
                  intervalMs:300000];
}];

Platform Compatibility

Feature | iOS 12-13 | iOS 14-15 | iOS 16+
Code Signature Verification
Bundle ID Validation
Provisioning Profile Check
CodeResources Validation
Info.plist Detection
Permanent Caching

Performance Impact

  • CPU Usage: ~0.2-0.5% per check cycle
  • Memory Overhead: <500 KB (cached results)
  • Battery Impact: Minimal with 5-minute intervals
  • First Detection: <50ms
  • I/O Impact: Brief file system access for signature validation

Threat Detection Details

JSON
{
  "threat": {
    "moduleType": "TamperingDetection",
    "threatType": "BinaryTampered",
    "threatDescription": "App binary code signature validation failed - app has been modified",
    "detectionResult": {
      "isThreat": true,
      "category": "CodeIntegrity",
      "threatDescription": "Invalid code signature detected",
      "confidence": 1.0,
      "evidence": {
        "signature_check": "failed",
        "bundle_id_mismatch": false,
        "provision_profile": "invalid",
        "code_resources": "signature_mismatch",
        "expected_bundle_id": "com.example.app",
        "actual_bundle_id": "com.example.app",
        "plist_modified": false
      },
      "timestamp": "2026-03-03T10:30:45.123Z"
    },
    "metadata": {
      "detection_method": "code_signature",
      "affected_files": ["app_binary"],
      "cache_status": "permanent",
      "check_duration_ms": 32,
      "interval_ms": 300000
    }
  }
}
