Hooking Detection
| Plan | Platforms | MASVS |
|---|---|---|
| Team | iOS | MASVS-RESILIENCE-4 |
Overview
Hooking Detection identifies signs that an iOS app is running in an environment where runtime instrumentation, method interception, or jailbreak-based modification may be active. It helps protect sensitive flows from tools that can inspect memory, alter Objective-C or Swift behavior, bypass checks, or automate abuse.
When hooking activity is detected, AppTego applies the response configured for your tenant. The response can log the event, warn the user, redirect them, or close the app for high-risk workflows.
When To Use It
Use this control for apps that need additional protection around:
- Login, session refresh, wallet, payment, transfer, or approval flows.
- Paid content, entitlement checks, license enforcement, or anti-cheat logic.
- Proprietary business rules or cryptographic material that could be inspected at runtime.
- Regulated data where runtime manipulation would create compliance or fraud risk.
How It Works
The control checks for multiple classes of iOS runtime manipulation indicators, including suspicious loaded components, modified execution paths, and signs of instrumentation in the app process. AppTego intentionally keeps the exact signatures and inspection order out of public documentation so detection logic can evolve without publishing an attacker checklist.
Detection runs as part of the protected runtime and fires your configured response when the environment appears unsafe.
How to Enable the Control
In the AppTego portal, navigate to Detection & Response and expand the Runtime Attack Detection section. Under this section you will find the Hooking Detection control. Click Enable Configuration, choose the response action, and save. The configuration is applied in the next build, or through a live push if that is enabled.
API Configuration Example
```json
{
  "HookingDetectionResponse": {
    "detection": true,
    "action": "alert",
    "title": "Security Threat Detected",
    "message": "This app cannot continue while runtime modification tools appear to be active.",
    "buttons": ["OK"],
    "actions": ["close"],
    "redirects": [""]
  }
}
```
| Field | Purpose |
|---|---|
| detection | Enables or disables iOS hooking detection. |
| action | Selects the response style, such as alert, close, log, or warn. |
| title / message | User-facing text shown when a response is displayed. |
| buttons / actions / redirects | Defines the available response buttons and their outcomes. |
Compatibility Notes
- Development and debugging frameworks can resemble instrumentation. Keep those tools out of release builds or use a softer response in staging.
- Some crash reporting or diagnostic SDKs use advanced runtime techniques. Test with your production SDK set before enforcing a hard block.
- iOS runtime threats often overlap with jailbreak risk. Use Jailbreak Detection alongside this control for stronger coverage.
- For critical actions, consider pairing client-side response with server-side risk scoring.
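
A pre-build lint for the configuration shown under API Configuration Example, added here as an illustration and not AppTego's own code or API. Field names come from this page; the function name `lint_hooking_config`, the rule that `buttons`, `actions` and `redirects` are parallel arrays, and the staging policy drawn from the compatibility notes are assumptions.

```python
import json

# Field names come from the configuration on this page. The page lists response
# styles with "such as", so this set may be incomplete (unknown values only warn).
DOCUMENTED_ACTIONS = ("alert", "close", "log", "warn")

def lint_hooking_config(raw, environment):
    """Return a list of findings; an empty list means the config passed."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"error: invalid JSON ({exc.msg})"]
    cfg = doc.get("HookingDetectionResponse") if isinstance(doc, dict) else None
    if not isinstance(cfg, dict):
        return ["error: HookingDetectionResponse object is missing"]

    findings = []
    if cfg.get("detection") is not True:
        findings.append("error: detection is not true, so the control is off")
    action = cfg.get("action")
    if action not in DOCUMENTED_ACTIONS:
        findings.append(f"warning: action {action!r} is not a style named in the docs")
    # Assumption: alert and warn are the styles that display title and message.
    if action in ("alert", "warn"):
        for field in ("title", "message"):
            value = cfg.get(field)
            if not isinstance(value, str) or not value.strip():
                findings.append(f"error: {field} is empty but the response shows a dialog")

    # Assumption: buttons, actions and redirects are parallel arrays, one entry per button.
    arrays = [cfg.get(key) for key in ("buttons", "actions", "redirects")]
    if not all(isinstance(a, list) for a in arrays):
        findings.append("error: buttons, actions and redirects must all be arrays")
    elif len({len(a) for a in arrays}) != 1:
        findings.append("error: buttons, actions and redirects differ in length")
    # Assumed policy, from the compatibility notes: no hard block in staging.
    outcomes = cfg.get("actions") if isinstance(cfg.get("actions"), list) else []
    if environment == "staging" and (action == "close" or "close" in outcomes):
        findings.append("warning: staging config closes the app; use a softer response")
    return findings

# The configuration shown on this page, and a constructed broken variant.
PAGE_CONFIG = '''{"HookingDetectionResponse": {"detection": true, "action": "alert",
  "title": "Security Threat Detected",
  "message": "This app cannot continue while runtime modification tools appear to be active.",
  "buttons": ["OK"], "actions": ["close"], "redirects": [""]}}'''
BROKEN_CONFIG = '''{"HookingDetectionResponse": {"detection": false, "action": "alert",
  "title": "", "message": "Blocked", "buttons": ["OK", "Help"],
  "actions": ["close"], "redirects": [""]}}'''
```

Run it in CI against each environment's configuration file and fail the build on any finding that starts with `error:`.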