Memory Tamper Detection
| Plan | Platforms | MASVS |
|---|---|---|
| Team | iOS | MASVS-RESILIENCE-2, MASVS-RESILIENCE-4 |
Overview
Memory Tamper Detection identifies signs that an iOS app's runtime state or executable code has been modified after launch. It helps protect apps from in-memory patching, injected code, runtime manipulation, and attempts to alter security decisions while the app is running.
When memory tampering is detected, AppTego applies your configured response. High-risk apps commonly close immediately, while teams in rollout may log or warn first to evaluate production behavior.
When To Use It
Use this control when your app protects:
- Authentication, payment, entitlement, wallet, or approval logic.
- Cryptographic decisions or local policy enforcement.
- Paid content, anti-cheat logic, or regulated data access.
- Any workflow where runtime state manipulation would create financial, privacy, or compliance risk.
How It Works
The protected app establishes runtime integrity expectations and checks for signs that critical state or executable code has changed unexpectedly. The control is designed to focus on higher-confidence signals so legitimate app frameworks are less likely to trigger false positives.
AppTego does not publish exact canary names, memory checks, timing, thresholds, or validation sequence in public documentation. Those details are part of the protection logic and may change as iOS, app frameworks, and attacker tooling evolve.
How to Enable the Control
In the AppTego portal, navigate to Detection & Response and expand the Runtime Attack Detection section, where you will find the Memory Tamper Detection control. Click Enable Configuration, choose the response action, and save the configuration. It takes effect in the next build, or is applied with a live push (if enabled).
API Configuration Example
```json
{
  "MemoryTamperDetectionResponse": {
    "detection": true,
    "action": "alert",
    "title": "Security Alert",
    "message": "Memory tampering has been detected. The application will now close to protect your data.",
    "buttons": ["OK"],
    "actions": ["close"],
    "redirects": [""]
  }
}
```
| Field | Purpose |
|---|---|
| `detection` | Enables or disables memory tamper detection. |
| `action` | Selects the response style, such as alert, close, log, or warn. |
| `title` / `message` | User-facing text shown when a response is displayed. |
| `buttons` / `actions` / `redirects` | Defines the available response buttons and their outcomes. |
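A pre-deployment lint for the configuration above, as an added example that is not AppTego code: it flags a disabled control, an unrecognised response style, and user-facing text that promises a close the configuration does not deliver. The function name, the `enforce` parameter, the parallel-list reading of `buttons` / `actions` / `redirects`, and the keyword check on `message` are assumptions made for illustration.

```python
import json

# Response styles named on this page ("such as alert, close, log, or warn");
# the product may accept others, so this set is an assumption.
KNOWN_ACTIONS = {"alert", "close", "log", "warn"}

def lint_memory_tamper_config(raw, enforce=False):
    """Return findings for a config; enforce=True means a hard-block build."""
    findings = []
    cfg = json.loads(raw).get("MemoryTamperDetectionResponse")
    if not isinstance(cfg, dict):
        return ["MemoryTamperDetectionResponse object is missing"]
    if cfg.get("detection") is not True:
        findings.append("detection is not true: the control is disabled")
    action = cfg.get("action")
    if action not in KNOWN_ACTIONS:
        findings.append(f"action {action!r} is not one of {sorted(KNOWN_ACTIONS)}")
    buttons = cfg.get("buttons", [])
    outcomes = cfg.get("actions", [])
    redirects = cfg.get("redirects", [])
    # Assumption: the three lists are parallel, one outcome and redirect per button.
    if not (len(buttons) == len(outcomes) == len(redirects)):
        findings.append("buttons, actions and redirects differ in length")
    # Heuristic (assumption): the app closes if the style is "close", or if it is an alert whose every button closes.
    closes = action == "close" or (action == "alert" and bool(outcomes) and all(o == "close" for o in outcomes))
    if "close" in cfg.get("message", "").lower() and not closes:
        findings.append("message says the app will close, but a non-closing path exists")
    if enforce and not closes:
        findings.append("enforcing build does not close the app on detection")
    return findings

# Constructed samples: the page's example, and a rollout config edited by hand.
PAGE_EXAMPLE = """{"MemoryTamperDetectionResponse": {"detection": true,
 "action": "alert", "title": "Security Alert",
 "message": "Memory tampering has been detected. The application will now close to protect your data.",
 "buttons": ["OK"], "actions": ["close"], "redirects": [""]}}"""
ROLLOUT_DRIFT = """{"MemoryTamperDetectionResponse": {"detection": true,
 "action": "log", "title": "Security Alert",
 "message": "The application will now close.",
 "buttons": ["OK", "Help"], "actions": ["close"], "redirects": [""]}}"""

if __name__ == "__main__":
    for name, raw in (("page example", PAGE_EXAMPLE), ("rollout drift", ROLLOUT_DRIFT)):
        print(name, lint_memory_tamper_config(raw, enforce=True))
```

Run it with `enforce=False` while the control is in log or warn rollout, and with `enforce=True` on builds that are meant to hard-block.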
Compatibility Notes
- Apps using web views, game engines, JavaScript runtimes, or cross-platform frameworks should test representative production flows before enforcing a hard block.
- No memory tamper control can guarantee detection on a fully controlled device. Use it as one layer in a broader runtime protection strategy.
- Pair this control with Jailbreak Detection, Hooking Detection, Debugger Detection, App Tamper Detection, and Apple App Attest.