Detection Controls
Detection controls identify risky device, app, screen, network, or runtime conditions and apply a configured response. Use them first in Log mode to understand real-world posture, then move high-confidence events to Message, Redirect, or Terminate after testing on representative devices.
For per-control setup details, open the linked control reference pages below.
A good detection rollout separates signal collection from enforcement. Logging answers "what is happening?" before stricter responses answer "what should the app do about it?"
Control Matrix
Minimum plan means the lowest public tier where the control is available. Enterprise tenants include Team controls.
| Control | Platforms | Minimum plan | Execution | Recommended first rollout |
|---|---|---|---|---|
| Accessibility Service Detection | Android | Team | Runtime | Log, then Message for sensitive workflows. |
| App Cloning Detection | Android | Team | Runtime | Log during fraud analysis, then Message or Terminate for account-abuse flows. |
| App Tamper Detection | Android, iOS | Team | Runtime integrity | Log during rollout, then Terminate for modified or repackaged builds. |
| Apple App Attest | iOS | Enterprise | Platform attestation | Log first, then enforce for supported production iOS apps. |
| Debuggable Detection | Android, iOS | Team | Runtime | Log in QA, then Terminate for production apps after validation. |
| Debugger Detection | iOS | Team | Runtime | Log in QA, then Terminate for production releases. |
| Developer Options Detection | Android, iOS | Team | Runtime | Log or Message; use as a posture signal rather than a standalone block in broad consumer apps. |
| Device Lock Detection | Android, iOS | Team | Runtime | Message with remediation guidance before enforcing. |
| Emulator Detection | Android, iOS | Team | Runtime | Terminate for production apps that should only run on physical devices. |
| Google Play Integrity | Android | Enterprise | Platform attestation | Log and tune before blocking unsupported or low-integrity devices. |
| Hook Detection | Android | Team | Runtime | Log in early rollout, then Terminate for high-risk apps. |
| Hooking Detection | iOS | Team | Runtime | Log in early rollout, then Terminate for high-risk apps. |
| Jailbreak Detection | iOS | Free | Runtime | Message or Terminate depending on policy. |
| Location Spoofing Detection | Android, iOS | Team | Runtime | Log first; false-positive tolerance depends on how location is used. |
| Memory Tamper Detection | iOS | Team | Runtime | Terminate for apps protecting payments, credentials, or licensed content. |
| Overlay Detection | Android | Team | Runtime | Message for payment, login, and approval screens. |
| Proxy Usage Detection | Android, iOS | Team | Runtime | Log or Message; coordinate with enterprise customers that use managed network inspection. |
| Root Detection | Android | Free | Runtime | Message or Terminate depending on device policy. |
| Screen Capture Detection | Android, iOS | Team | Runtime | Log first; use Android Screen Capture Protection when strict Android screenshot blocking is required. |
| Screen Mirroring Detection | Android, iOS | Team | Runtime | Message for workflows that cannot be displayed externally. |
| Screen Recording Detection | Android | Team | Runtime | Log first; use Android Screen Capture Protection when strict Android recording blocking is required. |
| Third-Party Keyboard Detection | Android, iOS | Team | Runtime | Message on credential, payment, and personal-data screens. |
| Time Tampering Detection | Android, iOS | Team | Runtime | Log first, then enforce where tokens, trials, or certificates depend on trusted time. |
| Unknown Sources Detection | Android, iOS | Team | Runtime | Message or Terminate for official-store distribution policies. |
| USB Connection Detection | Android | Team | Runtime | Log for most apps; Message or Terminate for managed-device environments. |
| Virtual App Detection | Android | Team | Runtime | Log first, then enforce for anti-abuse and high-risk apps. |
| VPN Detection | Android, iOS | Team | Runtime | Log or Message; enforce only where policy clearly disallows VPN use. |
Response Actions
| Action | Customer-facing behavior | Best use |
|---|---|---|
| Log | Records the event while allowing the app to continue. | Baseline rollout, false-positive measurement, and silent monitoring. |
| Message | Shows a configured alert explaining what the user should do next. | User-remediable states such as device lock, VPN, developer options, or unsupported keyboards. |
| Redirect | Sends the user to a configured support, policy, or update URL. | Compliance pages, upgrade flows, device policy pages, and help-center guidance. |
| Terminate | Closes the app after the detection fires. | High-confidence threats such as repackaging, debugging, runtime hooks, or prohibited device states. |
Recommended Detection Baselines
| App profile | Suggested baseline |
|---|---|
| Consumer app with moderate data sensitivity | Root or jailbreak detection, emulator detection, debuggable detection, screen capture detection, and proxy usage detection in Log mode. |
| Financial, healthcare, identity, or regulated app | Add debugger, hook, memory tamper, device lock, third-party keyboard, overlay, and app integrity controls. Use Message or Terminate once validated. |
| Enterprise-managed app | Add developer options, USB connection, VPN, unknown sources, and device lock controls according to your device policy. |
| Fraud-sensitive app | Add app cloning, virtual app, location spoofing, time tampering, emulator, and unknown sources controls. |
Rollout Guidance
- Enable candidate detections in Development or Staging with Log responses.
- Test on physical devices, managed devices, beta builds, older OS versions, and common customer device profiles.
- Review events in the security dashboard and device logs before changing response actions.
- Use Message for states a legitimate user can fix, such as enabling a lock screen or disabling a VPN.
- Use Terminate only for high-confidence threats where continuing would create unacceptable risk.
- Document customer support guidance before enforcing controls that may affect legitimate users.
Response Selection Checklist
| Question | Response guidance |
|---|---|
| Could a legitimate user fix this condition? | Prefer Message or Redirect with clear remediation. |
| Is the signal noisy during QA or pilot rollout? | Keep Log until false-positive behavior is understood. |
| Does continued app use create unacceptable risk? | Consider Terminate after validation and support review. |
| Does the condition affect only sensitive screens? | Pair broad logging with targeted prevention or product-level handling where appropriate. |
Detection And Prevention Together
Detection controls tell you that a condition exists. Prevention controls actively block or harden the behavior. For sensitive workflows, use both where appropriate.
| Risk | Detection control | Prevention or hardening pair |
|---|---|---|
| Screenshots or visual disclosure | Screen Capture Detection | Android Screen Capture Protection, or Screenshot Prevention for iOS screens |
| Screen recording | Screen Recording Detection | Android Screen Capture Protection, or Screen Recording Prevention for iOS screens |
| Network interception | Proxy Usage Detection | Certificate Pinning and TLS 1.3 Only |
| Runtime analysis | Debuggable Detection, Debugger Detection, Hook Detection, Hooking Detection | Set Debuggable to False and Code Obfuscation |
| Sensitive input leakage | Third-Party Keyboard Detection | Clipboard Protection, Keyboard Cache Prevention, and Autofill Suggestion Prevention |