Trace Detection

Trace detection identifies when tracing or instrumentation tools are monitoring your app's execution, so you can respond before they map its behavior.

Start free

See it in ByteHide Shield

TL;DR

Tracing and instrumentation tools let an attacker watch an application's execution in detail: which functions run, in what order, with what data. Trace detection is a runtime self-protection that identifies when tracing is active, so your app can respond instead of being silently observed.

Definition

What is trace detection?

Tracing is a technique that records an application's execution as it runs: the sequence of function calls, their arguments, their results. Instrumentation tools attach to a process and capture this detailed picture of behavior.

For an attacker, tracing is a way to understand an application without reading its code. By watching what runs and when, they can map logic, find sensitive operations, and identify where to focus an attack.

Trace detection is a runtime, RASP-style protection that identifies when tracing or instrumentation tools are observing your application. Once detected, the app can respond rather than continue under observation.

Mechanism

How trace detection works

Trace detection looks for the signs of tracing and instrumentation:

Tracer detection. The application checks whether a tracing tool is attached to its process.
Instrumentation detection. It looks for the instrumentation frameworks used to monitor execution.
Timing and behavioral checks. Tracing changes execution characteristics, and the application watches for those signs.

When tracing is detected, the response is configurable: terminate, degrade, or alert your backend.

Example

Trace detection example

Your code ships unchanged. What a tracer reads while it runs is what changes when trace detection is enabled.

Without trace detection

An attacker attaches a tracing tool and records every function call and value as your app runs, mapping its behavior without reading a line of code.

With trace detection

The same attempt is detected, the app recognizes it is being traced, and it responds before its behavior is fully mapped.

Without trace detectionVaultOpen.swift

func open(_ vault: Vault, with key: Key) -> Bool {
    return vault.unlock(key)
}

With trace detectionVaultOpen.swift

func open(_ vault: Vault, with key: Key) -> Bool {
    return vault.unlock(key)
}

Use cases

When to use trace detection

Trace detection matters most when your application:

Has sensitive logic an attacker could map by observing execution.
Handles valuable operations worth hiding from runtime observation.
Must resist dynamic analysis, not only static analysis.

It pairs with anti-debugging and hook detection as a runtime hardening layer: anti-debugging stops stepping through code, hook detection stops interception, trace detection stops silent observation.

Platform availability

Trace detection and the iOS platform

iOS
Detection of tracing and instrumentation tools. On Android, equivalent dynamic analysis is covered by anti-debug, which detects instrumentation frameworks.

Frequently asked questions

What is trace detection?

Trace detection is a runtime self-protection that identifies when tracing or instrumentation tools are monitoring an application's execution, so the app can respond instead of being silently observed.

Does trace detection affect performance?

The runtime cost is minimal. Trace detection checks are lightweight and run periodically.

How is tracing different from debugging?

Debugging pauses execution to inspect it step by step. Tracing records execution as it runs without stopping it. Trace detection and anti-debugging cover these two different techniques.

Can trace detection be bypassed?

Advanced attackers can attempt to evade it, which is why it combines multiple signals and is layered with anti-debugging and hook detection.

Which platforms support trace detection?

ByteHide Shield provides trace detection for iOS. On Android, instrumentation is detected as part of anti-debug.