KeyChain Modification Detection

MAD monitors the integrity of the iOS Keychain to identify suspicious changes in credentials, cryptographic keys and authentication factors associated with the application. The Keychain is the operating system's secure mechanism for storing sensitive information and is widely used to protect passwords, session tokens and cryptographic secrets.

In compromised environments, especially on jailbroken devices, data stored in the Keychain can be targeted for extraction or improper manipulation. This protection allows detection of, for example, unauthorized changes to stored passwords, manipulation of session tokens or attempts to weaken security mechanisms tied to the application, such as Touch ID or Face ID authentication.

Technical Mechanism: MAD continuously verifies the integrity of critical items stored in the Keychain and monitors whether their security attributes and access controls remain consistent over time. The solution identifies modifications inconsistent with the legitimate behavior of the application, such as changes to access policies or degradation of the expected protection level. Upon detecting this scenario, the RASP classifies the environment as compromised and triggers configured security policies, such as crashing the application, in addition to immediately notifying the Command Center, ensuring that only legitimate, untampered credentials are used.
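The kind of attribute-consistency check described above can be sketched in Swift as follows. This is an added illustration, not MAD's implementation: `KeychainBaseline`, `KeychainFinding` and `auditKeychainItem` are hypothetical names, and the sketch assumes the app records the expected protection class and the time of its own last write somewhere it trusts.

```swift
import Foundation
import Security

// Hypothetical baseline the app records each time it legitimately writes the item.
struct KeychainBaseline {
    let service: String
    let account: String
    let accessible: String   // e.g. kSecAttrAccessibleWhenUnlockedThisDeviceOnly as String
    let lastWrite: Date      // time of the app's own last write
}

enum KeychainFinding: Equatable {
    case itemMissing
    case readFailed(OSStatus)
    case protectionClassChanged(found: String)
    case modifiedAfterLastWrite(Date)
}

// Reads only the item's attributes (never the secret) and compares them with the baseline.
func auditKeychainItem(_ baseline: KeychainBaseline) -> [KeychainFinding] {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: baseline.service,
        kSecAttrAccount as String: baseline.account,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecReturnAttributes as String: true
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound { return [.itemMissing] }
    guard status == errSecSuccess, let attrs = result as? [String: Any] else {
        return [.readFailed(status)]
    }

    var findings: [KeychainFinding] = []
    // A different protection class than the one the app set is a degradation signal.
    let found = attrs[kSecAttrAccessible as String] as? String ?? "absent"
    if found != baseline.accessible {
        findings.append(.protectionClassChanged(found: found))
    }
    // A modification date later than the app's own last write means something else changed it.
    // One second of tolerance covers timestamp granularity (an assumption of this sketch).
    if let modified = attrs[kSecAttrModificationDate as String] as? Date,
       modified.timeIntervalSince(baseline.lastWrite) > 1 {
        findings.append(.modifiedAfterLastWrite(modified))
    }
    return findings
}
```

An empty result means the item still matches what the app wrote; any finding is the signal a policy engine would act on.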
