Swizzling Detection
MAD monitors the iOS runtime to identify attempts at method swizzling, an Objective-C feature that allows replacing method implementations at runtime. Although legitimate in some development contexts, this technique can be exploited by attackers to alter critical application behaviors, including security mechanisms, without directly modifying the binary.
This type of attack is frequently observed in jailbreak or malicious instrumentation scenarios, allowing interception of API calls, diversion of validation flows, and silent manipulation of application logic, with potential exposure of sensitive data.
Technical Mechanism: MAD checks the runtime integrity of sensitive classes and methods, identifying anomalous changes in how methods are resolved and executed. When it detects that a legitimate implementation has been replaced or redirected in an unauthorized manner, MAD classifies the environment as compromised, triggers the configured protection policies, and logs the event in the Command Center, ensuring that the application's original and legitimate behavior is not tampered with.
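One common way to implement this kind of check, shown as an added example that is not MAD's own code: resolve the implementation currently bound to a sensitive selector and confirm it still lives in the app's own Mach-O image. The `LicenseValidator` class, its `isLicenseValid` method and the helper `MethodIsBackedByImageOf` are hypothetical names used for illustration.

```objective-c
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#import <dlfcn.h>

// Hypothetical sensitive class, defined here so the example is self-contained.
@interface LicenseValidator : NSObject
- (BOOL)isLicenseValid;
@end
@implementation LicenseValidator
- (BOOL)isLicenseValid { return NO; }
@end

// YES when the implementation currently bound to `sel` on `cls` is code from
// the same Mach-O image as `anchor` (an address known to be in the app binary).
static BOOL MethodIsBackedByImageOf(const void *anchor, Class cls, SEL sel) {
    Method m = class_getInstanceMethod(cls, sel);
    if (m == NULL) return NO;                       // method removed: anomalous
    IMP imp = method_getImplementation(m);
    Dl_info impInfo, anchorInfo;
    if (imp == NULL || dladdr((const void *)imp, &impInfo) == 0) {
        return NO;                                  // IMP is outside every loaded image
    }
    if (dladdr(anchor, &anchorInfo) == 0) return NO;
    // Compare image base addresses: a replacement supplied by another
    // loaded library resolves to a different base than the app binary.
    return impInfo.dli_fbase == anchorInfo.dli_fbase;
}

int main(void) {
    @autoreleasepool {
        // `main` serves as the anchor because it is always in the app binary.
        BOOL intact = MethodIsBackedByImageOf((const void *)&main,
                                              [LicenseValidator class],
                                              @selector(isLicenseValid));
        NSLog(@"isLicenseValid backed by app image: %@", intact ? @"YES" : @"NO");
        return intact ? 0 : 1;
    }
}
```

A swap between two implementations inside the same image passes this check, so it works as one signal among several, not as a complete detector.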