Threat Detection

Overview

Threat Detection (Runtime Security Monitoring and Tamper Detection) is UnoLock's comprehensive browser runtime security service that continuously audits your environment to detect and block malicious behavior before it can compromise your data. By combining API-blocking, event-listener auditing, DOM mutation inspection, overlay detection, and extension probing—all running client-side in Angular—it ensures that any injected code, unauthorized extensions, or clickjacking attempts are caught and neutralized in real time.

How It Works

  • API Access Blocking: Overrides localStorage/sessionStorage methods and indexedDB.open to throw on any attempt to read or write, logging and flagging each unauthorized call immediately.
  • WebSocket Block: Replaces the global WebSocket constructor so any socket connection attempt is halted and reported, preventing data exfiltration channels.
  • Event Listener Auditing: After Angular stabilizes, intercepts addEventListener to count sensitive handlers (click, input, keydown, etc.) and detect listeners injected by browser extensions via stack-trace analysis, triggering alerts when configurable thresholds are exceeded.
  • UI Overlay & Clickjacking Checks: Every few seconds (outside Angular's zone), scans for full-screen, low-opacity overlays with high z-index, flagging or removing elements that could hijack user clicks.
  • API Tampering Detection: Compares window.fetch and other core APIs against snapshots taken at initialization; any override by third-party code is immediately flagged.
  • DOM Mutation Inspection: Uses a debounced MutationObserver to watch for newly added script or iframe nodes, stripping unauthorized elements (those without the data-unolock attribute or not from location.origin).
  • Extension Presence Probing: Loads hidden manifests for known banned extensions and alerts immediately if any are detected in the browser environment.
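
The blocking and snapshot-comparison steps above can be sketched as follows. This is an added example, not UnoLock's own code: `installGuard`, `makeScope`, `runDemo`, the event names and the sample URL are all illustrative, and a constructed `scope` object stands in for `window` so the code runs under Node.

```javascript
// Added example. `scope` stands in for `window`; every name below is illustrative.
function installGuard(scope, report) {
  // Block storage on the shared prototype, which covers both
  // localStorage and sessionStorage instances.
  for (const method of ['getItem', 'setItem', 'removeItem', 'clear']) {
    scope.Storage.prototype[method] = function blockedStorage() {
      report({ kind: 'storage-blocked', detail: method });
      throw new Error('Web Storage is disabled');
    };
  }
  // Replace the WebSocket constructor: report, then refuse to connect.
  scope.WebSocket = function BlockedWebSocket(url) {
    report({ kind: 'websocket-blocked', detail: String(url) });
    throw new Error('WebSocket is disabled');
  };
  // Snapshot after our own overrides so the audit does not flag them.
  const watched = ['fetch', 'WebSocket'];
  const snapshot = new Map(watched.map((name) => [name, scope[name]]));
  return function audit() {
    // Identity comparison catches any reassignment made after the snapshot.
    const tampered = watched.filter((name) => scope[name] !== snapshot.get(name));
    tampered.forEach((name) => report({ kind: 'api-tampered', detail: name }));
    return tampered;
  };
}

// Constructed stand-in for a browser global object, so this runs under Node.
function makeScope() {
  class Storage { getItem() { return null; } setItem() {} removeItem() {} clear() {} }
  return {
    Storage, localStorage: new Storage(), sessionStorage: new Storage(),
    WebSocket: function WebSocket(url) { this.url = url; },
    fetch: async () => ({ ok: true }),
  };
}

function runDemo() {
  const events = [];
  const scope = makeScope();
  const audit = installGuard(scope, (e) => events.push(e));
  const clean = audit();                                   // nothing changed yet
  try { scope.sessionStorage.setItem('k', 'v'); } catch { /* blocked */ }
  try { new scope.WebSocket('wss://collector.example'); } catch { /* blocked */ }
  const original = scope.fetch;
  scope.fetch = (...args) => original(...args);            // simulated third-party wrapper
  return { clean, tampered: audit(), kinds: events.map((e) => e.kind) };
}
```

An identity snapshot only detects changes made after it was taken: anything that replaced `fetch` before the guard initialized becomes part of the baseline, so load order matters.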

Security Implications

  • Proactive Tamper Detection: Identifies and blocks meddling scripts and API overrides before they can execute malicious operations.
  • Clickjacking Protection: Stops hidden overlays and rogue iframes that could hijack user interactions or steal credentials.
  • Extension Threat Awareness: Detects malicious or unapproved extensions at runtime, warning users to remove them before continuing.
  • Real-Time Client-Side Alerts: Escalating alerts inform users of repeated or severe anomalies, guiding them to switch to a clean profile or incognito mode.
  • Zero-Trust Browser Environment: By enforcing strict controls on every aspect of the browser API, UnoLock maintains a hardened, trust-no-one runtime posture.

Use Cases

  • Secure Banking Operations: Users accessing financial accounts benefit from real-time detection of keyloggers, screen capture attempts, and malicious browser extensions.
  • Cryptocurrency Management: Protection against clipboard hijacking and transaction manipulation when managing digital assets within the vault.
  • Corporate Data Protection: Enterprise users gain defense against targeted attacks attempting to steal sensitive corporate information through browser exploits.
  • High-Risk Environments: Journalists and activists operating in hostile digital environments receive alerts about surveillance extensions and tracking attempts.

Why It Matters

Threat Detection provides a best-effort, client-side defense layer that enforces strict API controls, audits runtime behavior, and neutralizes unauthorized code or extensions—all in real time. While this zero-trust approach significantly raises the bar against browser-based threats, no client-side guard can guarantee 100% protection. Users must also exercise caution by avoiding untrusted browser extensions and keeping their environment secure. Together, UnoLock's monitoring features and responsible user practices maintain the integrity of your data against evolving risks.

FAQs

Can Threat Detection prevent all browser-based attacks?

While Threat Detection provides comprehensive runtime monitoring and blocking capabilities, no client-side solution can guarantee 100% protection. It significantly raises the security bar but should be combined with safe browsing practices and avoiding untrusted extensions.

Does Threat Detection slow down my browser?

The monitoring service is optimized to run efficiently outside Angular's change detection zone, using debounced observers and selective API hooks to minimize performance impact while maintaining comprehensive protection.

What happens when a threat is detected?

Depending on the severity, the system will either block the action silently, display a warning notification, or in severe cases, recommend switching to a clean browser profile or incognito mode to ensure continued security.

Compliance & Privacy Regulations

  • Client-Side Only Operation: All threat detection occurs within your browser, with no external reporting or data collection, maintaining complete privacy compliance.
  • GDPR & Privacy Compliance: Threat detection data never leaves your device, ensuring compliance with data protection regulations.

Integration with Other Features

  • Post-Quantum Encryption: Works in tandem with encryption layers to ensure that even if threats bypass detection, encrypted data remains protected.
  • FIDO2 Authentication: Complements hardware-based authentication by ensuring the browser environment is secure before authentication ceremonies.
  • Client Application Isolation: Reinforces browser sandbox isolation by actively monitoring for sandbox escape attempts.
