Magisk & LSPosed Modules

1. Magisk with Zygisk Enabled

Purpose: Zygisk is Magisk’s new method for injecting modules directly into Android’s Zygote process. It replaces older Riru-based injection methods.

Why it matters: Most LSPosed modules require Zygisk to hook app code at runtime.

Usage:

  • Open Magisk → Settings → Enable Zygisk.

  • Reboot.

  • Verify with adb shell su -c magisk --zygisk.

2. Shamiko

Type: Magisk Zygisk Module Purpose: Bypasses root detection by hiding the presence of root from apps. It works with Magisk’s DenyList (which must be disabled in “Enforce mode” for Shamiko to handle hiding).

Typical usage:

  • Install via Magisk Modules.

  • Disable “Enforce DenyList” in Magisk settings.

  • Configure hidden apps via Shamiko.

3. SSL Pinning Bypass – “Always Trust User Certificates”

Type: LSPosed Module Purpose: Forces apps to trust all user-installed certificates, bypassing certificate pinning and enabling HTTPS interception with tools like Burp Suite or Charles Proxy.

When to use:

  • You need to inspect HTTPS requests from apps that enforce their own CA store.

  • Combine with adb shell settings put global http_proxy ... or VPN-based interception.

4. Magisk Hide

Type: Magisk Feature (Legacy) Purpose: Old method for hiding root from apps. Mostly replaced by Shamiko, but still useful on older Android versions.

Usage tip: If using newer Magisk, this may not be available — Shamiko is the modern equivalent.

5. NoHello

Type: LSPosed Module Purpose: Blocks apps that require “developer hello” handshakes or unnecessary startup checks. (Niche, used in certain anti-debug/bypass workflows.)

6. Hide Debugging

Type: LSPosed Module Purpose: Prevents apps from detecting that a debugger is attached. Essential for dynamic analysis with Frida, Xposed, or JDWP without triggering anti-debug measures.

7. Hide My App List

Type: LSPosed Module Purpose: Hides installed apps from detection — useful when target apps scan for reverse engineering tools like Frida, Burp, or game cheats.

Usage for RASP bypass:

  • Add your target app to the module scope.

  • Configure it to hide “blacklisted” packages from the app’s view.

8. I Am Not Developer

Type: LSPosed Module Purpose: Bypasses developer mode detection by returning false for developer options flags. Useful for apps that refuse to run if developer mode is enabled.

Workflow Example

For a typical app with strong protections:

  1. Root the device with Magisk & enable Zygisk.

  2. Install Shamiko → hide root.

  3. Enable Hide My App List → hide tools.

  4. Enable Hide Debugging → attach debugger safely.

  5. Enable SSL Pinning Bypass → capture HTTPS traffic.

  6. Use I Am Not Developer → block dev mode detection.

Disclaimer

This guide is for security research, penetration testing, and educational use. Do not use these methods for malicious activity or without permission — doing so may violate laws and terms of service.

PreviousGenymotion - Proxying Android App Traffic Through Burp SuiteNextNetwork-Sec

Last updated

Was this helpful?