Guide for Android and iOS game security, reversing, and anti-cheat-adjacent platform research. Use this skill when working with APK or IPA analysis, IL2CPP mobile titles, Frida, Zygisk or Magisk, jailbreak or root detection bypass, Android kernel modules, emulator detection, or mobile anti-cheat systems.
This skill covers mobile security resources from the awesome-game-security collection, focusing on Android and iOS game security research, reverse engineering, and protection bypass techniques.
Categories of the collection that this skill draws on:

- Cheat > Magisk, Xposed, Frida, Hook ART (android), Hook syscall (android)
- Cheat > Android Terminal Emulator, Android File Explorer, Android Memory Explorer, Android Network Explorer
- Cheat > Android Application CVE, Android Kernel CVE, Android Bootloader Bypass, IoT / Smart devices
- Cheat > Android ROM, Android Device Trees, Android Kernel Source, Android Root
- Cheat > Android Kernel driver development, Android Kernel Explorer, Android Kernel Driver, Android memory loading
- Cheat > IOS jailbreak, IOS Memory Explorer, IOS File Explorer, IOS App Packaging
- Cheat > Injection:Android, Injection:IOS
- Anti Cheat > Detection:Android root, Detection:Magisk, Detection:Frida
- Some Tricks > Android
- Android Emulator, IOS Emulator

```shell
# Decompile APK (resources, smali, manifest)
apktool d game.apk
# Analyze DEX files (decompile to Java sources in ./output)
jadx -d output game.apk
# Identify protection (packers, obfuscators, anti-analysis markers)
apkid game.apk
```
1. Extract libil2cpp.so from APK
2. Use IL2CPP Dumper to generate headers
3. Analyze with IDA/Ghidra
4. Hook using Frida or native hooks
1. Identify target libraries (.so files)
2. Analyze with reverse engineering tools
3. Pattern scan for functions
4. Apply hooks/patches
```c
// Via /proc filesystem: "pid" stands for the target's process id; the open()
// succeeds only with ptrace-level access to that process (root on a device)
#include <fcntl.h>
#include <unistd.h>

int fd = open("/proc/pid/mem", O_RDWR);
pread64(fd, buffer, size, address);    // read `size` bytes at `address` into buffer
pwrite64(fd, buffer, size, address);   // write buffer back to the same address
```
```javascript
// Basic function hook: intercept an exported symbol of the game library
Interceptor.attach(Module.findExportByName("libgame.so", "function_name"), {
  onEnter: function (args) {
    console.log("Called with: " + args[0]); // args[i] are NativePointer values
  },
  onLeave: function (retval) {
    retval.replace(0); // force the native return value to 0
  }
});
```
- Kernel-based root solution, works at kernel level (no /system modification)
- Module system compatible with Magisk modules via KSU module API
- Stealth advantage: no su binary on filesystem, harder to detect
- Requires custom kernel or GKI (Generic Kernel Image) patching
- APatch: newer alternative, patches boot.img with KernelPatch
- Patches Android kernel at boot via KernelPatch
- No need for custom kernel source (works on stock GKI kernels)
- Module support similar to Magisk/KernelSU
- Root process runs within kernel context
| Solution | Level | Stealth | GKI Support | Module System |
|-----------|-------------|---------|-------------|---------------|
| Magisk | User/Init | Medium | Yes | Mature |
| KernelSU | Kernel | High | Yes | Growing |
| APatch | Kernel | High | Yes | Growing |
- /system/bin/su existence
- /system/xbin/su existence
- Build.TAGS contains "test-keys" (self-signed build instead of "release-keys")
- ro.build.selinux property
- Magisk files/folders (e.g. mounts and directories carrying the Magisk name)
- Package manager checks (manager app and known root/hiding packages)
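The following is an added example, not code from awesome-game-security or from any tool it lists, showing how the indicators above look when implemented as the runtime checks an Android anti-cheat runs: probing the classic su paths, inspecting Build.TAGS, and scanning /proc/self/mounts for mounts that root frameworks leave behind. The su path list and the Magisk mount names are assumptions based on common layouts, and the mounts text is constructed so the example runs offline; on a device it would be read from /proc/self/mounts.

```c
/* Added example (not from awesome-game-security): root/Magisk indicator checks.
 * Paths, mount names and sample mounts text are assumptions/constructed data. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Classic su locations (assumed common paths, not an exhaustive list). */
static const char *const kSuPaths[] = {
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
};
#define N_SU_PATHS (sizeof kSuPaths / sizeof kSuPaths[0])

/* 1 if the path exists on the filesystem, 0 otherwise. */
int path_exists(const char *path) {
    return access(path, F_OK) == 0;
}

/* How many of the given paths exist. */
int count_existing_paths(const char *const *paths, size_t n) {
    int found = 0;
    for (size_t i = 0; i < n; i++)
        found += path_exists(paths[i]);
    return found;
}

/* Production ROMs carry Build.TAGS "release-keys"; "test-keys" means a
 * self-signed (often custom or rooted) build. */
int build_tags_suspicious(const char *build_tags) {
    return build_tags != NULL && strstr(build_tags, "test-keys") != NULL;
}

/* Scan /proc/self/mounts text ("source target fstype options dump pass" per
 * line) for: anything named magisk, and an overlay filesystem layered over a
 * read-only system partition (how module systems inject files). */
int count_root_mounts(const char *mounts_text) {
    int hits = 0;
    const char *line = mounts_text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        char source[128] = "", target[256] = "", fstype[32] = "";
        if (sscanf(buf, "%127s %255s %31s", source, target, fstype) == 3) {
            if (strstr(source, "magisk") || strstr(target, "magisk"))
                hits++;
            else if (strcmp(fstype, "overlay") == 0 &&
                     (strncmp(target, "/system", 7) == 0 ||
                      strncmp(target, "/vendor", 7) == 0))
                hits++;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return hits;
}

/* Constructed sample: a Magisk mirror mount plus a module overlay on /system/etc. */
static const char kRootedMounts[] =
    "/dev/block/dm-0 / ext4 ro,seclabel,relatime 0 0\n"
    "magisk /sbin/.magisk/mirror/system ext4 ro,seclabel,relatime 0 0\n"
    "overlay /system/etc overlay ro,seclabel,relatime,lowerdir=/system/etc 0 0\n"
    "tmpfs /dev tmpfs rw,seclabel,nosuid,relatime 0 0\n";

/* Constructed sample: nothing suspicious. */
static const char kCleanMounts[] =
    "/dev/block/dm-0 / ext4 ro,seclabel,relatime 0 0\n"
    "tmpfs /dev tmpfs rw,seclabel,nosuid,relatime 0 0\n";

int main(void) {
    printf("su binaries present: %d\n", count_existing_paths(kSuPaths, N_SU_PATHS));
    printf("test-keys build: %d\n", build_tags_suspicious("test-keys"));
    printf("root mounts (rooted sample): %d\n", count_root_mounts(kRootedMounts));
    printf("root mounts (clean sample): %d\n", count_root_mounts(kCleanMounts));
    return 0;
}
```

Each check on its own is easy to hide from (KernelSU keeps no su binary on disk, and Magisk's hiding features unmount its paths for selected processes), which is why detection code combines several signals and treats any one hit as a score rather than a verdict.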
```cpp
// Zygisk module structure (zygisk.hpp comes with the Zygisk module template)
#include "zygisk.hpp"

class Module : public zygisk::ModuleBase {
public:
    void onLoad(zygisk::Api *api, JNIEnv *env) override {
        this->api = api;
        this->env = env;
    }
    void preAppSpecialize(zygisk::AppSpecializeArgs *args) override {
        // Before the app process is specialized (args carry the package info)
    }
    void postAppSpecialize(const zygisk::AppSpecializeArgs *args) override {
        // After the app process is specialized - inject here
    }

private:
    zygisk::Api *api;
    JNIEnv *env;
};

// Register the module class with Zygisk
REGISTER_ZYGISK_MODULE(Module)
```
```objectivec
// Using Logos (Theos): swizzle an Objective-C method
%hook TargetClass
- (int)targetMethod:(int)arg {
    int result = %orig; // call the original implementation
    return result * 2;  // Modify return
}
%end
```
1. Locate libil2cpp.so (Android) or UnityFramework (iOS)
2. Find global-metadata.dat
3. Run IL2CPPDumper
4. Generate SDK/headers
5. Hook target functions
1. Extract managed DLLs
2. Decompile with dnSpy/ILSpy
3. Modify and repackage
4. Or hook at runtime
- Currency/coins values
- Player stats (health, damage)
- Inventory manipulation
- Premium unlocks
- Ad removal
1. Identify UE version
2. Dump SDK using appropriate tool
3. Locate GObjects, GNames
4. Find target functionality
5. Apply memory patches or hooks
```cpp
// Native surface overlay
#include <android/native_window_jni.h>

// `surface` is the android.view.Surface jobject handed over from Java
ANativeWindow* window = ANativeWindow_fromSurface(env, surface);
// Render onto `window` using OpenGL ES or Vulkan
```
```javascript
// Frida universal SSL bypass
Java.perform(function () {
  var X509TrustManager = Java.use("javax.net.ssl.X509TrustManager");
  var TrustManager = Java.registerClass({
    name: "com.example.TrustAllManager", // placeholder; registerClass needs a class name
    implements: [X509TrustManager],
    methods: {
      checkClientTrusted: function (chain, authType) {},
      checkServerTrusted: function (chain, authType) {},
      getAcceptedIssuers: function () { return []; }
    }
  });
  // Install custom TrustManager
});
```
- Root/jailbreak detection
- Frida detection
- Emulator detection
- Integrity checks
- Debugger detection
- Hook detection
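As an added example (not code from awesome-game-security or any listed tool), here are two of the checks above from the anti-cheat side, written in C as they would run inside the game process: a scan of /proc/self/maps for Frida artifacts, and a hash of a sensitive function's entry bytes that is recorded at startup and recomputed later to catch inline hooks. The marker strings are assumed common names rather than a complete list, `compute_damage` is a hypothetical protected function, and the maps text is constructed so the example runs offline.

```c
/* Added example (not from awesome-game-security): Frida and inline-hook checks.
 * Marker names are assumptions; the maps text below is constructed sample data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Library names and the server's default temp directory that show up in the
 * mappings of a Frida-injected process (assumed common names, not exhaustive). */
static const char *const kFridaMarkers[] = {
    "frida-agent", "frida-gadget", "linjector", "re.frida.server",
};
#define N_FRIDA_MARKERS (sizeof kFridaMarkers / sizeof kFridaMarkers[0])

/* Count mappings whose backing path matches a marker. Each maps line is
 * "start-end perms offset dev inode [path]"; the path is the first '/' onward,
 * anonymous regions ("[anon:...]") have no path and are skipped. */
int count_frida_mappings(const char *maps_text) {
    int hits = 0;
    const char *line = maps_text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        const char *path = strchr(buf, '/');
        if (path) {
            for (size_t i = 0; i < N_FRIDA_MARKERS; i++) {
                if (strstr(path, kFridaMarkers[i])) { hits++; break; }
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return hits;
}

/* FNV-1a over the first n bytes at fn. Record it at startup for sensitive
 * functions and recompute later: an inline hook overwrites the entry with a
 * trampoline, so the hash changes (use the same n both times). */
uint64_t prologue_hash(const void *fn, size_t n) {
    const unsigned char *p = (const unsigned char *)fn;
    uint64_t h = 14695981039346656037ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* 1 if the entry bytes no longer match the recorded hash. */
int prologue_tampered(const void *fn, size_t n, uint64_t recorded) {
    return prologue_hash(fn, n) != recorded;
}

/* Hypothetical function worth protecting; noinline keeps it a real symbol
 * whose entry bytes can be hashed. */
__attribute__((noinline)) int compute_damage(int base, int multiplier) {
    return base * multiplier + 7;
}

/* Constructed sample: the game library, a Frida agent, an anonymous region, libc. */
static const char kSampleMaps[] =
    "7f1a2b000000-7f1a2b020000 r-xp 00000000 fd:01 1234 /data/app/com.example.game/lib/arm64/libgame.so\n"
    "7f1a2c000000-7f1a2c100000 r-xp 00000000 fd:01 5678 /data/local/tmp/re.frida.server/frida-agent-64.so\n"
    "7f1a2d000000-7f1a2d001000 rw-p 00000000 00:00 0 [anon:libc_malloc]\n"
    "7f1a2e000000-7f1a2e010000 r-xp 00000000 fd:01 9999 /system/lib64/libc.so\n";

int main(void) {
    uint64_t recorded = prologue_hash((const void *)compute_damage, 16);
    printf("frida mappings: %d\n", count_frida_mappings(kSampleMaps));
    printf("prologue tampered: %d\n",
           prologue_tampered((const void *)compute_damage, 16, recorded));
    return 0;
}
```

On a device the maps scan reads the real /proc/self/maps, and the prologue hashes are taken before any untrusted code could run (ideally in a constructor of the game library) and re-checked from more than one place, since a hook placed on the checker itself is the obvious counter.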
1. Static analysis of detection code
2. Hook detection functions
3. Hide injection footprint
4. Timing attack consideration
5. Clean environment emulation
- stackplz: eBPF-based stack trace tool for Android
- eDBG: eBPF-powered debugger for Android processes
- tracee: Aqua Security's eBPF runtime security tool (Linux/Android)
- eBPF hooking: attach to tracepoints, kprobes, uprobes without kernel module
- No kernel module compilation required (runs in eBPF VM)
- Works on stock GKI kernels with BTF support
- Lower detection surface than kernel driver injection
- CO-RE (Compile Once, Run Everywhere) portability
- Safe: eBPF verifier prevents kernel crashes
- Loadable kernel module (LKM) for older kernels
- GKI-compatible modules via vendor_dlkm partition
- Kernel build scripts: build from AOSP source or vendor BSP
- Device Trees: hardware description for board-specific drivers
- Process memory access: /dev/custom_mem → read/write target process
- Syscall hooking: __NR_read, __NR_write interception
- Binder hooking: intercept IPC transactions
- GPU memory inspection: access GPU buffers directly
- AOSP Common Kernel (ACK): google/common branch
- GKI: Generic Kernel Image for Android 12+
- Vendor-specific: Qualcomm (CodeAurora), MediaTek, Samsung Exynos
- Build system: build/build.sh or Bazel-based (newer)
- HarmonyOS (Huawei): abc file format for compiled apps
- arkdecompiler: decompile HarmonyOS abc bytecode
- OpenHarmony: open-source base, growing ecosystem
- Security model differs from Android: distributed capabilities
- Reverse engineering challenges: new bytecode VM, different IPC
- WebView RCE (CVE-based exploit chains)
- Intent redirection / deep link abuse
- Content provider data leaks
- Serialization vulnerabilities (Parcel, Bundle)
- Use-after-free in Binder driver
- Privilege escalation via ion/DMA-BUF
- GPU driver vulnerabilities (Adreno, Mali, PowerVR)
- SELinux policy bypass chains
- Reference: Android Security Bulletins (monthly)
- Build.FINGERPRINT checks
- Hardware sensor verification
- File system characteristics
- Performance timing
The README contains:
Important: this skill provides conceptual guidance and overview information. For details, use the following sources:
Fetch the main README for the full curated list of repositories, tools, and descriptions: