Android Hidden Api Bypass

Bypass restrictions on non-SDK interfaces.

Why HiddenApiBypass?

• Pure Java: no native code used.
• Reliable: does not rely on specific behaviors, so it will not be blocked like meta-reflection or dexfile.
• Stable: does not rely on internal ART structures on Android 10+. Unsafe and setHiddenApiExemptions are stable APIs.

And LSPass?

• Fast: no I/O, initializing faster than HiddenApiBypass.
• Safe: no Unsafe.
• Unreliable: can be blocked as easily as meta-reflection.

How it works

HiddenApiBypass: Unsafe

LSPass: Property.of()

Integration

Gradle:

repositories {
    mavenCentral()
}
dependencies {
    implementation 'org.lsposed.hiddenapibypass:hiddenapibypass:+'
}

Usage

This library has two variants of bypassing, they have the same API. When initializing, LSPass is faster than HiddenApiBypass, but LSPass maybe blocked in future Android releases. Replace HiddenApiBypass with LSPass if you do not want to use Unsafe.

1. Invoke a restricted method:

   HiddenApiBypass.invoke(ApplicationInfo.class, new ApplicationInfo(), "usesNonSdkApi"/*, args*/)
2. Invoke restricted constructor:

   Object instance = HiddenApiBypass.newInstance(Class.forName("android.app.IActivityManager$Default")/*, args*/);
3. Get all methods including restricted ones from a class:

   var allMethods = HiddenApiBypass.getDeclaredMethods(ApplicationInfo.class);
   ((Method).stream(allMethods).filter(e -> e.getName().equals("usesNonSdkApi")).findFirst().get()).invoke(new ApplicationInfo());
4. Get all non-static fields including restricted ones from a class:

   var allInstanceFields = HiddenApiBypass.getInstanceFields(ApplicationInfo.class);
   ((Method).stream(allInstanceFields).filter(e -> e.getName().equals("longVersionCode")).findFirst().get()).get(new ApplicationInfo());
5. Get all static fields including restricted ones from a class:

   var allStaticFields = HiddenApiBypass.getStaticFields(ApplicationInfo.class);
   ((Method).stream(allStaticFields).filter(e -> e.getName().equals("HIDDEN_API_ENFORCEMENT_DEFAULT")).findFirst().get()).get(null);
6. Get specific class method or class constructor

   var ctor = HiddenApiBypass.getDeclaredConstructor(ClipDrawable.class /*, args */);
   var method = HiddenApiBypass.getDeclaredMethod(ApplicationInfo.class, "getHiddenApiEnforcementPolicy" /*, args */);
7. Add a class to exemption list:

   HiddenApiBypass.addHiddenApiExemptions(
       "Landroid/content/pm/ApplicationInfo;", // one specific class
       "Ldalvik/system" // all classes in packages dalvik.system
       "Lx" // all classes whose full name is started with x
   );
   if you are going to add all classes to exemption list, just leave an empty prefix:

   HiddenApiBypass.addHiddenApiExemptions("");

License

Copyright 2021-2025 LSPosed

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.