https://github.com/okhsunrog/vpnhide/compare/v0.5.3...v0.6.0/

Hide an active Android VPN connection from selected apps. Why VPN Hide over alternatives? Existing modules like NoVPNDetect and NoVPNDetect Enhanced only cover Java API detection and hook inside the target app's process via Xposed. This has two critical problems: 1. Invisible to anti-tamper? — any app with memory injection checks detects the Xposed hooks and refuses to work. The NoVPNDetect Enhanced author explicitly states: "The module will not work if the target app has LSPosed protection or memory injection checks. For example, MirPay, T-Bank." 2. No native coverage — apps using C/C++ code, cross-platform frameworks (Flutter, React Native), or direct syscalls can detect VPN through ioctl, getifaddrs, netlink sockets, and /proc/net/*. These vectors are completely missed by Java-only hooks. VPN Hide solves both problems with a two-layer architecture: Layer 1 — Java API (LSPosed module): hooks system_server, not the target app. NetworkCapabilities, NetworkInfo, and LinkProperties are filtered at the Binder level before data reaches the app's process. The app receives clean data over IPC — no injection into its process, nothing for anti-tamper to detect. Layer 2 — Native (kmod or Zygisk): covers every native detection path: - kmod (recommended) — kernel-level kretprobe hooks. Filters ioctl (SIOCGIFFLAGS, SIOCGIFNAME, SIOCGIFCONF), getifaddrs/netlink dumps (RTM_GETLINK, RTM_GETADDR), and /proc/net/* reads — all before the syscall returns to userspace. Zero in-process footprint. No library injection. Nothing to detect. - Zygisk (alternative) — inline-hooks libc.so inside the app process. Same native coverage as kmod but runs in-process, so it's theoretically detectable by advanced anti-tamper. Use this if your kernel isn't supported by kmod. The target app's process is completely untouched (with kmod + LSPosed) — no Xposed, no inline hooks, no modified memory regions. This makes VPN Hide work with MirPay, T-Bank, Alfa-Bank and other banking/government apps that actively detect and block Xposed-based modules. Which modules do I need? You always need the VPN Hide app (the main APK) plus one native module. The app's Dashboard will detect your device and recommend the right one: - kmod (recommended) — fully out-of-process, invisible to anti-tamper. Requires a supported GKI kernel. - Zygisk — use this if your kernel isn't supported by kmod. See Install for step-by-step instructions. Install Download the latest release. Step 1 — VPN Hide app + LSPosed 1. Install the VPN Hide APK as a regular app. 2. In LSPosed manager, enable the VPN Hide module and add System Framework to its scope. 3. Reboot (required — LSPosed hooks are injected into system_server at boot, so the module must be active before system_server starts). 4. Open the VPN Hide app and grant it root access (Magisk will prompt automatically; on KernelSU-Next, grant permission manually in the manager). Step 2 — Native module Open the VPN Hide app. The Dashboard tab will detect your device and kernel, and tell you exactly which native module to install: - If your kernel is supported, it will recommend a specific kmod file (e.g. vpnhide-kmod-android14-6.1.zip). - If not, it will recommend the Zygisk module (vpnhide-zygisk.zip). Install the recommended module: - kmod: via KernelSU-Next manager -> Modules -> Install from storage. - Zygisk: via KernelSU-Next or Magisk manager -> Modules. Reboot after installing the native module. Step 3 — Select target apps Open the VPN Hide app -> Apps tab. Use the L / K / Z toggles to control which protection layers apply to each app (LSPosed, Kernel module, Zygisk), or tap the row to toggle all layers at once. Tap Save. After changing targets, force-stop and restart the affected apps — hooks take effect on the next app launch. Note: some apps detect Zygisk hooks. For those apps, keep Z disabled and rely on kmod + LSPosed. Verify The app has a built-in diagnostics system that catches most setup problems automatically. Dashboard (runs on every app launch): - Module status for all three layers (installed, active, version, target count). - LSPosed configuration validation — reads the LSPosed database to verify that VPN Hide is enabled, System Framework is in scope, and no extra apps are scoped (a common misconfiguration). - Version mismatch detection — compares installed module versions with the running app version and tells you exactly what to update. - Native module recommendation — detects your kernel and maps it to the right kmod artifact, or recommends Zygisk if unsupported. - Live protection check (when VPN is active) — runs 16 native checks and 5 Java API checks to verify that VPN is actually hidden. Any issues found are shown as actionable cards with specific instructions. Diagnostics tab — detailed per-check breakdown with individual PASS/FAIL results for all 26 detection vectors. Useful for troubleshooting when the Dashboard shows partial protection. Split tunneling Works correctly with split-tunnel VPN configurations. Only the apps in the target list are affected. Detection apps that compare device-reported public IP against external checkers require split tunneling — the detection app's traffic must exit through the carrier, not the tunnel. Threat model VPN Hide hides an active VPN from specific apps. It is NOT designed for: - Hiding root or custom ROM presence. - Bypassing Play Integrity. - Fooling server-side detection (DNS leakage, IP blocklists, latency/TLS fingerprinting). Known limitations - kmod requires a GKI kernel with CONFIG_KPROBES=y (standard on Android 12+ devices). - LSPosed requires LSPosed, LSPosed-Next, or Vector. - Zygisk is arm64 only. - Direct svc #0 syscalls bypass Zygisk's libc hooks — that's what kmod is for. - Server-side detection is unfixable client-side — use split tunneling. License Copyright © 2025 okhsunrog MIT License