Fl0rk/ScreenProtectorKit-Spoof

ScreenProtectorKit Spoof

A Logos tweak to spoof screenshot and screen recording protections in ScreenProtectorKit.

Analysis

To understand how the library blocks screen capture, inspect the compiled Mach-O binary with a disassembler. Then search for the ScreenProtectorKit namespace to identify its core API.

By looking at related iOS system APIs, we can identify three defense layers used by the library:

1. Visual Layer (UITextField)

The library uses the common setSecureTextEntry: trick to hide the app UI during screenshots or screen recording.

2. Active Check Layer (UIScreen)

The screenIsRecording() function checks [UIScreen mainScreen].isCaptured directly to detect whether the screen is being recorded.

3. Event Detection Layer (NSNotificationCenter)

The screenshotObserver(using:) and screenRecordObserver(using:) functions show that the library listens for screenshot and screen recording notifications through NSNotificationCenter and forwards them to the Flutter layer.

The Spoof

To disable these protections, all three layers need to be handled separately. Hooking the usual addObserver:selector: is not enough here, because the library uses block-based observers instead.

Below is a breakdown of the Logos tweak (Tweak.x) and how it targets each layer.

1. Visual Layer (UITextField)

The library hides the app UI behind a secure text field so iOS will black out the screen. We spoof this by forcing setSecureTextEntry: to always use NO. We also spoof the getter in case the app checks the UI state.

%hook UITextField

- (void)setSecureTextEntry:(BOOL)secure {
    %orig(NO);
}

- (BOOL)isSecureTextEntry {
    return NO;
}

%end

2. Active Check Layer (UIScreen)

The app also checks whether screen recording is active. We spoof isCaptured to always return NO, so the app always thinks screen recording is inactive.

%hook UIScreen

- (BOOL)isCaptured {
    return NO;
}

%end

3. Event Detection Layer (NSNotificationCenter)

The library reports screenshot and screen recording events to the Flutter layer. We spoof this by returning nil during observer registration, so the event handler cannot run.

%hook NSNotificationCenter

- (id)addObserverForName:(NSNotificationName)name object:(id)obj queue:(NSOperationQueue *)queue usingBlock:(void (^)(NSNotification *note))block {
    
    if ([name isEqualToString:UIApplicationUserDidTakeScreenshotNotification] ||
        [name isEqualToString:UIScreenCapturedDidChangeNotification]) {
        return nil; 
    }
    
    return %orig;
}

%end
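
From the defender's side, each of the three hooks above leaves a trace an app can check at runtime: the hooked methods no longer resolve to a system image, a secure text field stops reporting itself as secure, and block-based observer registration returns nil. The Objective-C check below is an added example, not part of this repository or of ScreenProtectorKit; the SPK-prefixed function names are hypothetical, and the system path prefixes are an assumption about on-device image paths.

```objc
// Added defensive example; not part of the tweak or of ScreenProtectorKit.
#import <UIKit/UIKit.h>
#import <objc/runtime.h>
#import <dlfcn.h>

// YES when the implementation of -[cls sel] resolves to a system image.
// Assumption: on a device, system frameworks report paths under
// /System/Library/ or /usr/lib/, while an injected dylib does not.
static BOOL SPKImpIsSystem(Class cls, SEL sel) {
    Method m = class_getInstanceMethod(cls, sel);
    Dl_info info;
    if (m == NULL) return NO;
    const void *imp = (const void *)method_getImplementation(m);
    if (dladdr(imp, &info) == 0 || info.dli_fname == NULL) return NO;
    NSString *path = @(info.dli_fname);
    return [path hasPrefix:@"/System/Library/"] || [path hasPrefix:@"/usr/lib/"];
}

// Behavioural probe: a secure text field must report itself as secure.
static BOOL SPKSecureEntrySticks(void) {
    UITextField *field = [[UITextField alloc] initWithFrame:CGRectZero];
    field.secureTextEntry = YES;
    return [field isSecureTextEntry];
}

// Behavioural probe: block-based registration must return an observer token.
static BOOL SPKObserverTokenReturned(void) {
    NSNotificationCenter *nc = [NSNotificationCenter defaultCenter];
    id token = [nc addObserverForName:UIApplicationUserDidTakeScreenshotNotification
                               object:nil queue:nil
                           usingBlock:^(NSNotification *note) {}];
    if (token == nil) return NO;
    [nc removeObserver:token];
    return YES;
}

// Call on the main thread. One entry per failed check; empty means clean.
NSArray<NSString *> *SPKTamperFindings(void) {
    NSMutableArray<NSString *> *out = [NSMutableArray array];
    SEL reg = @selector(addObserverForName:object:queue:usingBlock:);
    if (!SPKImpIsSystem(UITextField.class, @selector(setSecureTextEntry:)))
        [out addObject:@"UITextField setSecureTextEntry: IMP outside system image"];
    if (!SPKImpIsSystem(UIScreen.class, @selector(isCaptured)))
        [out addObject:@"UIScreen isCaptured IMP outside system image"];
    if (!SPKImpIsSystem(NSNotificationCenter.class, reg))
        [out addObject:@"NSNotificationCenter addObserverForName: IMP outside system image"];
    if (!SPKSecureEntrySticks()) [out addObject:@"secureTextEntry did not persist"];
    if (!SPKObserverTokenReturned()) [out addObject:@"observer registration returned nil"];
    return out;
}
```

These checks run in the same process as the injected dylib and can be hooked in turn, so they work best as a signal reported to the backend alongside server-side controls on what sensitive content is sent to the client.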

Example with CLICK-Ed

Spoof successful, with screenshots and screen recording working normally and no black screen.

Usage

Use Sideloadly to inject the dylib into the .ipa.

Disclaimer

This project is for educational and research purposes only.
