Advanced Mobile Security Research

The labs study modern mobile operating systems, analyze advanced techniques, and develop methods for understanding system behavior at the lowest levels of modern platforms.

Some of this research powers new capabilities added to DFFIND.

Some is shared through public blog posts and at conferences to advance understanding of how modern mobile systems behave.

Research Areas

01. Operating system internals
02. Kernel & system execution flows
03. Vulnerability classes and exploitation techniques
04. Reverse engineering of APTs & mobile malware
05. System-level threat detection methods

Xn00p

Object-Aware Kernel Introspection

Xn00p is a live kernel memory inspection and debugging toolkit developed by DFF Co-Founder & CTO Jonathan Levin, introduced in the *OS Internals series of books.

It enables direct, object-aware introspection of kernel memory on live systems or from kernel images, allowing researchers to traverse kernel structures and analyze system behavior at the level where advanced techniques execute.

Xn00p is used within DFF Labs for operating system research, reverse engineering, and development of mobile threat detection capabilities.

Platforms supported: macOS, iOS, and Linux. The access method varies by platform (kernel read primitives or device paths).

Xn00p Capabilities

Kernel inspection

Inspect kernel objects — tasks, ports, processes, threads — with human-readable output. Traverse complex structures with object-aware analysis.

Memory interpretation

Resolve pointers, map memory to kernel zones, and interpret raw memory as structured objects.

Kernel integrity analysis

Detect kernel patching by comparing runtime memory to expected structures and file-backed images.

Kernel modification

Apply precise kernel patches where write primitives are available, enabling controlled experimentation at runtime.

Snapshot and offline analysis

Dump live kernel memory to a core file and analyze existing kernel dumps (e.g. kdumpd).

Command-line & automation

Operate interactively or via scripts, with support for plugins and custom workflows.

Xn00p Licensing

Xn00p is available under a paid license to qualified researchers and organizations.
For licensing inquiries:
labs@df-f.com

Assistance Requests

Areas may include:
  • Advanced mobile malware
  • Unusual mobile system behavior
  • Operating system anomalies
  • Compromised mobile devices
  • Exploitation traces

DFF Labs may assist targets of APT attacks in investigating unusual mobile system behavior.

Collaboration is limited to a small number of cases, and we do not guarantee analysis.

Submit Artifacts for Review

Examples of materials that may be submitted include:
  • Malware samples
  • Suspicious application packages
  • iOS sysdiagnose archives
  • Android bug report archives
  • Crash logs
  • Forensic artifacts or diagnostic datasets
Please note:
  • Submission does not guarantee analysis or response
  • Materials may be used for research purposes
  • Submit only materials you are legally authorized to share
  • Sensitive personal data should be removed whenever possible
Dataflow Forensics reserves the right to decline or ignore submissions at its sole discretion.*

Responsible Use

The research conducted by DFF Labs involves advanced system capabilities and security-sensitive technologies.

Submissions and collaboration must comply with applicable laws and regulations. Do not submit unauthorized data, personal information obtained without permission, or classified material.

Dataflow Forensics reserves the right to decline requests or submissions at its sole discretion.

Additional terms and conditions apply.