DEV.co
Open-Source Security · ChiChou

grapefruit

Grapefruit is an open-source mobile security testing toolkit for iOS and Android that uses Frida to inspect, hook, and modify running apps through a web interface. It enables security researchers and testers to intercept function calls, monitor APIs, browse files and databases, and analyze app behavior at runtime.

Source: GitHub — github.com/ChiChou/grapefruit
1.3k
GitHub stars
107
Forks
TypeScript
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryChiChou/grapefruit
OwnerChiChou
Primary languageTypeScript
LicenseMIT — OSI-approved
Stars1.3k
Forks107
Open issues12
Latest releasev1.1.2 (2026-03-30)
Last updated2026-06-17
Sourcehttps://github.com/ChiChou/grapefruit

What grapefruit is

Built in TypeScript with a Node.js/Bun runtime, Grapefruit wraps the Frida instrumentation framework to provide structured method hooking, cryptographic API interception, memory scanning, and platform-specific features (Keychain/SQLite on iOS, JNI/Manifest on Android). It exposes functionality via a web UI and RPC interface, requiring Frida server already deployed on the target device.

Quickstart

Get the grapefruit source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/ChiChou/grapefruit.gitcd grapefruit# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Authorized Mobile App Security Assessment

Conduct runtime analysis of iOS and Android applications during authorized penetration testing or security audits. Hook native/managed functions, intercept crypto operations, and monitor sensitive API access to identify vulnerabilities and data leakage.

Runtime Behavior Analysis and Reverse Engineering

Inspect app structure (manifests, resources, symbols), examine SQLite databases, browse keychains, and trace method calls to understand app behavior without static analysis alone. Useful for threat modeling and identifying potential attack surfaces.

Privacy and Data Flow Monitoring

Monitor and log access to sensitive APIs (camera, microphone, location, sensors) and observe how data is encrypted, stored, and transmitted. Helpful for privacy compliance audits and identifying unintended data access patterns.

Implementation considerations

  • Frida server must be pre-installed and running on the target iOS or Android device before Grapefruit can attach; setup is a separate, non-trivial step per the official Frida docs.
  • Requires Node.js 22.18+ (or Bun for development builds). Prebuilt binaries are available for macOS, Linux, and Windows but are Bun-based; npm package is Node.js-based.
  • Supports both Frida 16 and 17 via CLI flag; default is Frida 17. Verify your Frida server version matches the Grapefruit configuration to avoid compatibility issues.
  • Web UI binds to 127.0.0.1:31337 by default. For remote or multi-user access, mandatory to place behind authenticated reverse proxy (e.g., Caddy); direct network exposure is insecure.
  • Optional LLM integration (Anthropic, OpenAI, Gemini, OpenRouter) available for hook script generation; requires API key if enabled. Does not require it for core functionality.

When to avoid it — and what to weigh

  • No Built-in RASP Bypass Capabilities — If the target app uses modern runtime protection (Frida detection, certificate pinning, jailbreak detection), Grapefruit does not include bypasses. You must use external tools or custom Frida scripts first, adding complexity to assessments.
  • Unauthenticated Local Access Only — Grapefruit binds to 127.0.0.1 by default with no authentication. Avoid deploying it on shared machines or networks without reverse proxy protection; any local process can access all functionality.
  • Production or Non-Authorized Use — This is an instrumentation tool designed for authorized testing only. Using it against apps or devices without explicit permission violates terms of service and may break laws. Not suitable for unauthorized mobile surveillance or app tampering.
  • Windows/Linux Native Development Debugging — Grapefruit is mobile-specific. If you need to debug desktop or backend applications, or if you require integrated IDE debugging (not web-based inspection), other tools are more appropriate.

License & commercial use

Licensed under MIT (MIT License). This is a permissive OSI-approved license allowing modification, distribution, and private use with minimal restrictions (attribution and license notice required).

MIT license permits commercial use of Grapefruit itself. However, using it to test third-party apps or devices without authorization may violate app terms of service, device vendor policies, or local laws. Ensure you have explicit permission from app owners and device holders before conducting security assessments. No warranty or support is provided; production use requires your own security review and incident response plan.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Grapefruit itself does not validate the security posture of the apps it inspects. No built-in authentication for the web UI; relies on localhost binding and reverse proxy (if remote). Frida attachment requires elevated privileges on the device (jailbreak/root). No exploit details are provided in documentation; it is a testing framework, not a vulnerability scanner. Use only in controlled environments with proper access controls and incident response procedures. Ensure informed consent from device owners.

Alternatives to consider

Frida + Custom Scripts

Grapefruit is built on Frida; if you prefer CLI-only or custom instrumentation, use Frida directly. More flexible but requires manual script writing and less polished UI.

Burp Suite Mobile Assistant / Charles Proxy

Focused on network traffic capture and MITM testing rather than runtime hooking and memory inspection. Better for API and web service testing; weaker for native code analysis.

Objection (Frida-based)

Another Frida wrapper with CLI REPL, focused on rapid ad-hoc exploration. Lighter weight and more command-line oriented than Grapefruit's web UI; less structured for organized assessments.

Software development agency

Build on grapefruit with DEV.co software developers

Grapefruit is a powerful, free toolkit for authorized runtime analysis of iOS and Android apps. Contact us to discuss integration with your security testing pipeline, reverse proxy deployment, or custom Frida bypass strategies for protected apps.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

grapefruit FAQ

Do I need root/jailbreak on the device?
Yes. Frida server (which Grapefruit requires) needs elevated privileges to attach to and instrument app processes. You must have a jailbroken iOS device or rooted Android device.
Can I use Grapefruit to test production apps I don't own?
No. Grapefruit is for authorized security testing only. Using it against third-party apps without permission violates app licenses and may break laws. Always get explicit written consent from the app owner.
What if the app uses Frida detection or certificate pinning?
Grapefruit does not include built-in bypasses. You must use external Frida scripts or dedicated tools (e.g., Frida Syscall Tracer) to bypass RASP protections before or alongside Grapefruit, adding complexity.
Can I expose Grapefruit to my network or the internet?
Not directly. Grapefruit has no authentication. You must place it behind an authenticated reverse proxy (e.g., Caddy with TLS and access control) if remote access is needed. Do not expose it directly to untrusted networks.

Software developers & web developers for hire

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If grapefruit is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.

Evaluate Grapefruit for Your Mobile Security Assessment?

Grapefruit is a powerful, free toolkit for authorized runtime analysis of iOS and Android apps. Contact us to discuss integration with your security testing pipeline, reverse proxy deployment, or custom Frida bypass strategies for protected apps.