grapefruit
Grapefruit is an open-source mobile security testing toolkit for iOS and Android that uses Frida to inspect, hook, and modify running apps through a web interface. It enables security researchers and testers to intercept function calls, monitor APIs, browse files and databases, and analyze app behavior at runtime.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | ChiChou/grapefruit |
| Owner | ChiChou |
| Primary language | TypeScript |
| License | MIT — OSI-approved |
| Stars | 1.3k |
| Forks | 107 |
| Open issues | 12 |
| Latest release | v1.1.2 (2026-03-30) |
| Last updated | 2026-06-17 |
| Source | https://github.com/ChiChou/grapefruit |
What grapefruit is
Built in TypeScript with a Node.js/Bun runtime, Grapefruit wraps the Frida instrumentation framework to provide structured method hooking, cryptographic API interception, memory scanning, and platform-specific features (Keychain/SQLite on iOS, JNI/Manifest on Android). It exposes functionality via a web UI and RPC interface, requiring Frida server already deployed on the target device.
Get the grapefruit source
Clone the repository and explore it locally.
git clone https://github.com/ChiChou/grapefruit.gitcd grapefruit# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Frida server must be pre-installed and running on the target iOS or Android device before Grapefruit can attach; setup is a separate, non-trivial step per the official Frida docs.
- Requires Node.js 22.18+ (or Bun for development builds). Prebuilt binaries are available for macOS, Linux, and Windows but are Bun-based; npm package is Node.js-based.
- Supports both Frida 16 and 17 via CLI flag; default is Frida 17. Verify your Frida server version matches the Grapefruit configuration to avoid compatibility issues.
- Web UI binds to 127.0.0.1:31337 by default. For remote or multi-user access, mandatory to place behind authenticated reverse proxy (e.g., Caddy); direct network exposure is insecure.
- Optional LLM integration (Anthropic, OpenAI, Gemini, OpenRouter) available for hook script generation; requires API key if enabled. Does not require it for core functionality.
When to avoid it — and what to weigh
- No Built-in RASP Bypass Capabilities — If the target app uses modern runtime protection (Frida detection, certificate pinning, jailbreak detection), Grapefruit does not include bypasses. You must use external tools or custom Frida scripts first, adding complexity to assessments.
- Unauthenticated Local Access Only — Grapefruit binds to 127.0.0.1 by default with no authentication. Avoid deploying it on shared machines or networks without reverse proxy protection; any local process can access all functionality.
- Production or Non-Authorized Use — This is an instrumentation tool designed for authorized testing only. Using it against apps or devices without explicit permission violates terms of service and may break laws. Not suitable for unauthorized mobile surveillance or app tampering.
- Windows/Linux Native Development Debugging — Grapefruit is mobile-specific. If you need to debug desktop or backend applications, or if you require integrated IDE debugging (not web-based inspection), other tools are more appropriate.
License & commercial use
Licensed under MIT (MIT License). This is a permissive OSI-approved license allowing modification, distribution, and private use with minimal restrictions (attribution and license notice required).
MIT license permits commercial use of Grapefruit itself. However, using it to test third-party apps or devices without authorization may violate app terms of service, device vendor policies, or local laws. Ensure you have explicit permission from app owners and device holders before conducting security assessments. No warranty or support is provided; production use requires your own security review and incident response plan.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
Grapefruit itself does not validate the security posture of the apps it inspects. No built-in authentication for the web UI; relies on localhost binding and reverse proxy (if remote). Frida attachment requires elevated privileges on the device (jailbreak/root). No exploit details are provided in documentation; it is a testing framework, not a vulnerability scanner. Use only in controlled environments with proper access controls and incident response procedures. Ensure informed consent from device owners.
Alternatives to consider
Frida + Custom Scripts
Grapefruit is built on Frida; if you prefer CLI-only or custom instrumentation, use Frida directly. More flexible but requires manual script writing and less polished UI.
Burp Suite Mobile Assistant / Charles Proxy
Focused on network traffic capture and MITM testing rather than runtime hooking and memory inspection. Better for API and web service testing; weaker for native code analysis.
Objection (Frida-based)
Another Frida wrapper with CLI REPL, focused on rapid ad-hoc exploration. Lighter weight and more command-line oriented than Grapefruit's web UI; less structured for organized assessments.
Build on grapefruit with DEV.co software developers
Grapefruit is a powerful, free toolkit for authorized runtime analysis of iOS and Android apps. Contact us to discuss integration with your security testing pipeline, reverse proxy deployment, or custom Frida bypass strategies for protected apps.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
grapefruit FAQ
Do I need root/jailbreak on the device?
Can I use Grapefruit to test production apps I don't own?
What if the app uses Frida detection or certificate pinning?
Can I expose Grapefruit to my network or the internet?
Software developers & web developers for hire
DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If grapefruit is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.
Evaluate Grapefruit for Your Mobile Security Assessment?
Grapefruit is a powerful, free toolkit for authorized runtime analysis of iOS and Android apps. Contact us to discuss integration with your security testing pipeline, reverse proxy deployment, or custom Frida bypass strategies for protected apps.