Grapefruit

Open-source mobile security testing suite

Instrumentation, data inspection, and decompilation — all in your browser.

URL Schemes

Enumerate all registered URL schemes and deep links. Compose and send custom URLs directly to the app on device to test input validation, authentication bypasses, and inter-app communication attack surfaces.

URL Schemes, Data Inspection, WebView Inspector, Runtime Exploration, Live Disassembly, Instrumentation

Interactive Decompiler

Drop a file and start reversing. No device, no setup — powered by radare2 and WebAssembly, runs entirely in your browser.

Hermes Bytecode

Standalone bytecode viewer for React Native apps. Functions, strings, disassembly, and AI decompilation — no device needed.

Executable Binaries

Split view with control flow graph, disassembly, and decompiler. Supports native ELF/Mach-O, DEX, and any format radare2 understands.

Making mobile auditing easier

Web-Based UI

Stop switching between terminal tabs. Grapefruit gives you class browsers, thread inspectors, file previews, and network monitors in one place.

Cross-Platform

Runs on macOS, Windows, and Linux. Access your research workspace from any modern browser.

Agent Skills

Extend your AI coding agent with security audit skills.

Dark or light

Comfortable for the long sessions.

Ready to start?

Grapefruit is free and open source. Install and start your research today.