A cutting-edge Frida-based tool for bypassing certificate pinning and intercepting network traffic from mobile applications that resist traditional proxy methods.
Traditional proxy tools like Burp Suite fail when dealing with:
- π± Mobile Device Management (MDM) applications
- π Certificate pinning implementations
- π‘οΈ Custom security protocols
- π TLS/SSL bypass restrictions
- π Devices using VPN connections
KnoxSpy solves this by hooking directly into popular network libraries at runtime, even when the API traffic is routed through a VPN.
- Runtime Hooking: Bypass certificate pinning and security restrictions
- Multi-Platform: Android (OkHttp3, Flutter) and iOS (Alamofire/AFNetworking) support
- Real-Time Analysis: Live traffic capture and analysis
- Multi-User Support: Android work profiles and secondary user support
- Traffic Replay: Replay captured requests for testing
- Request Repeater: Modify and replay captured requests with multi-tab support
- Session Management: Multiple concurrent testing sessions
- Vue.js Frontend: Responsive, intuitive web interface
- WebSocket Integration: Real-time updates and communication
- Keyboard Shortcuts: Quick actions (Cmd+L sidebar, Cmd+F search, Cmd+D replay)
- Flutter HTTP: Intercept traffic from Flutter apps using the http package
- Flutter DIO: Support for Flutter apps using the Dio HTTP client
- Cross-Platform: Works with Flutter apps on Android devices
Create and manage multiple testing sessions with different devices and applications
Browse and select applications on connected Android and iOS devices
Automatically detect and attach to network libraries (OkHttp3 shown)
Capture, analyze, and modify network traffic in real-time
- Frida Server 16.2.1 installed on target device
- Node.js 18+ for development
- Android/iOS device with USB debugging enabled
Note: Android device has to be rooted
# Clone the repository
git clone https://github.com/appknox/knoxspy.git
cd knoxspy
# Install dependencies
cd app/gui && npm install
cd ../server && npm install
cd ../..
# Start the application
./knoxspy- Connect Device: Ensure Frida server is running on your target device
- Launch KnoxSpy: Run
./knoxspyto start both frontend and backend - Access Interface: Open http://localhost:5173 in your browser
- Create Session: Set up a new testing session
- Select App: Choose the target application from the device
- Select Library: Choose the library being used by the application
- Capture Traffic: Switch to the Proxy tab and start intercepting
- Frontend: Vue.js 3 + TypeScript + PrimeVue
- Backend: Node.js + Express + WebSocket
- Database: SQLite for session and library management
- Instrumentation: Frida + Custom JavaScript/TypeScript agents
| Platform | Library | Coverage |
|---|---|---|
| Android | OkHttp3 | β Full Support |
| Android | Flutter HTTP | β Full Support |
| Android | Flutter DIO | β Full Support |
| iOS | Alamofire | β Full Support |
| iOS | AFNetworking | β Full Support |
| Custom | User Scripts | β Extensible |
Upload your own Frida agents as ZIP files:
- Must contain
package.json - TypeScript source automatically compiled
- Stored in
libraries/directory - Database tracking for metadata
- Pre-configured libraries loaded from
config.yamlat startup
- MDM Security: Exposing hidden vulnerabilities in enterprise applications
- Mobile Pentesting: New methodologies for bypassing modern security measures
- Network Analysis: Advanced techniques for traffic interception
- Real-time MDM app analysis
- Certificate pinning bypass demonstrations
- Custom agent deployment
- Enterprise application security testing
KnoxSpy returns to the stage at Black Hat Europe 2025 with powerful new features:
- Flutter Application Support: Full interception capabilities for Flutter apps using HTTP and DIO libraries
- Request Repeater: Capture, modify, and replay network requests with an intuitive multi-tab interface
- Android Multi-User Support: Seamlessly analyze apps across work profiles and secondary users
- Enhanced UI: Modern Vue.js 3 interface with keyboard shortcuts for power users
- Cross-Framework Analysis: Breaking the barriers of Flutter's custom networking stack
- Enterprise MDM Evolution: Updated techniques for modern MDM security testing
- Real-Time Traffic Manipulation: Live request modification and replay demonstrations
- Authorized Testing Only: Use only on applications you own or have permission to test
- Research Purpose: Designed for defensive security research and penetration testing
- Compliance: Ensure compliance with local laws and regulations
- Session Isolation: Each testing session is properly isolated
- Secure Communication: WebSocket connections with proper validation
- File Validation: Uploaded agents undergo security checks
# Frontend development
cd app/gui
npm run dev
# Backend development
cd app/server
npm run dev
# Production build
cd app/gui
npm run build# Run frontend tests (when available)
cd app/gui
npm run test
# Run backend tests (when available)
cd app/server
npm run testWe welcome contributions from the security research community! Feel free to:
- Report bugs and issues
- Submit feature requests
- Contribute code improvements
- Share your custom Frida agents
- Improve documentation
- Security researchers and penetration testers
- Mobile application developers
- Network security professionals
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
KnoxSpy is developed by Appknox, a leading mobile security company dedicated to making mobile applications more secure through innovative security testing tools and platforms.
Star β this repository if you find it useful!
π Get Started β’ πΈ View Screenshots β’ π¬ Technical Details β’ π‘οΈ Security
Made with β€οΈ for the security research community