KnoxSpy breaks MDM/pinning

A pentesting tool, KnoxSpy, has demonstrated bypasses for MDM and certificate pinning on iOS apps — meaning device management and TLS pinning defenses can be weakened in the field. This is especially relevant for enterprise apps and any build relying solely on MDM protections. (x.com)

Appknox maintains KnoxSpy as an open-source repository on GitHub under an Apache‑2.0 license, with separate GUI and server folders and 50 commits listed in the project history. (github.com) The README names Frida Server 16.2.1 as a prerequisite and notes that Android targets require root access; the tool's injection model is Frida-based, using live runtime hooks. (github.com)

Repository docs show explicit support for the iOS networking stacks Alamofire and AFNetworking, for OkHttp3 on Android, and for the Flutter HTTP and Dio clients for cross-platform interception. (github.com) Built-in features include real-time traffic capture, a request repeater and traffic replay engine, multi-session management, and a Vue.js frontend with WebSocket integration for live updates. (github.com)

AppSec Village's DC 2025 agenda listed a session titled "Inside KnoxSpy," citing multiple real-world assessments where the tool provided deeper visibility into MDM‑protected applications. (appsecvillage.com) Security blogs and tool roundups have characterized KnoxSpy as "breaking the proxy barrier" for applications that resist conventional proxying, calling out Frida-based runtime hooking as the interception vector. (meterpreter.org) Appknox's 2025 blog on SSL pinning bypass techniques catalogs eight approaches for bypassing pinning in iOS apps and positions tooling like KnoxSpy within that tester-oriented toolkit. (appknox.com)
