A DPI (Deep Packet Inspection) bypass tool for iOS and macOS. Inspired by SpoofDPI.
Spoofy is a local HTTP/SOCKS5 proxy that bypasses Deep Packet Inspection by fragmenting TLS ClientHello packets or routing selected domains through an Outline server.
⚠️ This project is fully vibe-coded.
- HTTP and SOCKS5 proxy — connect via Wi-Fi proxy settings, or directly from any app that supports proxies
- TCP and TLS fragmentation to bypass DPI
- DNS-over-HTTPS to bypass DNS-based blocking
- Outline (Shadowsocks) routing for selected domains
- Per-domain profiles with independent bypass strategies
- LAN access — share the proxy with other devices on your network
- Export settings
- No system-wide VPN — Spoofy is a local proxy, not a VPN. On iOS you can use it via Wi-Fi proxy settings or from an app that supports HTTP/SOCKS5 proxies (like Telegram). Cellular traffic is not covered. See App Store & VPN Mode for why.
- No official App Store release — you must sideload the app yourself or use the AltStore source. See App Store & VPN Mode for details.
- Vibe-coded — most of the code has never been reviewed by a human. Testing has been limited to running on a physical device and WireShark packet inspection. Use at your own risk.
Spoofy uses a profile system to apply different bypass strategies to different domains.
The Master (default) profile applies to all traffic that doesn't match any other profile.
You can create additional profiles for specific domains that need different settings.
Support wildcards:
| Pattern | Matches |
|---|---|
*.example.com |
www.example.com, api.example.com, etc. |
example.* |
example.com, example.org, etc. |
*.youtube.* |
www.youtube.com, m.youtube.co.uk, etc. |
Each profile has a Route Mode that determines how matched traffic is handled:
| Mode | Description |
|---|---|
| Split | DPI bypass — fragments TLS ClientHello using the configured split strategy (default) |
| VPN | Routes traffic through a VPN. For now only Outline (Shadowsocks) server is supported |
The core setting that determines how the TLS ClientHello packet is fragmented. Available modes:
| Mode | Description | When to Use |
|---|---|---|
| SNI | Splits each character of the hostname into a separate TCP packet | Most effective against SNI-based DPI. Try this first. |
| Chunk | Splits the ClientHello into fixed-size chunks | Use when SNI mode doesn't work. Adjust chunk size (1–1000 bytes). |
| Random | Applies random pattern-based splitting | Alternative when other modes are detected. |
| FirstByte | Sends the first byte separately, then the rest | Lightweight option, may work against simple DPI. |
| None | No fragmentation, plain relay | Use for domains that don't need bypassing. |
Recommendation: Start with SNI mode. If it doesn't work, try Chunk with a small chunk size (e.g., 1–5 bytes).
An additional layer of obfuscation. When enabled, the TLS handshake message is wrapped across multiple TLS records before the split mode is applied. This can help bypass DPI that reassembles TLS records before inspecting them.
Recommendation: Enable this if your chosen split mode alone doesn't work.
When VPN type is set to Outline, traffic matching that profile's domains is routed through an Outline-compatible Shadowsocks server.
To configure Outline routing paste your Outline server's ss:// access key into the Server Configuration field
Recommendation: Use Outline mode when you have access to an Outline server for domains where DPI bypass is not enough.
When enabled, DNS queries are sent over HTTPS instead of plain DNS, preventing your ISP or network from seeing which domains you're resolving.
- DoH Server URL — the DoH endpoint to use (default:
https://1.1.1.1/dns-query)
Recommendation: Enable this if your ISP blocks domains at the DNS level.
The port on which the local proxy server listens. Default is 8090.
When enabled, the proxy server binds to 0.0.0.0 instead of 127.0.0.1, allowing other devices on the same local network to connect to the proxy. Disabled by default.
This is useful when you want to route traffic from another device (e.g., a computer or tablet) through Spoofy running on your iPhone. On the other device, set the HTTP proxy to your iPhone's local IP address and the configured port.
You need to manually configure your iPhone's Wi-Fi proxy settings to route traffic through Spoofy.
- Start Spoofy — open the app and tap the start button to begin the proxy server
- Open Settings on your iPhone
- Tap Wi-Fi
- Tap the ⓘ icon next to your connected Wi-Fi network
- Scroll down to HTTP Proxy and tap Configure Proxy
- Select Manual
- Enter the following:
- Server:
127.0.0.1 - Port:
8090(or whatever port you configured in Spoofy) - Authentication: leave off
- Server:
- Tap Save
- Go to Settings → Wi-Fi → ⓘ (your network) → HTTP Proxy
- Change back to Off
AltStore source: https://raw.githubusercontent.com/ringolol/Spoofy/main/altstore/altsource.json
Spoofy is not available on the App Store and does not support VPN mode. Both require an Apple Developer Program membership ($99/year), which the developer does not have. Because of this:
- No App Store distribution — you need to build the app yourself with Xcode and sideload it onto your device (e.g., using a free Apple ID or AltStore) or use the AltStore source provided. Though the license permits anyone with a Developer account to publish Spoofy on the App Store.
- No VPN mode — iOS Network Extensions (which enable system-wide VPN-based proxying) require entitlements that are only available through the paid Developer Program. Instead, Spoofy works as a local proxy that you connect to via Wi-Fi proxy settings.
- Go to the Releases page
- Download
Spoofy-macOS.zipfrom the latest release - Extract the zip and move
Spoofy.appto your Applications folder - On first launch, macOS will block the app because it is not signed. Try openning the app and then go to System Settings → Privacy & Security, scroll down, and click Open Anyway
make install-macos
This builds the Mac Catalyst version, signs it with your development team, and copies it to /Applications.
- Start Spoofy and tap the start button
- Open System Settings → Network → Wi-Fi (or your active connection)
- Click Details… → Proxies
- Enable Web Proxy (HTTP) and Secure Web Proxy (HTTPS)
- Set both to
127.0.0.1port8090(or your configured port) - Click OK, then Apply
make release VERSION=1.2 DESCRIPTION="Bug fixes and improvements"
Bumps the Xcode project version, archives the app, updates altsource.json, and creates a GitHub Release.