ImKKingshuk
LockKnife
Python

LockKnife: The Ultimate Android Security Research Tool. A unified TUI workspace and headless CLI for deep Android security research, built for researchers and hackers. Powered by Python orchestration and a Rust-accelerated core, enabling AI agent–driven hacking, credential recovery/cracking, APK analysis, intelligence gathering, runtime inspection.

Last updated Jul 8, 2026
507
Stars
108
Forks
2
Issues
+1
Stars/day
Attention Score
89
Language breakdown
No language data available.
β–Έ Files click to expand
README

LockKnife Icon

LockKnife

The Ultimate Android Security Research Tool

Unified Android Security Research Platform

βš› Python First βš› Rust Accelerated βš›

Forensics, Analysis, Recovery, Runtime, and Intelligence in One Framework

LockKnife is a unified Android security research and forensic investigation toolkit built with Python orchestration and Rust-accelerated core. It provides a case-driven TUI workspace alongside a powerful headless CLI, enabling investigators and researchers to perform extraction, credential recovery, artifact analysis, runtime instrumentation, and reporting from a single modular framework. The platform integrates advanced capabilities including AI-assisted analysis, cryptocurrency wallet forensics, threat intelligence enrichment, APK inspection, runtime instrumentation, and multi-device investigation workflows. LockKnife supports modern Android ecosystems, including passkey artifacts (Android 14+), Private Space analysis (Android 15+), and evolving device security models. With a growing ecosystem of specialized modules covering device forensics, credential recovery, APK analysis, runtime inspection, network analysis, and security auditing, LockKnife enables security researchers to orchestrate complex Android investigations and generate professional forensic reports within one unified research environment.

Connect your device and begin advanced Android security research.


[Platform]() [Version]() [License]()

Website


New Era: Python + Rust Rewrite (v1.x)

  • Python orchestrates CLI, device I/O, modules, reporting, and integrations.
  • Rust powers performance-critical primitives (hashing/crypto, bruteforce, bulk parsing).
  • The legacy Bash-only edition ended at v0.4.x (see [CHANGELOG.md]).

Installation

Curl (macOS, Linux, Windows)

curl -fsSL https://lockknife.vercel.app/install | bash

Homebrew (macOS)

brew install ImKKingshuk/tap/lockknife

Quick Start

TUI (Default)

lockknife

CLI (Headless)

lockknife --cli

OR

lockknife --headless

Old Classic Interactive Mode

lockknife interactive

Product Priority

  • TUI is the main product and default experience. Use lockknife for day-to-day investigations, case-driven workflows, result review, and operator-guided execution.
  • Headless CLI is the secondary surface. Use lockknife --cli ... or lockknife --headless for quick one-off tasks, scripting, CI, and remote/headless environments.
  • Classic interactive mode is legacy convenience. Use lockknife interactive only when you specifically want the older menu flow.

TUI

Keybindings

| Action | Keys | |--------|------| | Quit | q | | Navigate panels | Tab | | Move selection | Arrow keys | | Open action menu | Enter | | Search modules/output | / | | Help | ? | | Theme cycle | t | | Config editor | c | | Export last result | e | | Result viewer | v | | Page scroll modules | PageUp / PageDown | | Adjust panel height | Ctrl + Up / Ctrl + Down | | Copy result in viewer | y |

TUI vs CLI

| Mode | Best for | Command | |------|----------|---------| | TUI (primary) | Interactive investigation, multi-step workflows, live output, case-first operations | lockknife | | CLI / headless (secondary) | Quick tasks, automation, scripting, CI, headless servers | lockknife --cli or lockknife --headless |

TUI positioning vs ALEAPP, MobSF, drozer, objection, and Frida CLI

LockKnife is designed as a case-first operator workspace that spans extraction, runtime, APK review, reporting, and enrichment. The tools below are still valuable, but they solve narrower slices of the Android investigation workflow.

| Tool | Primary strength | Main surface | Best at | Gaps relative to LockKnife | |------|------------------|--------------|---------|--------------------------------| | LockKnife | Unified case-driven Android investigations | Terminal TUI + CLI | Coordinating extraction, forensics, runtime, APK review, reporting, and enrichment from one workspace | N/A | | ALEAPP | Artifact parsing and report generation from device dumps/backups | CLI/report pipeline | Normalizing mobile artifacts into investigator-friendly reports | No integrated runtime instrumentation, APK review, live case workspace, or operator TUI | | MobSF | Mobile app static/dynamic analysis | Web UI | APK/IPA-focused security review and sandbox analysis | Not a case-first device forensics workspace; weaker on extraction/runtime/operator orchestration | | drozer | Android attack-surface assessment | CLI shell | IPC exposure, exported components, and app security probing | Not a reporting/forensics/timeline platform; no integrated case workflow | | objection | Frida-assisted runtime exploration | Interactive CLI | Runtime hooks, method browsing, and rapid app introspection | Not a full evidence, reporting, or case-management surface | | Frida CLI | Low-level instrumentation primitives | CLI | Raw attach/spawn/script workflows and custom tracing | No case model, extraction/reporting pipeline, or investigator-friendly orchestration layer |

Capability comparison: LockKnife vs specialist Android tools

| Capability | LockKnife | ALEAPP | MobSF | drozer | objection | Frida | |------------|:---------:|:------:|:-----:|:------:|:---------:|:---------:| | Case workspace, artifact lineage, integrity | βœ… Native | ⚠️ Report-centric | ❌ | ❌ | ❌ | ❌ | | Device artifact extraction / acquisition helpers | βœ… | βœ… | ❌ | ❌ | ❌ | ❌ | | Timeline + cross-artifact investigation workflow | βœ… | ⚠️ Artifact-focused | ❌ | ❌ | ❌ | ❌ | | APK static review | βœ… | ❌ | βœ… | ⚠️ Limited | ❌ | ❌ | | Runtime instrumentation | βœ… | ❌ | ⚠️ Sandbox-centric | βœ… | βœ… | βœ… | | Chain-of-custody / executive + technical reporting | βœ… | βœ… | βœ… | ❌ | ❌ | ❌ | | Guided operator workspace (TUI-first) | βœ… Primary | ❌ | ❌ Web UI instead | ❌ | ❌ | ❌ | | Headless automation / scripting | βœ… | βœ… | ⚠️ Server workflow | βœ… | βœ… | βœ… |

Use LockKnife when you want one operator surface for the broader investigation lifecycle, and pair it with ALEAPP/MobSF/drozer/objection when you need their specialist depth.

Features Status Legend

| Icon | Status | Meaning | |------|--------|---------| | βœ… | production-ready | Stable core workflow with strong local/offline behavior | | πŸ”§ | functional | Useful and working, with practical constraints | | πŸ”¬ | best-effort | Works in some environments, but highly device/app/version dependent | | 🚧 | experimental | Early workflow with notable limitations | | πŸ”‘ | dependency-gated | Requires optional extras, external tools, or credentials |


Current Capabilities (v1.1.0)

Core Platform

  • βœ… Python CLI with subcommands: device, crack, extract, forensics, apk, report, security, intel, ai, network, crypto-wallet, exploit
  • πŸ”§ Full-screen TUI by default (lockknife) as the primary product surface; headless CLI via --cli / --headless for quick/headless tasks
  • βœ… Classic menu UI via lockknife interactive
  • βœ… Config loading via lockknife.toml (with legacy lockknife.conf mapping)
  • βœ… Structured logging (console/JSON) and consistent output formatting
  • βœ… Shell completion via lockknife completion <shell>
  • βœ… Structured error hierarchy with unique error codes (LK-0001 through LK-7001) for precise troubleshooting
  • βœ… Rate limiter module for API call throttling
  • βœ… Code quality enforcement with ruff, ty (Python) and clippy, rustfmt (Rust)
  • βœ… Fuzz testing for critical Rust parsers (correlate, parsedexheader, sqlite_table)
  • βœ… TUI exploit management panel with evidence analysis, scan results, and navigation controls
  • βœ… Graceful TUI shutdown with signal handling and terminal state restoration
  • βœ… Reorganized TUI callback modules for better maintainability and performance

Rust Core (Native)

  • βœ… Hashing/HMAC + AES-GCM helpers
  • βœ… High-speed PIN bruteforce and dictionary attacks
  • βœ… Binary helpers (DEX/ELF headers), pattern scanning, IPv4 parsing
  • βœ… SQLite bulk table extraction to JSON and artifact correlation primitives
  • βœ… MD5-based YARA rule caching with Arc shared ownership and FIFO eviction policy
  • βœ… Rust exploitation primitives: packet crafting/parsing for WiFi/Bluetooth, WPS utilities, parallel network port scanner, WPA handshake cracking with Rayon

Device & Orchestration

  • πŸ”§ ADB management: list/connect/info/shell (lockknife device ...)
  • πŸ”§ Multi-device parallel execution for supported operations
  • πŸ”§ Feature coverage depends on device access level (userdebug/root), OEM paths, and Android version

Features

Credentials & Recovery

  • βœ… Offline PIN bruteforce (lockknife crack pin) (Rust)
  • βœ… Offline dictionary attack (lockknife crack password) (Rust)
  • βœ… Rule-based password mutations (lockknife crack password-rules)
  • πŸ”¬ Device-side PIN recovery pipeline (lockknife crack pin-device) (device-dependent)
  • πŸ”¬ Gesture recovery (lockknife crack gesture) (device-dependent)
  • πŸ”¬ WiFi password extraction (lockknife crack wifi) (often requires root)
  • πŸ”¬ Keystore listing (lockknife crack keystore) (often requires root)
  • πŸ”¬ Passkey artifact export (lockknife crack passkeys) (Android 14+, device-dependent)

Extraction

  • πŸ”§ SMS / Contacts / Call logs (lockknife extract sms|contacts|call-logs)
  • πŸ”§ Browser artifacts (Chrome/Firefox history/bookmarks/downloads/cookies/saved logins)
  • πŸ”¬ Messaging artifacts (WhatsApp/Telegram), with device constraints
  • πŸ”¬ Signal message extraction (limited by SQLCipher encryption and key availability)
  • πŸ”§ Media extraction with EXIF
  • πŸ”§ Location artifacts and dumpsys snapshot parsing
  • πŸ”¬ lockknife extract all evidence directory (best-effort; produces errors manifest when datasets fail)

Forensics

  • πŸ”¬ Device snapshotting (lockknife forensics snapshot) (full coverage may require root)
  • βœ… SQLite inspection + bulk extraction (lockknife forensics sqlite) (Rust-accelerated)
  • βœ… Timeline building (lockknife forensics timeline)
  • πŸ”§ ALEAPP-style artifact normalization/export (lockknife forensics parse)
  • βœ… Cross-artifact correlation (lockknife forensics correlate) (Rust-assisted)
  • πŸ”¬ Deleted record recovery heuristics (lockknife forensics recover) (best-effort)

Reporting

  • πŸ”§ HTML/JSON/CSV reporting (lockknife report generate)
  • πŸ”‘ PDF reporting (lockknife report generate --format pdf) (requires weasyprint or xhtml2pdf)
  • πŸ”§ Chain of custody (lockknife report chain-of-custody)
  • πŸ”§ Case integrity verification (lockknife report integrity)

APK Analysis

  • πŸ”‘ Manifest parsing and metadata extraction (requires lockknife[apk])
  • πŸ”‘ Permission risk scoring and heuristic vulnerability checks
  • βœ… DEX header extraction from APK (Rust)
  • πŸ”¬ "Decompile" (APK unpack + manifest.json; not full source decompilation)
  • πŸ”§ YARA / pattern scanning (lockknife apk scan)

Runtime Instrumentation

  • πŸ”‘ Frida session management and script loading (requires lockknife[frida] + Frida server)
  • πŸ”¬ Bypass and tracing workflows (device/app dependent)
  • πŸ”¬ Memory/heap utilities (device/app dependent)

Network

  • πŸ”¬ Device capture (lockknife network capture) (root + tcpdump)
  • πŸ”‘ PCAP analysis and API endpoint discovery (requires lockknife[network])
  • βœ… Rust helpers for parsing primitives (IPv4)

Security

  • πŸ”§ Device posture audit and checks (lockknife security scan)
  • πŸ”§ SELinux and bootloader/hardware checks (device dependent)
  • πŸ”§ Malware scanning (Rust pattern engine)
  • πŸ”§ OWASP MASTG mapping helpers (lockknife security owasp)

Exploitation Framework

  • πŸ”‘ Wireless Device Exploitation (lockknife exploit ...) (requires lockknife[exploitation])
- ADB over TCP: Network scanning, connection, shell access, logical/physical data extraction - Bluetooth: Classic + BLE discovery, fingerprinting, GATT client, pairing manager, RFCOMM service discovery, BlueBorne/KNOB/Blurtooth PoCs - WiFi: Network scanning, WPS attacks, WPA handshake capture and cracking (Rayon-accelerated), rogue AP deployment using hostapd/dnsmasq, P2P exploitation, MITM attacks - Zero-Click: CVE intelligence management, payload generation, exploit chain automation, vulnerability fingerprinting - USB Debugging: Lock screen bypass, ADB backup creation/extraction/analysis, content provider access, intent injection - Hotspot Exploitation: Android tethering detection using iwlist, gateway exploitation, MITM traffic interception
  • πŸ”‘ Authorization Framework: Exploit authorization controls, lab mode, case tracking, audit trails
  • πŸ”‘ Auto-Exploitation: Automatic vector selection, multi-vector orchestration, exploit chain automation

Integrations (Optional Extras)

  • πŸ”‘ Threat intelligence (lockknife intel ...) (requires lockknife[threat-intel] + API keys)
  • πŸ”‘ AI/ML workflows (lockknife ai ...) (requires lockknife[ml])
  • πŸ”§ Crypto wallet forensics (lockknife crypto-wallet ...) (data/network dependent)

Requirements

  • OS: macOS, Linux, Windows (WSL)
  • Python: 3.11+
  • ADB: Android platform-tools (adb)
  • Rust: required to build the native extension from source
  • Device constraints: some features require root/userdebug builds or app-specific DB access

Configuration

LockKnife looks for configuration files in the following locations (in order):

  • ./lockknife.toml
  • $HOME/.config/lockknife/lockknife.toml
  • $HOME/.lockknife.toml
  • /etc/lockknife.toml
Legacy lockknife.conf is also supported and auto-mapped for a small set of keys.

Example lockknife.toml:

[lockknife]
log_level = "INFO"
log_format = "console"
adb_path = "adb"

Disclaimer

LockKnife : The Ultimate Android Security Research Tool is developed for research and educational purposes. It should be used responsibly and in compliance with all applicable laws and regulations. The developer of this tool is not responsible for any misuse or illegal activities conducted with this tool.

Password recovery tools should only be used for legitimate purposes and with proper authorization. Using such tools without proper authorization is illegal and a violation of privacy. Ensure proper authorization before using LockKnife for password recovery or data extraction. Always adhere to ethical hacking practices and comply with all applicable laws and regulations.

License

This project is licensed under the GPL-3.0-only License.

Happy Android Security Research with LockKnife! πŸ”’πŸ’«

πŸ”— More in this category

Β© 2026 GitRepoTrend Β· ImKKingshuk/LockKnife Β· Updated daily from GitHub