LockKnife : The Ultimate Android Security Research Tool - Your Complete Android Security Research Arsenal!

Dive deep into Android security with this next-generation enterprise-grade command-line tool featuring AI-powered analysis, cryptocurrency wallet forensics, threat intelligence integration, Android 16 support, and 20+ specialized modules. Recover lock screen credentials, perform AI-driven behavior analysis, analyze crypto wallets, detect threats with real-time intelligence, extract Private Space data (Android 15+), analyze passkeys (Android 14+), orchestrate multi-device investigations, generate professional forensic reports, and conduct cutting-edge security research. Connect your device and unleash the full power of advanced Android security research!
| Tag | Meaning |
|---|---|
| ✅ | Fully Working - Feature is complete and operational |
| 🔧 | Functional - Core functionality works, with some limitations |
| 🔬 | Partial - Basic implementation, results may be incomplete |
| 🚧 | Coming Soon - Placeholder/under development |
- Gesture Pattern Recovery ✅: Recover lock screen gesture patterns with hash mapping and visualization
- Dictionary Attack ✅: Use custom wordlists to recover alphanumeric passwords with parallel processing support
- Brute Force Attack ✅: PIN cracking for 4, 6, or 8-digit PINs with progress tracking
- Wi-Fi Password Extraction ✅: Recover saved WiFi passwords from WifiConfigStore.xml
- Locksettings Database Analysis ✅: Extract and analyze locksettings.db for newer Android versions
- Gatekeeper HAL Analysis ✅: Modern credential storage analysis and response monitoring

- Android 5 and Older ✅
- Android 6 to 9 ✅
- Android 10 to 13 ✅
- Android 14 (Credential Manager detection) 🔧
- Android 15 (Private Space detection) 🔧
- Android 16+ (Full compatibility mode) 🔧

- SMS Messages Extraction ✅: Pull and analyze mmssms.db with statistics
- Call Logs Extraction ✅: Full call history with type classification
- Wi-Fi Passwords ✅: Complete WiFi credential extraction
- WhatsApp Data ✅: Extract msgstore.db, contacts, and media files
- Telegram Data ✅: Database and configuration extraction
- Signal Data 🔧: Extraction support (limited by SQLCipher encryption)
- Browser Data ✅: Chrome, Firefox, Brave, Edge history, cookies, and credentials
- Bluetooth Pairing Keys ✅: Extract Bluetooth configuration and paired devices

- Device Snapshot Creation ✅: Capture file system for offline analysis
- Live Analysis ✅: Real-time device state analysis
- Custom Data Extraction ✅: Pull specific files or directories
- SQLite Database Analysis ✅: Extract and analyze any database
- Search Functionality ✅: Find sensitive information in snapshots
- App-Specific Extraction ✅: Specialized tools for popular messaging apps

- Process Monitoring 🔧: Real-time process listing and analysis
- Memory Mapping 🔧: Process memory inspection
- Frida Integration 🔬: Runtime instrumentation (requires Frida server on device)
- Anti-Debugging Detection 🔬: Identify debugging attempts

- Certificate Pinning Detection 🔧: Identify SSL pinning implementations
- Frida SSL Bypass 🔬: Runtime SSL bypass scripts (requires Frida)
- Network Interception Setup 🔧: MITM proxy configuration
- Burp Suite Integration 🔧: Proxy setup guidance

- Static Analysis ✅: Manifest parsing, permission analysis, resource inspection
- Code Analysis 🔧: DEX/SMALI inspection (requires external tools)
- Vulnerability Scanning 🔧: Automated security checks
- Malware Indicators 🔧: Suspicious pattern detection
- Signature Verification ✅: APK signature validation

- Traffic Capture ✅: Record network traffic with tcpdump (requires root)
- Protocol Analysis ✅: Analyze with tshark integration
- HTTP/DNS Analysis ✅: Request and query extraction
- Unencrypted Traffic Detection ✅: Identify insecure communications

- Memory Dumping 🔬: Process memory extraction (requires root)
- Memory Leak Detection 🔬: Basic allocation analysis
- Heap/Stack Analysis 🔬: Memory inspection capabilities

- Kernel Module Analysis 🔧: Inspect loaded modules
- SELinux Policy Analysis 🔧: Review security policies
- Security Feature Assessment 🔧: Evaluate hardening status
- AVC Denial Monitoring 🔧: Track access denials

- Application Scanning ✅: Check installed apps for suspicious indicators
- Permission Analysis ✅: Identify dangerous permission combinations
- Package Analysis ✅: Verify app signatures and sources
- System File Scanning 🔧: Check for compromised system files
- Network Malware Detection 🔧: Analyze connections for malicious activity
- YARA Integration 🔬: Pattern matching (requires YARA installation)

- System Vulnerabilities 🔧: Check for known Android security issues
- App Vulnerabilities 🔧: Analyze installed apps for flaws
- Configuration Issues 🔧: Identify insecure settings

- TEE Analysis 🔧: Trusted Execution Environment assessment
- Hardware-Backed Keystore 🔧: Secure key storage analysis
- Secure Element Analysis 🔬: eSE/UICC evaluation
- Biometric Hardware 🔧: Fingerprint/face recognition assessment

- Bootloader Assessment ✅: Lock status and OEM unlock detection
- Firmware Extraction 🔧: Partition dumping capabilities
- Boot Image Analysis 🔬: Inspect boot images
- Verified Boot Status ✅: Check integrity verification

- Google Drive 🔬: Synced data detection (limited extraction)
- Samsung Cloud 🔬: Samsung account detection
- Cloud Configuration 🔧: Backup settings analysis

🔬 Note: These features are newly added and provide foundational analysis capabilities. As they are under active development, results may be incomplete. Some features generate reports based on available data analysis.

- Password Pattern Prediction 🔧: Statistical analysis-based password guessing
- Behavioral Anomaly Detection 🔧: Process and network anomaly identification
- Malware Classification 🔧: Pattern-based risk scoring
- User Activity Analysis 🔬: App usage pattern detection
- Security Assessment 🔬: Risk forecasting and posture evaluation
- Data Correlation 🔬: Cross-reference extracted data

- Wallet Detection ✅: Identify crypto wallet apps (Coinbase, Binance, MetaMask, etc.)
- Wallet Data Extraction 🔧: Extract wallet app data (requires root)
- Transaction History 🔬: Transaction data analysis
- Seed Phrase Recovery 🔬: Attempt recovery (heavily encrypted)
- Private Key Extraction 🔬: Key extraction attempts
- Exchange App Analysis 🔧: Forensics for exchange applications
- NFT & DeFi Analysis 🔬: Token and protocol detection

- IOC Detection 🔧: Indicators of Compromise identification
- App Reputation Analysis 🔧: Check apps against threat databases
- URL/Domain Analysis 🔬: Domain reputation (requires API keys)
- File Hash Lookup 🔬: VirusTotal integration (requires API key)
- IP Reputation 🔬: IP address checking
- CVE Vulnerability Check 🔬: Known vulnerability detection
- Real-Time Threat Feeds 🔬: Integration with VirusTotal, AlienVault OTX (requires API keys)

- Private Space Detection ✅: Identify Private Space usage
- User Profile Analysis ✅: Detect multiple isolated profiles
- Private App Listing 🔧: List apps in Private Space
- Data Extraction 🔧: Extract from isolated profiles (requires root)
- Security Analysis 🔧: Assess Private Space implementation
- Isolation Boundary Testing 🔬: Test app isolation

- Credential Manager Detection ✅: Identify modern credential storage
- Passkey Data Extraction 🔧: Extract passkey metadata (requires root)
- WebAuthn Analysis 🔧: Analyze web authentication credentials
- FIDO2 Support 🔬: Security key detection
- Biometric Binding 🔬: Analyze passkey-biometric associations

- Device Scanning ✅: Detect all connected devices
- Parallel Information Gathering ✅: Simultaneous data collection
- Synchronized Extraction 🔧: Parallel data extraction
- Cross-Device Correlation 🔬: Find relationships between devices
- Comparative Analysis 🔬: Compare security postures
- Multi-Device Timeline 🔬: Unified event reconstruction

- Executive Summary ✅: High-level reports for stakeholders
- Technical Reports ✅: Detailed technical analysis
- Timeline Reports 🔧: Event timeline reconstruction
- Security Assessment Reports ✅: Comprehensive security reports
- Evidence Collection Reports ✅: Chain of custody documentation
- Compliance Reports 🔬: GDPR, HIPAA (template-based)
- Multiple Formats 🔬: PDF/HTML export (requires pandoc)
- Live device activity monitoring
- Process activity dashboards
- Network traffic visualization
- System resource tracking
- Alert notifications
- Detect connected IoT devices
- Bluetooth LE device scanning
- Smart home protocol analysis
- IoT communication monitoring
- Security assessment
- Install community plugins
- Browse plugin marketplace
- Custom plugin development
- Plugin security scanning
- Auto-update capability
- Operating System: macOS, Linux, Windows (WSL)
- Shell: Bash-compatible environment
- Android Device: ADB debugging enabled

Required:
- ADB (Android Debug Bridge)
- Android SDK Platform-Tools
- openssl for encryption features

Recommended:
- sqlite3 for database analysis (Android 10+)
- GNU Parallel for faster attacks
- tshark for network analysis
- Root access on device for advanced features

Memory Analysis:
- gdb/lldb for debugging capabilities
- valgrind for memory leak detection

Kernel Analysis:
- Kernel headers for inspection
- SELinux policy tools

Malware Analysis:
- ClamAV or similar antivirus
- YARA for pattern matching

Network Analysis:
- tcpdump for traffic capture
- nmap for network scanning

Threat Intelligence:
- VirusTotal API key
- AlienVault OTX API key

Reports:
- pandoc for PDF/HTML export
To use LockKnife : The Ultimate Android Security Research Tool, follow these steps:

1. Connect your Android device to your computer with USB debugging enabled.

2. Run the following command in your terminal:

```bash
bash -c "$(curl -fsSL https://raw.githubusercontent.com/ImKKingshuk/LockKnife/main/LockKnife.sh)"
```

   For advanced debugging and verbose output, use:

```bash
bash -c "$(curl -fsSL https://raw.githubusercontent.com/ImKKingshuk/LockKnife/main/LockKnife.sh)" -- --debug
```

   To create a default configuration file:

```bash
bash -c "$(curl -fsSL https://raw.githubusercontent.com/ImKKingshuk/LockKnife/main/LockKnife.sh)" -- --create-config=~/.config/lockknife/lockknife.conf
```

3. Follow the on-screen prompts to select your device and choose the desired features.
LockKnife looks for configuration files in the following locations (in order):

1. `./lockknife.conf` (current directory)
2. `$HOME/.config/lockknife/lockknife.conf` (user config directory)
3. `/etc/lockknife.conf` (system-wide config)

You can also specify a custom config file using the `--config=FILE` command-line option.
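The lookup order above is easy to get subtly wrong in a script (for example, silently falling back to a system-wide file when an explicit `--config=FILE` path has a typo). The function below is an added example, not LockKnife's own code: it resolves the search order exactly as listed, treats an explicit `--config=FILE` as authoritative, and additionally skips a candidate that is world-writable. That permission check, and the function name `lockknife_resolve_config`, are this example's own choices, not documented LockKnife behaviour; they are there because a config file anyone on the host can edit is also a place where API keys, wordlist paths and output directories can be altered for a run.

```shell
#!/usr/bin/env bash
# Added example (not LockKnife's own code): resolve which configuration
# file to load, using the precedence the README describes:
#   1. --config=FILE on the command line (explicit override)
#   2. ./lockknife.conf                       (current directory)
#   3. $HOME/.config/lockknife/lockknife.conf (user config directory)
#   4. /etc/lockknife.conf                    (system-wide config)
# Prints the winning path on stdout and returns 0, or returns 1 if no
# usable file exists. The function name and the world-writable check are
# assumptions of this example, not behaviour documented for LockKnife.

lockknife_resolve_config() {
    local explicit="" arg candidate others

    # Scan the arguments for an explicit override.
    for arg in "$@"; do
        case "$arg" in
            --config=*) explicit="${arg#--config=}" ;;
        esac
    done

    if [ -n "$explicit" ]; then
        # An explicit path must exist: quietly falling back to another file
        # would let a mistyped path load settings the operator never chose.
        if [ -f "$explicit" ]; then
            printf '%s\n' "$explicit"
            return 0
        fi
        printf 'config not found: %s\n' "$explicit" >&2
        return 1
    fi

    for candidate in "./lockknife.conf" \
                     "${HOME:-/nonexistent}/.config/lockknife/lockknife.conf" \
                     "/etc/lockknife.conf"; do
        [ -f "$candidate" ] || continue
        # Character 9 of `ls -ld` output is the "other" write bit; a config
        # that any local user can rewrite is skipped rather than trusted.
        others=$(ls -ld "$candidate" | cut -c9)
        if [ "$others" = "w" ]; then
            printf 'skipping world-writable config: %s\n' "$candidate" >&2
            continue
        fi
        printf '%s\n' "$candidate"
        return 0
    done

    printf 'no configuration file found\n' >&2
    return 1
}

# Usage (stand-alone): print the resolved path for the current shell's
# arguments, e.g.  ./resolve.sh --config=/path/to/lockknife.conf
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    lockknife_resolve_config "$@"
fi
```

Because the function only prints the chosen path, it can be wired in front of any loader: `conf=$(lockknife_resolve_config "$@") || exit 1` and then source or parse `$conf`.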
See lockknife.conf for all 100+ configurable options including:
- Attack settings (wordlist, parallel jobs, PIN length)
- Forensics settings (snapshot directories, PCAP filters)
- App-specific extraction options
- Advanced analysis depth settings
- Threat intelligence API keys
- Report generation preferences
LockKnife : The Ultimate Android Security Research Tool is developed for research and educational purposes. It should be used responsibly and in compliance with all applicable laws and regulations. The developer of this tool is not responsible for any misuse or illegal activities conducted with this tool.
Password recovery tools should only be used for legitimate purposes and with proper authorization. Using such tools without proper authorization is illegal and a violation of privacy. Ensure proper authorization before using LockKnife for password recovery or data extraction. Always adhere to ethical hacking practices and comply with all applicable laws and regulations.
This project is licensed under the GPL-3.0-or-later License.