LockKnife - Android Security Research Toolkit Cheatsheet

LockKnife is a unified toolkit for Android security research and forensics, offering both a case-driven TUI workspace and a headless CLI. It orchestrates extraction, credential recovery, APK analysis, runtime instrumentation, and reporting from a single modular framework, powered by Python with a Rust-accelerated core. It targets modern Android (including passkey artifacts on Android 14+ and Private Space on Android 15+).

Authorized use only. Credential recovery and runtime instrumentation are powerful and legally sensitive. Use LockKnife strictly on devices and apps you own or are explicitly authorized to test. Unauthorized access is illegal.

Requirements

  • ADB (Android Debug Bridge) installed and on PATH
  • USB debugging enabled on the target device (or an emulator)
  • Python 3.x; Frida for runtime instrumentation features

Installation

| Method | Command |
| --- | --- |
| pip | `pip install lockknife` |
| From source | `git clone https://github.com/ImKKingshuk/LockKnife && cd LockKnife && pip install -e .` |
| Launch TUI | `lockknife` |
| Headless CLI | `lockknife --help` |

Modes

| Mode | Use |
| --- | --- |
| TUI workspace | Case-driven interactive investigation |
| Headless CLI | Scriptable/automated tasks and pipelines |

Device & Case Basics

| Command | Description |
| --- | --- |
| `adb devices` | Confirm the device is connected first |
| `lockknife case new <name>` | Create an investigation case |
| `lockknife case list` | List cases |
| `lockknife device info` | Show device/build/security details |
| `lockknife extract` | Pull artifacts into the current case |

APK Analysis

| Command | Description |
| --- | --- |
| `lockknife apk analyze app.apk` | Static analysis of an APK |
| `lockknife apk manifest app.apk` | Dump the AndroidManifest |
| `lockknife apk permissions app.apk` | List requested permissions |
| `lockknife apk strings app.apk` | Extract strings/secrets |
| `lockknife apk certs app.apk` | Inspect signing certificates |

Runtime Instrumentation (Frida)

| Command | Description |
| --- | --- |
| `lockknife runtime hook <package>` | Attach and hook a running app |
| `lockknife runtime bypass-ssl <package>` | SSL pinning bypass (authorized testing) |
| `lockknife runtime dump-mem <package>` | Dump process memory |
| `lockknife runtime trace <package>` | Trace API calls |

Artifact & Credential Forensics

| Command | Description |
| --- | --- |
| `lockknife artifacts scan` | Scan pulled data for credentials/tokens |
| `lockknife artifacts passkeys` | Analyze passkey artifacts (Android 14+) |
| `lockknife artifacts private-space` | Inspect Private Space (Android 15+) |
| `lockknife report` | Generate a case report |

Common Workflows

# Authorized assessment: open a case, pull artifacts, analyze an APK
adb devices
lockknife case new pentest-2026
lockknife extract
lockknife apk analyze target.apk

# Dynamic testing on an app you're authorized to assess
lockknife runtime hook com.example.target
lockknife runtime trace com.example.target

# Produce a report for the case
lockknife report --case pentest-2026 --format pdf
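
A preflight gate for the `adb devices` step of the workflow above, added here as an example and not part of LockKnife: it parses `adb devices` output and succeeds only when exactly one device is in the `device` state, so a case is never opened against the wrong or an unauthorized handset. The function names and the sample serials are made up for illustration.

```shell
#!/bin/sh
# Added example (not LockKnife code): gate the workflow on `adb devices`.

# Read `adb devices` output on stdin and print the serials whose state is
# exactly "device" (online and authorized). The header line, daemon notices
# and states such as "unauthorized" or "offline" never match.
ready_serials() {
    awk 'NF == 2 && $2 == "device" { print $1 }'
}

# Read `adb devices` output on stdin.
# Prints the serial and returns 0 when exactly one device is ready.
# Returns 1 when none is ready, 2 when the target is ambiguous.
select_target() {
    serials=$(ready_serials)
    count=$(printf '%s\n' "$serials" | awk 'NF { n++ } END { print n + 0 }')
    case "$count" in
        1)
            printf '%s\n' "$serials"
            return 0
            ;;
        0)
            echo "no authorized device: check the cable and accept the USB debugging prompt" >&2
            return 1
            ;;
        *)
            # ANDROID_SERIAL is adb's own variable for choosing a device.
            echo "$count devices ready: set ANDROID_SERIAL so adb targets one" >&2
            return 2
            ;;
    esac
}

# Demo on constructed output (serials are invented). On a real host:
#   adb devices | select_target && lockknife case new pentest-2026
printf 'List of devices attached\nemulator-5554\tdevice\nR58M000TEST\tunauthorized\n\n' \
    | select_target
```

Recording the serial that `select_target` prints in the case notes ties the extracted artifacts to one specific device.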

LockKnife vs Other Mobile Tools

| Aspect | LockKnife | objection | MobSF |
| --- | --- | --- | --- |
| Interface | TUI + CLI | Frida REPL | Web UI |
| Scope | Research + forensics + recovery | Runtime exploration | Static + dynamic analysis |
| Case management | Yes | No | Reports |
| Best for | End-to-end Android research | Quick runtime hooking | App security assessment |

Resources