LockKnife is a unified toolkit for Android security research and forensics, offering both a case-driven TUI workspace and a headless CLI. It orchestrates extraction, credential recovery, APK analysis, runtime instrumentation, and reporting from a single modular framework, powered by Python with a Rust-accelerated core. It targets modern Android (including passkey artifacts on Android 14+ and Private Space on Android 15+).
Authorized use only. Credential recovery and runtime instrumentation are powerful and legally sensitive. Use LockKnife strictly on devices and apps you own or are explicitly authorized to test. Unauthorized access is illegal.
Requirements
- ADB (Android Debug Bridge) installed and on PATH
- USB debugging enabled on the target device (or an emulator)
- Python 3.x; Frida for runtime instrumentation features
Installation
| Method | Command |
|---|
| pip | pip install lockknife |
| From source | git clone https://github.com/ImKKingshuk/LockKnife && cd LockKnife && pip install -e . |
| Launch TUI | lockknife |
| Headless CLI | lockknife --help |
Modes
| Mode | Use |
|---|
| TUI workspace | Case-driven interactive investigation |
| Headless CLI | Scriptable/automated tasks and pipelines |
Device & Case Basics
| Command | Description |
|---|
adb devices | Confirm the device is connected first |
lockknife case new <name> | Create an investigation case |
lockknife case list | List cases |
lockknife device info | Show device/build/security details |
lockknife extract | Pull artifacts into the current case |
APK Analysis
| Command | Description |
|---|
lockknife apk analyze app.apk | Static analysis of an APK |
lockknife apk manifest app.apk | Dump the AndroidManifest |
lockknife apk permissions app.apk | List requested permissions |
lockknife apk strings app.apk | Extract strings/secrets |
lockknife apk certs app.apk | Inspect signing certificates |
Runtime Instrumentation (Frida)
| Command | Description |
|---|
lockknife runtime hook <package> | Attach and hook a running app |
lockknife runtime bypass-ssl <package> | SSL pinning bypass (authorized testing) |
lockknife runtime dump-mem <package> | Dump process memory |
lockknife runtime trace <package> | Trace API calls |
Artifact & Credential Forensics
| Command | Description |
|---|
lockknife artifacts scan | Scan pulled data for credentials/tokens |
lockknife artifacts passkeys | Analyze passkey artifacts (Android 14+) |
lockknife artifacts private-space | Inspect Private Space (Android 15+) |
lockknife report | Generate a case report |
Common Workflows
# Authorized assessment: open a case, pull artifacts, analyze an APK
adb devices
lockknife case new pentest-2026
lockknife extract
lockknife apk analyze target.apk
# Dynamic testing on an app you're authorized to assess
lockknife runtime hook com.example.target
lockknife runtime trace com.example.target
# Produce a report for the case
lockknife report --case pentest-2026 --format pdf
| Aspect | LockKnife | objection | MobSF |
|---|
| Interface | TUI + CLI | Frida REPL | Web UI |
| Scope | Research + forensics + recovery | Runtime exploration | Static + dynamic analysis |
| Case management | Yes | No | Reports |
| Best for | End-to-end Android research | Quick runtime hooking | App security assessment |
Resources