What is Z.R.A.K.?

Z.R.A.K. (Zone Recon & Analysis Kit) is an Android application that provides real-time visibility into the wireless environment around you. It scans WiFi networks, Bluetooth devices, and local network devices, detects threats, and maintains a persistent history with geographic mapping.

All processing happens entirely on the device. No data is ever transmitted to any external server. Think of it as a flashlight for the invisible digital world — it reveals what exists without forcing any action.

For educators: Z.R.A.K. is designed to be used as a teaching tool. Basic Mode hides technical complexity, making it accessible for students. Advanced Mode exposes full details for deeper analysis. Both modes are safe — the app only observes, it never attacks or modifies any network.

Quick Facts

  • Free Android app (Android 12+)
  • 260+ built-in security tools
  • 100% on-device processing
  • No cloud, no tracking, no accounts
  • Basic Mode for beginners, Advanced for power users
  • SOC Mode for continuous monitoring
  • Export reports in JSON, CSV, Markdown, PDF
  • Built with Kotlin & Jetpack Compose

Two Operational Modes

Hands-on Investigation

RECON Mode

The default mode for active scanning and investigation. Seven tabs give access to:

  • Overview — Dashboard with network status and threat summary
  • WiFi — Nearby access points, connected network details, signal analysis
  • Bluetooth — BLE and Classic device scanning with risk scoring
  • Map — Geographic visualization of discovered devices and networks
  • Events — Chronological security event log with threat levels
  • Analyzer — Deep security analysis with threat scoring
  • Tools — Full toolkit of 260+ specialized security tools

Continuous Monitoring

SOC Mode

Security Operations Center mode for passive, continuous monitoring. Five tabs provide:

  • Environment — Situational awareness: location, mobility, RF density
  • Command — Live metrics dashboard with real-time counters
  • Inventory — Environmental integrity and baseline drift detection
  • Live Map — Network topology as an interactive force-directed graph
  • Operations — Incident correlation, severity scoring, evidence trails

SOC mode implements a 5-phase architecture: Ingestion, Autonomy (VoI engine), Integrity (drift detection), Cortex (orchestration), and Environment (situational awareness).

Device Recommendations for Classrooms

What works best depends on your budget and goals

Z.R.A.K. device compatibility tiers for classroom use

Tier   | Device                     | Experience                                                  | Best For
-------|----------------------------|-------------------------------------------------------------|---------------------------------------
Tier 4 | Rooted Google Pixel (6+)   | Full capability — all 260+ tools at maximum                 | Dedicated lab setups, advanced classes
Tier 2 | Google Pixel (non-rooted)  | Most tools work as designed, clean AOSP behavior            | Best balance for classroom use
Tier 1 | Other Android (non-rooted) | Functional but vendor modifications may limit some features | BYOD scenarios, basic demonstrations

Minimum requirement: Android 12 (API 31) or newer. For classroom demonstrations, a single Google Pixel device is sufficient. For hands-on student labs, any Android 12+ device will work for the core WiFi and Bluetooth scanning exercises.

Key Capabilities

What students can explore with Z.R.A.K.

  • Detect ARP spoofing and man-in-the-middle attacks on local WiFi
  • Monitor for unauthorized port scanning via honeypot listeners
  • Track gateway MAC changes indicating network-level attacks
  • Detect evil twin / rogue access points via SSID and security analysis
  • Identify DNS spoofing by comparing system DNS against trusted resolvers
  • Monitor for rogue DHCP servers and DNS configuration changes
  • Validate TLS certificates (expiry, self-signed, CN mismatch, weak keys)
  • Establish network baselines and detect drift (new, missing, or changed devices)
  • Enumerate all devices on the local subnet (IP, MAC, hostname, vendor, OS fingerprint)
  • Catalog nearby WiFi APs with security type, signal strength, and location
  • Scan for Bluetooth Classic and BLE devices with manufacturer ID and service UUIDs
  • Active port scanning and service banner grabbing on discovered devices
  • mDNS and SSDP service discovery
  • Persistent history across sessions with device annotation
  • Detect devices exhibiting tracker-like behavior (consistent RSSI, long duration)
  • Score Bluetooth device risk based on behavioral factors
  • Alert on unsolicited pairing attempts from unknown devices
  • Random MAC address detection for identifying hidden trackers
  • Geo-tag WiFi networks and Bluetooth devices with GPS coordinates
  • Visualize device density and signal coverage on interactive maps
  • Build signal strength heatmaps of surveyed areas
  • Estimate WiFi AP physical locations using weighted centroid trilateration
  • WiFi channel congestion visualization across 2.4 GHz and 5 GHz bands
  • Network topology as interactive force-directed graph
  • Chronological security event log with threat scoring and confidence levels
  • Event timeline visualization with stacked threat-level charts
  • Structured incident reports in Markdown
  • Export in JSON, CSV, Markdown, PDF, CEF (ArcSight), Syslog (RFC 5424)
  • Full database backup and restore
  • Historical trend analytics (events/day, threats/day, device discovery rates)
  • 100% on-device processing — no data transmitted externally
  • No cloud services, no accounts, no telemetry
  • No monitor mode WiFi — uses only standard Android scan APIs
  • No raw sockets, iptables, or packet interception
  • No custom ROMs or kernels required
  • Observation only — the app never modifies any network
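The baseline-and-drift capability above (new, missing, or changed devices) together with gateway MAC change tracking is easy to reason about with a small worked example. The following Python is an added illustration written for this page, not Z.R.A.K.'s own Kotlin code; the inventory records and addresses are constructed sample values, and the severity ranking is an assumption, not the app's scoring.

```python
# Constructed sample inventories in the shape the page describes for subnet
# enumeration: IP -> {mac, hostname, vendor}. All values are made up.
BASELINE = {
    "192.168.1.1":  {"mac": "aa:bb:cc:00:00:01", "hostname": "gateway",   "vendor": "VendorA"},
    "192.168.1.20": {"mac": "aa:bb:cc:00:00:20", "hostname": "printer",   "vendor": "VendorB"},
    "192.168.1.42": {"mac": "aa:bb:cc:00:00:42", "hostname": "student-a", "vendor": "VendorC"},
}

CURRENT_SCAN = {
    "192.168.1.1":  {"mac": "de:ad:be:ef:00:01", "hostname": "gateway",   "vendor": "Unknown"},  # gateway MAC differs
    "192.168.1.42": {"mac": "aa:bb:cc:00:00:42", "hostname": "student-a", "vendor": "VendorC"},
    "192.168.1.77": {"mac": "aa:bb:cc:00:00:77", "hostname": "",          "vendor": "VendorD"},  # not in baseline
}


def detect_drift(baseline, current, gateway_ip):
    """Compare a fresh scan against the stored baseline.

    Returns the new and missing IPs, a list of (ip, {field: (old, new)}) for
    hosts whose attributes changed, and a flag for a changed gateway MAC, which
    the page lists as an indicator of a network-level attack such as ARP spoofing.
    """
    new = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    changed = []
    for ip in sorted(set(baseline) & set(current)):
        diffs = {k: (baseline[ip][k], current[ip].get(k))
                 for k in baseline[ip] if baseline[ip][k] != current[ip].get(k)}
        if diffs:
            changed.append((ip, diffs))
    gateway_mac_changed = (gateway_ip in baseline and gateway_ip in current
                           and baseline[gateway_ip]["mac"] != current[gateway_ip]["mac"])
    return {"new": new, "missing": missing, "changed": changed,
            "gateway_mac_changed": gateway_mac_changed}


def severity(report):
    """Assumed ranking: gateway MAC change outranks any other drift."""
    if report["gateway_mac_changed"]:
        return "HIGH"
    if report["changed"]:
        return "MEDIUM"
    if report["new"] or report["missing"]:
        return "LOW"
    return "NONE"


if __name__ == "__main__":
    report = detect_drift(BASELINE, CURRENT_SCAN, "192.168.1.1")
    print(severity(report), report)
```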

Basic & Advanced Mode

Progressive disclosure for different skill levels

Recommended for new students

Basic Mode

Hides technical complexity for a clean, accessible interface:

  • Signal shown as labels (Excellent/Good/Fair/Weak)
  • MAC addresses and BSSIDs hidden
  • Frequency, channel, TTL, OS fingerprints hidden
  • Threat scores and confidence levels hidden
  • Clean cards focused on what matters

For experienced students

Advanced Mode

Full technical detail for deeper analysis:

  • dBm values, BSSID, MAC addresses visible
  • TTL, OS fingerprints, frequency/channel data
  • Threat scores, confidence badges, risk scores
  • Device trust states (Trusted/Known/Unknown/Suspicious)
  • Derived metrics: event rate, threat density, RSSI volatility

Classroom Setup Checklist

  1. Use Android 12 or newer devices (required)
  2. Google Pixel recommended but any Android 12+ works
  3. Install Z.R.A.K. from the app store
  4. Disable battery optimization for Z.R.A.K. in device settings
  5. Grant all requested permissions (WiFi, Bluetooth, Location, Phone State)
  6. Start in Basic Mode for introductory lessons
  7. Switch to Advanced Mode as students progress
  8. Root access is optional — enhances MAC discovery and ARP tools but is not required for most labs