Merge pull request #1122 from HackTricks-wiki/update_Shizuku__Unlocking_Advanced_Android_Capabilities_W_20250714_124632

Shizuku Unlocking Advanced Android Capabilities Without Root
2025-10-10 18:36:50 +00:00 · 2025-07-15 12:41:27 +02:00 · 2025-07-15 12:41:27 +02:00 · fe6cf11722
commit fe6cf11722
parent 89503b1c9d 10b6790c7a
3 changed files with 129 additions and 0 deletions
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@ -337,6 +337,7 @@
  - [Manual DeObfuscation](mobile-pentesting/android-app-pentesting/manual-deobfuscation.md)
  - [React Native Application](mobile-pentesting/android-app-pentesting/react-native-application.md)
  - [Reversing Native Libraries](mobile-pentesting/android-app-pentesting/reversing-native-libraries.md)
+  - [Shizuku Privileged Api](mobile-pentesting/android-app-pentesting/shizuku-privileged-api.md)
  - [Smali - Decompiling, Modifying, Compiling](mobile-pentesting/android-app-pentesting/smali-changes.md)
  - [Spoofing your location in Play Store](mobile-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md)
  - [Tapjacking](mobile-pentesting/android-app-pentesting/tapjacking.md)
--- a/src/mobile-pentesting/android-app-pentesting/README.md
+++ b/src/mobile-pentesting/android-app-pentesting/README.md
@ -25,6 +25,7 @@ Sometimes it is interesting to **modify the application code** to access **hidde
 ## Other interesting tricks

 - [Spoofing your location in Play Store](spoofing-your-location-in-play-store.md)
+- [Shizuku Privileged API (ADB-based non-root privileged access)](shizuku-privileged-api.md)
 - **Download APKs**: [https://apps.evozi.com/apk-downloader/](https://apps.evozi.com/apk-downloader/), [https://apkpure.com/es/](https://apkpure.com/es/), [https://www.apkmirror.com/](https://www.apkmirror.com), [https://apkcombo.com/es-es/apk-downloader/](https://apkcombo.com/es-es/apk-downloader/), [https://github.com/kiber-io/apkd](https://github.com/kiber-io/apkd)
 - Extract APK from device:

--- a/src/mobile-pentesting/android-app-pentesting/shizuku-privileged-api.md
+++ b/src/mobile-pentesting/android-app-pentesting/shizuku-privileged-api.md
@ -0,0 +1,127 @@
+# Shizuku Privileged API
+
+{{#include ../../banners/hacktricks-training.md}}
+
+Shizuku is an open–source service that **spawns a privileged Java process using `app_process`** and exposes selected **Android system APIs over Binder**.  
+Because the process is launched with the same **`shell` UID capabilities that ADB uses**, any application (or terminal) that binds to the exported AIDL interface can perform many actions that normally require **`WRITE_SECURE_SETTINGS`, `INSTALL_PACKAGES`, file I/O inside `/data`,** etc. – **without rooting the device**.
+
+Typical use cases:
+* Security auditing from an un-rooted handset
+* Removing bloatware / debloating system apps
+* Collecting logs, Wi-Fi keys, process and socket information for blue-team/DFIR
+* Automating device configuration from custom apps or shell scripts
+
+---
+## 1. Starting the privileged service
+
+`moe.shizuku.privileged.api` can be started in three different ways – the resulting Binder service behaves the same in all of them.
+
+### 1.1 Wireless ADB (Android 11+)
+1. Enable **Developer Options ➜ Wireless debugging** and pair the device.
+2. Inside the Shizuku app select **“Start via Wireless debugging”** and copy the pairing code.
+3. The service survives until the next reboot (wireless-debugging sessions are cleared on boot).
+
+### 1.2 USB / local ADB one-liner
+```bash
+adb push start.sh \
+  /storage/emulated/0/Android/data/moe.shizuku.privileged.api/
+
+# spawn the privileged process
+adb shell sh /storage/emulated/0/Android/data/moe.shizuku.privileged.api/start.sh
+```
+The same script can be executed over a **network ADB** connection (`adb connect <IP>:5555`).
+
+### 1.3 Rooted devices
+If the device is already rooted run:
+```bash
+su -c sh /data/adb/shizuku/start.sh
+```
+
+### 1.4 Verifying that it is running
+```bash
+adb shell dumpsys activity service moe.shizuku.privileged.api | head
+```
+A successful start returns `Running services (1)` together with the PID of the privileged process.
+
+---
+## 2. Binding from an application
+Third-party apps only need the following inside their `AndroidManifest.xml`:
+```xml
+<uses-permission android:name="moe.shizuku.manager.permission.API"/>
+```
+At runtime they obtain the binder:
+```java
+IBinder binder = ShizukuProvider.getBinder();
+IPackageManager pm  = IPackageManager.Stub.asInterface(binder);
+```
+From this moment the app can invoke any method that the **`shell` user** may call – for example :
+```java
+pm.installPackage(new Uri("file:///sdcard/app.apk"), null, 0, null);
+Settings.Global.putInt(resolver, Settings.Global.ADB_ENABLED, 1);
+```
+A curated list of more than **170 Shizuku-enabled apps** is maintained at [awesome-shizuku](https://github.com/timschneeb/awesome-shizuku).
+
+---
+## 3. Rish – elevated shell inside Termux
+The Shizuku settings screen exposes **“Use Shizuku in terminal apps”**. Enabling it downloads *rish* (`/data/local/tmp/rish`).
+
+```bash
+pkg install wget
+wget https://rikka.app/rish/latest -O rish && chmod +x rish
+
+# start elevated shell (inherits the binder connection)
+./rish
+whoami   #  ➜  shell
+id       #  uid=2000(shell) gid=2000(shell) groups=... context=u:r:shell:s0
+```
+
+### 3.1 Useful commands from the rish shell
+* List running processes of a given package:
+  ```bash
+  ps -A | grep com.facebook.katana
+  ```
+* Enumerate listening sockets and map them to packages (e.g. **CVE-2019-6447 ES File Explorer**):
+  ```bash
+  netstat -tuln
+  for pid in $(lsof -nP -iTCP -sTCP:LISTEN -t); do
+      printf "%s -> %s\n" "$pid" "$(cat /proc/$pid/cmdline)";
+  done
+  ```
+* Dump every application’s logs:
+  ```bash
+  logcat -d | grep -iE "(error|exception)"
+  ```
+* Read stored Wi-Fi credentials (Android 11 +):
+  ```bash
+  cat /data/misc/wifi/WifiConfigStore.xml | grep -i "<ConfigKey>"
+  ```
+* Bulk debloat (example):
+  ```bash
+  pm uninstall --user 0 com.miui.weather2
+  ```
+
+---
+## 4. Security considerations / detection
+1. Shizuku needs **ADB debugging** privileges, therefore _Developer Options → USB/Wireless debugging_ must be **enabled**.  
+   Organisations can block this through an MDM or via `settings put global development_settings_enabled 0`.
+2. The service registers itself under the name `moe.shizuku.privileged.api`.  
+   A simple `adb shell service list | grep shizuku` (or Endpoint Security rule) detects its presence.
+3. Capabilities are limited to what the `shell` user can already do – it is **not root**.  
+   Sensitive APIs that require the `system` or `root` user are still inaccessible.
+4. Sessions do **not survive a reboot** unless the device is rooted and Shizuku is configured as a startup daemon.
+
+---
+## 5. Mitigation
+* Disable USB/Wireless debugging on production devices.
+* Monitor for Binder services exposing `moe.shizuku.privileged.api`.
+* Use SELinux policies (Android enterprise) to block the AIDL interface from unmanaged applications.
+
+---
+## References
+
+- [Blog – Shizuku: Unlocking Advanced Android Capabilities Without Root](https://www.mobile-hacker.com/2025/07/14/shizuku-unlocking-advanced-android-capabilities-without-root/)
+- [Shizuku Official Documentation](https://shizuku.rikka.app/)
+- [awesome-shizuku – list of supported apps](https://github.com/timschneeb/awesome-shizuku)
+- [rish shell (privileged reverse-adb shell)](https://github.com/RikkaApps/Shizuku/blob/master/RISH.md)
+
+{{#include ../../banners/hacktricks-training.md}}