From 10b6790c7a963c4b005d8baf2bc50ec2cae947a9 Mon Sep 17 00:00:00 2001
From: HackTricks News Bot <bot@hacktricks.xyz>
Date: Mon, 14 Jul 2025 12:49:08 +0000
Subject: [PATCH] Add content from: Shizuku: Unlocking Advanced Android
 Capabilities Without Roo...

---
 src/SUMMARY.md                                |   1 +
 ...nexmon-monitor-and-injection-on-android.md |   4 +-
 .../android-app-pentesting/README.md          |   1 +
 .../shizuku-privileged-api.md                 | 127 ++++++++++++++++++
 .../ios-pentesting-without-jailbreak.md       |   2 +-
 .../pentesting-telnet.md                      |   2 +-
 6 files changed, 133 insertions(+), 4 deletions(-)
 create mode 100644 src/mobile-pentesting/android-app-pentesting/shizuku-privileged-api.md

diff --git a/src/SUMMARY.md b/src/SUMMARY.md
index 93b6e3273..737423458 100644
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@@ -337,6 +337,7 @@
   - [Manual DeObfuscation](mobile-pentesting/android-app-pentesting/manual-deobfuscation.md)
   - [React Native Application](mobile-pentesting/android-app-pentesting/react-native-application.md)
   - [Reversing Native Libraries](mobile-pentesting/android-app-pentesting/reversing-native-libraries.md)
+  - [Shizuku Privileged Api](mobile-pentesting/android-app-pentesting/shizuku-privileged-api.md)
   - [Smali - Decompiling, Modifying, Compiling](mobile-pentesting/android-app-pentesting/smali-changes.md)
   - [Spoofing your location in Play Store](mobile-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md)
   - [Tapjacking](mobile-pentesting/android-app-pentesting/tapjacking.md)
diff --git a/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md b/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md
index 2ee072b12..9c74b3b41 100644
--- a/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md
+++ b/src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md
@@ -22,7 +22,7 @@ The same technique applies to any handset that has a publicly available NexMon p
 * NexMon Magisk ZIP or self-compiled patch providing:
   * `/system/lib*/libnexmon.so`
   * `/system/xbin/nexutil`
-* Hijacker ≥ 1.7 (arm/arm64) – https://github.com/chrisk44/Hijacker
+* Hijacker ≥ 1.7 (arm/arm64) – [https://github.com/chrisk44/Hijacker](https://github.com/chrisk44/Hijacker)
 * (Optional) Kali NetHunter or any Linux chroot where you intend to run wireless tools
 
 ---
@@ -130,4 +130,4 @@ Performance on the Galaxy S10 is comparable to external USB NICs (~20 dBm TX, 2-
 * [NexMon – firmware patching framework](https://github.com/seemoo-lab/nexmon)
 * [Hijacker (aircrack-ng GUI for Android)](https://github.com/chrisk44/Hijacker)
 
-{{#include ../../banners/hacktricks-training.md}}
\ No newline at end of file
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/mobile-pentesting/android-app-pentesting/README.md b/src/mobile-pentesting/android-app-pentesting/README.md
index 627944cd8..1b0db1992 100644
--- a/src/mobile-pentesting/android-app-pentesting/README.md
+++ b/src/mobile-pentesting/android-app-pentesting/README.md
@@ -25,6 +25,7 @@ Sometimes it is interesting to **modify the application code** to access **hidde
 ## Other interesting tricks
 
 - [Spoofing your location in Play Store](spoofing-your-location-in-play-store.md)
+- [Shizuku Privileged API (ADB-based non-root privileged access)](shizuku-privileged-api.md)
 - **Download APKs**: [https://apps.evozi.com/apk-downloader/](https://apps.evozi.com/apk-downloader/), [https://apkpure.com/es/](https://apkpure.com/es/), [https://www.apkmirror.com/](https://www.apkmirror.com), [https://apkcombo.com/es-es/apk-downloader/](https://apkcombo.com/es-es/apk-downloader/), [https://github.com/kiber-io/apkd](https://github.com/kiber-io/apkd)
 - Extract APK from device:
 
diff --git a/src/mobile-pentesting/android-app-pentesting/shizuku-privileged-api.md b/src/mobile-pentesting/android-app-pentesting/shizuku-privileged-api.md
new file mode 100644
index 000000000..87998d376
--- /dev/null
+++ b/src/mobile-pentesting/android-app-pentesting/shizuku-privileged-api.md
@@ -0,0 +1,127 @@
+# Shizuku Privileged API
+
+{{#include ../../banners/hacktricks-training.md}}
+
+Shizuku is an open–source service that **spawns a privileged Java process using `app_process`** and exposes selected **Android system APIs over Binder**.  
+Because the process is launched with the same **`shell` UID capabilities that ADB uses**, any application (or terminal) that binds to the exported AIDL interface can perform many actions that normally require **`WRITE_SECURE_SETTINGS`, `INSTALL_PACKAGES`, file I/O inside `/data`,** etc. – **without rooting the device**.
+
+Typical use cases:
+* Security auditing from an un-rooted handset
+* Removing bloatware / debloating system apps
+* Collecting logs, Wi-Fi keys, process and socket information for blue-team/DFIR
+* Automating device configuration from custom apps or shell scripts
+
+---
+## 1. Starting the privileged service
+
+`moe.shizuku.privileged.api` can be started in three different ways – the resulting Binder service behaves the same in all of them.
+
+### 1.1 Wireless ADB (Android 11+)
+1. Enable **Developer Options ➜ Wireless debugging** and pair the device.
+2. Inside the Shizuku app select **“Start via Wireless debugging”** and copy the pairing code.
+3. The service survives until the next reboot (wireless-debugging sessions are cleared on boot).
+
+### 1.2 USB / local ADB one-liner
+```bash
+adb push start.sh \
+  /storage/emulated/0/Android/data/moe.shizuku.privileged.api/
+
+# spawn the privileged process
+adb shell sh /storage/emulated/0/Android/data/moe.shizuku.privileged.api/start.sh
+```
+The same script can be executed over a **network ADB** connection (`adb connect <IP>:5555`).
+
+### 1.3 Rooted devices
+If the device is already rooted run:
+```bash
+su -c sh /data/adb/shizuku/start.sh
+```
+
+### 1.4 Verifying that it is running
+```bash
+adb shell dumpsys activity service moe.shizuku.privileged.api | head
+```
+A successful start returns `Running services (1)` together with the PID of the privileged process.
+
+---
+## 2. Binding from an application
+Third-party apps only need the following inside their `AndroidManifest.xml`:
+```xml
+<uses-permission android:name="moe.shizuku.manager.permission.API"/>
+```
+At runtime they obtain the binder:
+```java
+IBinder binder = ShizukuProvider.getBinder();
+IPackageManager pm  = IPackageManager.Stub.asInterface(binder);
+```
+From this moment the app can invoke any method that the **`shell` user** may call – for example :
+```java
+pm.installPackage(new Uri("file:///sdcard/app.apk"), null, 0, null);
+Settings.Global.putInt(resolver, Settings.Global.ADB_ENABLED, 1);
+```
+A curated list of more than **170 Shizuku-enabled apps** is maintained at [awesome-shizuku](https://github.com/timschneeb/awesome-shizuku).
+
+---
+## 3. Rish – elevated shell inside Termux
+The Shizuku settings screen exposes **“Use Shizuku in terminal apps”**. Enabling it downloads *rish* (`/data/local/tmp/rish`).
+
+```bash
+pkg install wget
+wget https://rikka.app/rish/latest -O rish && chmod +x rish
+
+# start elevated shell (inherits the binder connection)
+./rish
+whoami   #  ➜  shell
+id       #  uid=2000(shell) gid=2000(shell) groups=... context=u:r:shell:s0
+```
+
+### 3.1 Useful commands from the rish shell
+* List running processes of a given package:
+  ```bash
+  ps -A | grep com.facebook.katana
+  ```
+* Enumerate listening sockets and map them to packages (e.g. **CVE-2019-6447 ES File Explorer**):
+  ```bash
+  netstat -tuln
+  for pid in $(lsof -nP -iTCP -sTCP:LISTEN -t); do
+      printf "%s -> %s\n" "$pid" "$(cat /proc/$pid/cmdline)";
+  done
+  ```
+* Dump every application’s logs:
+  ```bash
+  logcat -d | grep -iE "(error|exception)"
+  ```
+* Read stored Wi-Fi credentials (Android 11 +):
+  ```bash
+  cat /data/misc/wifi/WifiConfigStore.xml | grep -i "<ConfigKey>"
+  ```
+* Bulk debloat (example):
+  ```bash
+  pm uninstall --user 0 com.miui.weather2
+  ```
+
+---
+## 4. Security considerations / detection
+1. Shizuku needs **ADB debugging** privileges, therefore _Developer Options → USB/Wireless debugging_ must be **enabled**.  
+   Organisations can block this through an MDM or via `settings put global development_settings_enabled 0`.
+2. The service registers itself under the name `moe.shizuku.privileged.api`.  
+   A simple `adb shell service list | grep shizuku` (or Endpoint Security rule) detects its presence.
+3. Capabilities are limited to what the `shell` user can already do – it is **not root**.  
+   Sensitive APIs that require the `system` or `root` user are still inaccessible.
+4. Sessions do **not survive a reboot** unless the device is rooted and Shizuku is configured as a startup daemon.
+
+---
+## 5. Mitigation
+* Disable USB/Wireless debugging on production devices.
+* Monitor for Binder services exposing `moe.shizuku.privileged.api`.
+* Use SELinux policies (Android enterprise) to block the AIDL interface from unmanaged applications.
+
+---
+## References
+
+- [Blog – Shizuku: Unlocking Advanced Android Capabilities Without Root](https://www.mobile-hacker.com/2025/07/14/shizuku-unlocking-advanced-android-capabilities-without-root/)
+- [Shizuku Official Documentation](https://shizuku.rikka.app/)
+- [awesome-shizuku – list of supported apps](https://github.com/timschneeb/awesome-shizuku)
+- [rish shell (privileged reverse-adb shell)](https://github.com/RikkaApps/Shizuku/blob/master/RISH.md)
+
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
index 791da2761..1f226fae0 100644
--- a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
@@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth
 
 ### Automated dynamic analysis with MobSF (no jailbreak)
 
-[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
+[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
 
 ```bash
 docker pull opensecurity/mobile-security-framework-mobsf:latest
diff --git a/src/network-services-pentesting/pentesting-telnet.md b/src/network-services-pentesting/pentesting-telnet.md
index 31ca7a6ae..5eb9580d6 100644
--- a/src/network-services-pentesting/pentesting-telnet.md
+++ b/src/network-services-pentesting/pentesting-telnet.md
@@ -139,4 +139,4 @@ After a shell is obtained remember that **TTYs are usually dumb**; upgrade with
 
 
 
-{{#include /banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}