# Shizuku Privileged API

{{#include ../../banners/hacktricks-training.md}}

Shizuku is an open–source service that **spawns a privileged Java process using `app_process`** and exposes selected **Android system APIs over Binder**.  
Because the process is launched with the same **`shell` UID capabilities that ADB uses**, any application (or terminal) that binds to the exported AIDL interface can perform many actions that normally require **`WRITE_SECURE_SETTINGS`, `INSTALL_PACKAGES`, file I/O inside `/data`,** etc. – **without rooting the device**.

Typical use cases:
* Security auditing from an un-rooted handset
* Removing bloatware / debloating system apps
* Collecting logs, Wi-Fi keys, process and socket information for blue-team/DFIR
* Automating device configuration from custom apps or shell scripts

---
## 1. Starting the privileged service

`moe.shizuku.privileged.api` can be started in three different ways – the resulting Binder service behaves the same in all of them.

### 1.1 Wireless ADB (Android 11+)
1. Enable **Developer Options ➜ Wireless debugging** and pair the device.
2. Inside the Shizuku app select **“Start via Wireless debugging”** and copy the pairing code.
3. The service survives until the next reboot (wireless-debugging sessions are cleared on boot).

### 1.2 USB / local ADB one-liner
```bash
adb push start.sh \
  /storage/emulated/0/Android/data/moe.shizuku.privileged.api/

# spawn the privileged process
adb shell sh /storage/emulated/0/Android/data/moe.shizuku.privileged.api/start.sh
```
The same script can be executed over a **network ADB** connection (`adb connect <IP>:5555`).

### 1.3 Rooted devices
If the device is already rooted run:
```bash
su -c sh /data/adb/shizuku/start.sh
```

### 1.4 Verifying that it is running
```bash
adb shell dumpsys activity service moe.shizuku.privileged.api | head
```
A successful start returns `Running services (1)` together with the PID of the privileged process.

---
## 2. Binding from an application
Third-party apps only need the following inside their `AndroidManifest.xml`:
```xml
<uses-permission android:name="moe.shizuku.manager.permission.API"/>
```
At runtime they obtain the binder:
```java
IBinder binder = ShizukuProvider.getBinder();
IPackageManager pm  = IPackageManager.Stub.asInterface(binder);
```
From this moment the app can invoke any method that the **`shell` user** may call – for example :
```java
pm.installPackage(new Uri("file:///sdcard/app.apk"), null, 0, null);
Settings.Global.putInt(resolver, Settings.Global.ADB_ENABLED, 1);
```
A curated list of more than **170 Shizuku-enabled apps** is maintained at [awesome-shizuku](https://github.com/timschneeb/awesome-shizuku).

---
## 3. Rish – elevated shell inside Termux
The Shizuku settings screen exposes **“Use Shizuku in terminal apps”**. Enabling it downloads *rish* (`/data/local/tmp/rish`).

```bash
pkg install wget
wget https://rikka.app/rish/latest -O rish && chmod +x rish

# start elevated shell (inherits the binder connection)
./rish
whoami   #  ➜  shell
id       #  uid=2000(shell) gid=2000(shell) groups=... context=u:r:shell:s0
```

### 3.1 Useful commands from the rish shell
* List running processes of a given package:
  ```bash
  ps -A | grep com.facebook.katana
  ```
* Enumerate listening sockets and map them to packages (e.g. **CVE-2019-6447 ES File Explorer**):
  ```bash
  netstat -tuln
  for pid in $(lsof -nP -iTCP -sTCP:LISTEN -t); do
      printf "%s -> %s\n" "$pid" "$(cat /proc/$pid/cmdline)";
  done
  ```
* Dump every application’s logs:
  ```bash
  logcat -d | grep -iE "(error|exception)"
  ```
* Read stored Wi-Fi credentials (Android 11 +):
  ```bash
  cat /data/misc/wifi/WifiConfigStore.xml | grep -i "<ConfigKey>"
  ```
* Bulk debloat (example):
  ```bash
  pm uninstall --user 0 com.miui.weather2
  ```

---
## 4. Security considerations / detection
1. Shizuku needs **ADB debugging** privileges, therefore _Developer Options → USB/Wireless debugging_ must be **enabled**.  
   Organisations can block this through an MDM or via `settings put global development_settings_enabled 0`.
2. The service registers itself under the name `moe.shizuku.privileged.api`.  
   A simple `adb shell service list | grep shizuku` (or Endpoint Security rule) detects its presence.
3. Capabilities are limited to what the `shell` user can already do – it is **not root**.  
   Sensitive APIs that require the `system` or `root` user are still inaccessible.
4. Sessions do **not survive a reboot** unless the device is rooted and Shizuku is configured as a startup daemon.

---
## 5. Mitigation
* Disable USB/Wireless debugging on production devices.
* Monitor for Binder services exposing `moe.shizuku.privileged.api`.
* Use SELinux policies (Android enterprise) to block the AIDL interface from unmanaged applications.

---
## References

- [Blog – Shizuku: Unlocking Advanced Android Capabilities Without Root](https://www.mobile-hacker.com/2025/07/14/shizuku-unlocking-advanced-android-capabilities-without-root/)
- [Shizuku Official Documentation](https://shizuku.rikka.app/)
- [awesome-shizuku – list of supported apps](https://github.com/timschneeb/awesome-shizuku)
- [rish shell (privileged reverse-adb shell)](https://github.com/RikkaApps/Shizuku/blob/master/RISH.md)

{{#include ../../banners/hacktricks-training.md}}