maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/mobile-pentesting/android-app-pentesting/shizuku-privileged-api.md

128 lines
5.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Shizuku Privileged API
{{#include ../../banners/hacktricks-training.md}}
Shizuku is an opensource service that **spawns a privileged Java process using `app_process`** and exposes selected **Android system APIs over Binder**.
Because the process is launched with the same **`shell` UID capabilities that ADB uses**, any application (or terminal) that binds to the exported AIDL interface can perform many actions that normally require **`WRITE_SECURE_SETTINGS`, `INSTALL_PACKAGES`, file I/O inside `/data`,** etc. **without rooting the device**.
Typical use cases:
* Security auditing from an un-rooted handset
* Removing bloatware / debloating system apps
* Collecting logs, Wi-Fi keys, process and socket information for blue-team/DFIR
* Automating device configuration from custom apps or shell scripts
---
## 1. Starting the privileged service
`moe.shizuku.privileged.api` can be started in three different ways the resulting Binder service behaves the same in all of them.
### 1.1 Wireless ADB (Android 11+)
1. Enable **Developer Options ➜ Wireless debugging** and pair the device.
2. Inside the Shizuku app select **“Start via Wireless debugging”** and copy the pairing code.
3. The service survives until the next reboot (wireless-debugging sessions are cleared on boot).
### 1.2 USB / local ADB one-liner
```bash
adb push start.sh \
/storage/emulated/0/Android/data/moe.shizuku.privileged.api/
# spawn the privileged process
adb shell sh /storage/emulated/0/Android/data/moe.shizuku.privileged.api/start.sh
```
The same script can be executed over a **network ADB** connection (`adb connect <IP>:5555`).
### 1.3 Rooted devices
If the device is already rooted run:
```bash
su -c sh /data/adb/shizuku/start.sh
```
### 1.4 Verifying that it is running
```bash
adb shell dumpsys activity service moe.shizuku.privileged.api | head
```
A successful start returns `Running services (1)` together with the PID of the privileged process.
---
## 2. Binding from an application
Third-party apps only need the following inside their `AndroidManifest.xml`:
```xml
<uses-permission android:name="moe.shizuku.manager.permission.API"/>
```
At runtime they obtain the binder:
```java
IBinder binder = ShizukuProvider.getBinder();
IPackageManager pm = IPackageManager.Stub.asInterface(binder);
```
From this moment the app can invoke any method that the **`shell` user** may call for example :
```java
pm.installPackage(new Uri("file:///sdcard/app.apk"), null, 0, null);
Settings.Global.putInt(resolver, Settings.Global.ADB_ENABLED, 1);
```
A curated list of more than **170 Shizuku-enabled apps** is maintained at [awesome-shizuku](https://github.com/timschneeb/awesome-shizuku).
---
## 3. Rish elevated shell inside Termux
The Shizuku settings screen exposes **“Use Shizuku in terminal apps”**. Enabling it downloads *rish* (`/data/local/tmp/rish`).
```bash
pkg install wget
wget https://rikka.app/rish/latest -O rish && chmod +x rish
# start elevated shell (inherits the binder connection)
./rish
whoami # ➜ shell
id # uid=2000(shell) gid=2000(shell) groups=... context=u:r:shell:s0
```
### 3.1 Useful commands from the rish shell
* List running processes of a given package:
```bash
ps -A | grep com.facebook.katana
```
* Enumerate listening sockets and map them to packages (e.g. **CVE-2019-6447 ES File Explorer**):
```bash
netstat -tuln
for pid in $(lsof -nP -iTCP -sTCP:LISTEN -t); do
printf "%s -> %s\n" "$pid" "$(cat /proc/$pid/cmdline)";
done
```
* Dump every applications logs:
```bash
logcat -d | grep -iE "(error|exception)"
```
* Read stored Wi-Fi credentials (Android 11 +):
```bash
cat /data/misc/wifi/WifiConfigStore.xml | grep -i "<ConfigKey>"
```
* Bulk debloat (example):
```bash
pm uninstall --user 0 com.miui.weather2
```
---
## 4. Security considerations / detection
1. Shizuku needs **ADB debugging** privileges, therefore _Developer Options → USB/Wireless debugging_ must be **enabled**.
Organisations can block this through an MDM or via `settings put global development_settings_enabled 0`.
2. The service registers itself under the name `moe.shizuku.privileged.api`.
A simple `adb shell service list | grep shizuku` (or Endpoint Security rule) detects its presence.
3. Capabilities are limited to what the `shell` user can already do it is **not root**.
Sensitive APIs that require the `system` or `root` user are still inaccessible.
4. Sessions do **not survive a reboot** unless the device is rooted and Shizuku is configured as a startup daemon.
---
## 5. Mitigation
* Disable USB/Wireless debugging on production devices.
* Monitor for Binder services exposing `moe.shizuku.privileged.api`.
* Use SELinux policies (Android enterprise) to block the AIDL interface from unmanaged applications.
---
## References
- [Blog Shizuku: Unlocking Advanced Android Capabilities Without Root](https://www.mobile-hacker.com/2025/07/14/shizuku-unlocking-advanced-android-capabilities-without-root/)
- [Shizuku Official Documentation](https://shizuku.rikka.app/)
- [awesome-shizuku list of supported apps](https://github.com/timschneeb/awesome-shizuku)
- [rish shell (privileged reverse-adb shell)](https://github.com/RikkaApps/Shizuku/blob/master/RISH.md)
{{#include ../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink