Shizuku Privileged API
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Shizuku is an open-source service that spawns a privileged Java process using `app_process` and exposes selected Android system APIs over Binder. Because the process is launched with the same `shell` UID capabilities that ADB uses, any application (or terminal) that binds to the exported AIDL interface can perform many actions that normally require `WRITE_SECURE_SETTINGS`, `INSTALL_PACKAGES`, file I/O inside `/data`, etc. – without rooting the device.
Typical use cases:
- Security auditing from an un-rooted handset
- Removing bloatware / debloating system apps
- Collecting logs, Wi-Fi keys, process and socket information for blue-team/DFIR
- Automating device configuration from custom apps or shell scripts
1. Starting the privileged service
`moe.shizuku.privileged.api` can be started in three different ways – the resulting Binder service behaves the same in all of them.
1.1 Wireless ADB (Android 11+)
- Enable Developer Options ➜ Wireless debugging and pair the device.
- Inside the Shizuku app select “Start via Wireless debugging” and copy the pairing code.
- The service survives until the next reboot (wireless-debugging sessions are cleared on boot).
1.2 USB / local ADB one-liner
```bash
# stage start.sh on the device
adb push start.sh /storage/emulated/0/Android/data/moe.shizuku.privileged.api/
# spawn the privileged process
adb shell sh /storage/emulated/0/Android/data/moe.shizuku.privileged.api/start.sh
```
The same script can be executed over a network ADB connection (`adb connect <IP>:5555`).
1.3 Rooted devices
If the device is already rooted run:
```bash
su -c sh /data/adb/shizuku/start.sh
```
1.4 Verifying that it is running
```bash
adb shell dumpsys activity service moe.shizuku.privileged.api | head
```
A successful start returns `Running services (1)` together with the PID of the privileged process.
2. Binding from an application
Third-party apps only need the following inside their `AndroidManifest.xml`:
```xml
<uses-permission android:name="moe.shizuku.manager.permission.API"/>
```
At runtime they obtain the binder:
```java
IBinder binder = ShizukuProvider.getBinder();
IPackageManager pm = IPackageManager.Stub.asInterface(binder);
```
From this moment the app can invoke any method that the `shell` user may call – for example:
```java
// Uri has no public constructor; build it with Uri.parse()
pm.installPackage(Uri.parse("file:///sdcard/app.apk"), null, 0, null);
// resolver is a ContentResolver, e.g. context.getContentResolver()
Settings.Global.putInt(resolver, Settings.Global.ADB_ENABLED, 1);
```
A curated list of more than 170 Shizuku-enabled apps is maintained at awesome-shizuku.
3. Rish – elevated shell inside Termux
The Shizuku settings screen exposes “Use Shizuku in terminal apps”. Enabling it downloads rish (`/data/local/tmp/rish`).
```bash
pkg install wget
wget https://rikka.app/rish/latest -O rish && chmod +x rish
# start elevated shell (inherits the binder connection)
./rish
whoami # ➜ shell
id # uid=2000(shell) gid=2000(shell) groups=... context=u:r:shell:s0
```
3.1 Useful commands from the rish shell
- List running processes of a given package: `ps -A | grep com.facebook.katana`
- Enumerate listening sockets and map them to packages (e.g. CVE-2019-6447 ES File Explorer):
  ```bash
  netstat -tuln
  for pid in $(lsof -nP -iTCP -sTCP:LISTEN -t); do printf "%s -> %s\n" "$pid" "$(cat /proc/$pid/cmdline)"; done
  ```
- Dump every application’s logs: `logcat -d | grep -iE "(error|exception)"`
- Read stored Wi-Fi credentials (Android 11+): `cat /data/misc/wifi/WifiConfigStore.xml | grep -i "<ConfigKey>"`
- Bulk debloat (example): `pm uninstall --user 0 com.miui.weather2`
4. Security considerations / detection
- Shizuku needs ADB debugging privileges, therefore Developer Options → USB/Wireless debugging must be enabled. Organisations can block this through an MDM or via `settings put global development_settings_enabled 0`.
- The service registers itself under the name `moe.shizuku.privileged.api`. A simple `adb shell service list | grep shizuku` (or Endpoint Security rule) detects its presence.
- Capabilities are limited to what the `shell` user can already do – it is not root. Sensitive APIs that require the `system` or `root` user are still inaccessible.
- Sessions do not survive a reboot unless the device is rooted and Shizuku is configured as a startup daemon.
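The two indicators above (the registered binder name and the debugging settings Shizuku depends on) can be checked in one pass. The script below is an added example, not part of the original page or the Shizuku project; it separates evaluation from collection so the logic can be exercised on captured text, and the sample `service list` output is constructed.

```shell
#!/bin/sh
# Added example (not from the page or the Shizuku project): triage a device for the
# Shizuku indicators described under "Security considerations / detection".
# Evaluation is separated from collection so it can be run on captured output.

SHIZUKU_SVC='moe.shizuku.privileged.api'

# Evaluate captured command output. Arguments:
#   $1  output of `adb shell service list`
#   $2  output of `adb shell settings get global adb_enabled`
#   $3  output of `adb shell settings get global development_settings_enabled`
# Prints one line per finding and returns the number of findings (0 = clean).
evaluate_shizuku_indicators() {
    findings=0
    # The privileged process registers a binder under its package name.
    if printf '%s\n' "$1" | grep -Fq "$SHIZUKU_SVC"; then
        echo "FINDING: binder service $SHIZUKU_SVC is registered"
        findings=$((findings + 1))
    fi
    # Shizuku needs ADB debugging; on a managed device this is a gap by itself.
    if [ "$2" = "1" ]; then
        echo "FINDING: adb_enabled=1 (USB/wireless debugging is on)"
        findings=$((findings + 1))
    fi
    if [ "$3" = "1" ]; then
        echo "WARNING: development_settings_enabled=1 (Developer Options unlocked)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Live collection over an authorised ADB connection (not exercised by the test).
check_connected_device() {
    evaluate_shizuku_indicators \
        "$(adb shell service list 2>/dev/null)" \
        "$(adb shell settings get global adb_enabled 2>/dev/null | tr -d '\r')" \
        "$(adb shell settings get global development_settings_enabled 2>/dev/null | tr -d '\r')"
}

# Constructed sample: Shizuku running, debugging enabled (not a real capture).
SAMPLE_SVC_LIST='Found 3 services:
0  activity: [android.app.IActivityManager]
1  moe.shizuku.privileged.api: [moe.shizuku.server.IShizukuService]
2  package: [android.content.pm.IPackageManager]'

# Constructed clean sample.
CLEAN_SVC_LIST='Found 2 services:
0  activity: [android.app.IActivityManager]
1  package: [android.content.pm.IPackageManager]'
```

Run `check_connected_device; echo "findings: $?"` against a connected handset; a non-zero count means at least one indicator from section 4 is present.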
5. Mitigation
- Disable USB/Wireless debugging on production devices.
- Monitor for Binder services exposing `moe.shizuku.privileged.api`.
- Use SELinux policies (Android enterprise) to block the AIDL interface from unmanaged applications.
References
- Blog – Shizuku: Unlocking Advanced Android Capabilities Without Root
- Shizuku Official Documentation
- awesome-shizuku – list of supported apps
- rish shell (privileged reverse-adb shell)