Skip to main content

Run-As Like the Wind: Getting private app data off non-rooted devices using adb run-as and a debuggable app

"You're some kind of big, fat, smart-bug aren't you?"
~Johnny Rico, Starship Troopers (1997)
One of the most important things about writing bugs is making them descriptive but concise. Screenshots, video, debug logging, and hardware snapshots are all fairly standard or available to Android testers these days and can save you enormously on text when communicating what constitutes the bug. Sometimes though, the app gets into a weird state due to some transient data issue where you may not own the API or the complexity with forcing the app data into a certain state is prohibitively high. In those cases it is very handy to directly inspect the data the app has in its own directories.

Getting at this data is trivial on emulators and rooted devices but due to file system permissions, this data is otherwise completely private to the app itself. If you're like me, you tend to test using devices rather than emulators and you probably prefer not to root your devices since they are from a pool of shared devices used across your team or throughout your organization. This creates a slight problem when it comes to accessing those private files. Thankfully, there is a clever tool called "run-as". Here's how it helps.

Run-as allows you to execute commands in the shell with the same permissions owned by the app. It checks whether the user calling it is either root or using adb so you need to enable USB or WiFi adb debugging access on your device first. The syntax for running commands with "run-as" is identical to normal shell commands so you will be in familiar territory. Just prepend your normal command with "run-as com.example.app" where "com.example.app" is the package name for your app. A little caution though: this only works if your app is debuggable so this technique isn't valid for release packaged builds.

So how does "run-as" help you pull private application files? Alex P from Stack Overflow provides the following suggestion for accessing your app's database files. Because I intend to use this technique regularly, I've slapped together this quick script for pulling all relevant files from all attached devices which I'm using for my tests. Another caveat: Somewhere in Android 4.2, run-as got broken. This was patched for most devices but Samsung in particular continues to have problems from 4.2 devices ever since. They may have done this intentionally as this has been reported a long time ago and remains broken even on my test Galaxy S5 running 4.4.


Comments

  1. I tried this solution on a few devices with android >= 4, and it didn't work...
    On what device are You testing?
    Isn't it a security breach ?

    ReplyDelete
  2. Hi Tomek,
    As I mentioned this was something that was broken in AOSP at some point around 4.1.x. On Samsung devices this remains broken but elsewhere it has since been fixed. Now whether you consider this a security breach is complicated. On the one hand, Android devices are rootable. Some more than others. You can always encrypt the data you're saving if you actually care about security (or even better secure the data on your own services and encrypt the traffic to the devices which do not store a permanent copy of any of that data outside of encrypted sessions). Even if you don't do any of that, this run-as trick only works if the app is debuggable. Now the fact remains there are a lot of apps out there which are debuggable but most developers should know to export release builds instead of signing their test builds with release keys. Google have been kind enough to put very helpful instructions on their developer portal for how to manage all of this.

    So ultimately I would suggest that no, this access itself is not a security breach. It isn't a hole. It isn't even a vulnerability. It is a potential problem for developers who are either very new or don't bother thoroughly reading Google's recommended development patterns for security or release steps for publication.

    ReplyDelete
  3. if you need spy phone app spy someones text messages free and you will read useful information about tracking

    ReplyDelete

Post a Comment

Popular posts from this blog

UiAutomator and Watchers: Adding Async Robustness to UI Automation

"I'm looking over your shoulder... only because I've got your back." ~ Stephen Colbert After my recent UiAutomator review a user brought up an important question about the use of UiWatcher. The watchers serve as async guardians of the test flow, making sure the odd dialog window doesn't completely frustrate your tests. Having a tool that automatically watches your back when you're focused on the functional flow of your tests is awesome. 100% pure awesomesauce. Since the API documentation on watchers is scant and the UI Testing tutorial on the Android dev guide doesn't cover their use in depth, I figured I should add a post here that goes over a simple scenario demonstrating how to use this fundamentally important UI automation tool. In my example code below, I'm using uiautomator to launch the API Demo app (meaning run this against an Emulator built in API level 17 - I used the Galaxy Nexus image included in the latest ADT and platform tools).

UiAutomator.jar: What happened when Android's JUnit and MonkeyRunner got drunk and hooked up

"Drunkenness does not create vice; it merely brings it into view" ~Seneca So Jelly Bean 4.2 landed with much fanfare and tucked in amongst the neat new OS and SDK features (hello, multi-user tablets!) was this little gem for testers: UiAutomator.jar. I have it on good authority that it snuck in amongst the updates in the preview tools and OS updates sometime around 4.1 with r3 of the platform. As a code-monkey of a tester, I was intrigued. One of the best ways Google can support developers struggling with platform fragmentation is to make their OS more testable so I hold high hopes with every release to see effort spent in that area. I have spent a couple days testing out the new UiAutomator API  and the best way I can think of describing it is that Android's JUnit and MonkeyRunner got drunk and had a code baby. Let me explain what I mean before that phrase sinks down into "mental image" territory. JUnit, for all its power and access to every interface, e