Skip to main content

Run-As Like the Wind: Getting private app data off non-rooted devices using adb run-as and a debuggable app

"You're some kind of big, fat, smart-bug aren't you?"
~Johnny Rico, Starship Troopers (1997)
One of the most important things about writing bugs is making them descriptive but concise. Screenshots, video, debug logging, and hardware snapshots are all fairly standard or available to Android testers these days and can save you enormously on text when communicating what constitutes the bug. Sometimes though, the app gets into a weird state due to some transient data issue where you may not own the API or the complexity with forcing the app data into a certain state is prohibitively high. In those cases it is very handy to directly inspect the data the app has in its own directories.

Getting at this data is trivial on emulators and rooted devices but due to file system permissions, this data is otherwise completely private to the app itself. If you're like me, you tend to test using devices rather than emulators and you probably prefer not to root your devices since they are from a pool of shared devices used across your team or throughout your organization. This creates a slight problem when it comes to accessing those private files. Thankfully, there is a clever tool called "run-as". Here's how it helps.

Run-as allows you to execute commands in the shell with the same permissions owned by the app. It checks whether the user calling it is either root or using adb so you need to enable USB or WiFi adb debugging access on your device first. The syntax for running commands with "run-as" is identical to normal shell commands so you will be in familiar territory. Just prepend your normal command with "run-as com.example.app" where "com.example.app" is the package name for your app. A little caution though: this only works if your app is debuggable so this technique isn't valid for release packaged builds.

So how does "run-as" help you pull private application files? Alex P from Stack Overflow provides the following suggestion for accessing your app's database files. Because I intend to use this technique regularly, I've slapped together this quick script for pulling all relevant files from all attached devices which I'm using for my tests. Another caveat: Somewhere in Android 4.2, run-as got broken. This was patched for most devices but Samsung in particular continues to have problems from 4.2 devices ever since. They may have done this intentionally as this has been reported a long time ago and remains broken even on my test Galaxy S5 running 4.4.


Comments

  1. I tried this solution on a few devices with android >= 4, and it didn't work...
    On what device are You testing?
    Isn't it a security breach ?

    ReplyDelete
  2. Hi Tomek,
    As I mentioned this was something that was broken in AOSP at some point around 4.1.x. On Samsung devices this remains broken but elsewhere it has since been fixed. Now whether you consider this a security breach is complicated. On the one hand, Android devices are rootable. Some more than others. You can always encrypt the data you're saving if you actually care about security (or even better secure the data on your own services and encrypt the traffic to the devices which do not store a permanent copy of any of that data outside of encrypted sessions). Even if you don't do any of that, this run-as trick only works if the app is debuggable. Now the fact remains there are a lot of apps out there which are debuggable but most developers should know to export release builds instead of signing their test builds with release keys. Google have been kind enough to put very helpful instructions on their developer portal for how to manage all of this.

    So ultimately I would suggest that no, this access itself is not a security breach. It isn't a hole. It isn't even a vulnerability. It is a potential problem for developers who are either very new or don't bother thoroughly reading Google's recommended development patterns for security or release steps for publication.

    ReplyDelete
  3. if you need spy phone app spy someones text messages free and you will read useful information about tracking

    ReplyDelete
  4. This article is very much helpful and i hope this will be an useful information for the needed one. Keep on updating these kinds of informative things...
    ios App Development Company
    Mobile App Development Company
    Best Mobile App Development Company

    ReplyDelete
  5. Hi dear, I like your post so much, and it is very good. Hope that we can communicate with each other. I want to introduce an aso services, I try it and I feel it is so good to us beginners.

    ReplyDelete

Post a Comment

Popular posts from this blog

Jenkins + Devices + AndroidJUnitRunner

New Android build system and test runner, same goose chase using undocumented features and hacks

As I've posted before, I am a big fan of Jenkins. It is extremely flexible, open source, and supported by a staggering array of plugins actively developed by engineers running over 100,000 instances of the server worldwide. With it's distributed node model, you can even build your own device cloud for hosting enterprise-scale automation, economizing hardware investments by sharing resources across multiple projects as well as speeding up automation by parallelizing test runs. I had been using a Jenkins-based system in the past to support instrumentation automation with Robotium quite happily. For the last couple years however, my work hasn't required that as much and I've found myself doing a lot more manual testing and using UiAutomator which didn't require a tight integration between the product codebase and the test code. As a result, I've been slow to adopt the…

UiAutomator and Watchers: Adding Async Robustness to UI Automation

"I'm looking over your shoulder... only because I've got your back." ~ Stephen Colbert
After my recent UiAutomator review a user brought up an important question about the use of UiWatcher. The watchers serve as async guardians of the test flow, making sure the odd dialog window doesn't completely frustrate your tests. Having a tool that automatically watches your back when you're focused on the functional flow of your tests is awesome. 100% pure awesomesauce. Since the API documentation on watchers is scant and the UI Testing tutorial on the Android dev guide doesn't cover their use in depth, I figured I should add a post here that goes over a simple scenario demonstrating how to use this fundamentally important UI automation tool.

In my example code below, I'm using uiautomator to launch the API Demo app (meaning run this against an Emulator built in API level 17 - I used the Galaxy Nexus image included in the latest ADT and platform tools). The te…