1

When I just run `adb shell`, I get a shell running as `uid=2000(shell) gid=2000(shell)`, without ptrace access to my application.

How do I open a shell with the same UID as the launched application?

Vi.
  • Possible duplicate of http://stackoverflow.com/questions/14654718/adb-shell-when-multiple-devices – tim May 27 '14 at 18:25
  • @tim, Wrong duplicate candidate. The linked question is about choosing the device for the shell to be opened in. This question is about opening a shell with a specific uid. – Vi. May 27 '14 at 18:28
  • That is not a duplicate of this question. That asks for specifying a particular device, this asks for a specific UID – indivisible May 27 '14 at 18:28
  • Try an emulator where adb runs as root; if you need to use a real device where run-as is broken, you can temporarily merge an SSH or cruder shell server configured to run as a distinct process into a build of your app, and use that. – Chris Stratton May 27 '14 at 19:27
  • I'm trying the shell server approach with my ["dive"](http://vi-server.org/pub/dived_armel), but AF_UNIX sockets between applications seem to be restricted by SELinux on this device. It's probably time for `socat`. – Vi. May 27 '14 at 19:37

3 Answers

6

Use `run-as <your package name>` to switch to your app's UID or `run-as <your package name> <command>` to run a single command with your app's UID.

Alex P.
  • It says `run-as: Package 'com.example.myapp' is unknown` for all packages... Maybe it's ["run-as doesn't work after update to 4.3"](http://code.google.com/p/android/issues/detail?id=58373)? – Vi. May 27 '14 at 19:20
  • Do you have a debug build of the app? Are you absolutely sure the package name is exactly correct? There are devices where this doesn't work, but don't give up too soon. – Chris Stratton May 27 '14 at 19:28
  • It is installed from MainActivity-debug.apk, so I expect it to be debug. The package name is obtained from `AndroidManifest.xml` and `dumpsys package com.example.myapp` works. The device is `Samsung GT-N7100` running Android 4.3. – Vi. May 27 '14 at 19:33
5

From this answer:

  • The `packages.xml` file present in `/data/system`
  • The `packages.list` file present in `/data/system`

Contain the list of applications installed and their corresponding UIDs.

Another answer in the same question suggests:

```
adb shell dumpsys package com.example.myapp | grep userId=
```

You can then open your shell as normal and run:

```
$ su <UID>
```

You should then have the same access and privileges as the app that uses that UID.

Community
indivisible
  • `/system/bin/sh: su: not found`. Of course it is not a problem on rooted devices. – Vi. May 27 '14 at 18:49
  • I don't think there is any way to do this on an unrooted device unfortunately due to the built-in security restrictions. I'd be happy to be proved wrong though. – indivisible May 27 '14 at 18:51
  • You can debug the application, so you can start the shell indirectly. The question is about how to do it conveniently. – Vi. May 27 '14 at 18:52
  • 2
    Ultimately this is not a very useful answer, as *if* you have the ability to `su` then *you are already root* (or able to become so) and therefore can `ptrace` the process *without* needing to match its UID. – Chris Stratton May 27 '14 at 19:25
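
The lookup this answer describes, as an added example that is not part of the original answers: it resolves a package's UID from `packages.list`-style lines and predicts whether `run-as` would accept the package. The field layout, the `run-as` acceptance rules and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original answers.
# Assumption: each packages.list line starts with
#   <package> <uid> <debuggable 0|1> <data dir> ...
# Constructed sample data (not from a real device):
PKG_DATA='com.example.myapp 10123 1 /data/data/com.example.myapp default
com.example.release 10124 0 /data/data/com.example.release default
com.android.settings 1000 0 /data/data/com.android.settings platform'

# pkg_info <package>: print "<uid> <debuggable>", return 1 if not listed.
pkg_info() {
    printf '%s\n' "$PKG_DATA" | awk -v pkg="$1" '
        $1 == pkg { print $2, $3; found = 1; exit }
        END { exit !found }'
}

# run_as_verdict <package>: predict whether run-as would accept the package.
# Assumption: run-as rejects unknown packages, UIDs below 10000 (system
# accounts) and packages without the debuggable flag.
run_as_verdict() {
    info=$(pkg_info "$1") || { echo "unknown"; return 1; }
    uid=${info% *}
    debuggable=${info#* }
    if [ "$uid" -lt 10000 ]; then
        echo "not-an-application"; return 1
    elif [ "$debuggable" != 1 ]; then
        echo "not-debuggable"; return 1
    fi
    echo "ok uid=$uid"
}

# list_debuggable: audit helper, prints every package whose UID is
# reachable through run-as.
list_debuggable() {
    printf '%s\n' "$PKG_DATA" | awk '$2 >= 10000 && $3 == 1 { print $1 }'
}

# Demo over the constructed sample, including a package that is not listed.
for p in com.example.myapp com.example.release com.example.missing; do
    printf '%s: %s\n' "$p" "$(run_as_verdict "$p")"
done
```

To check a real device image, set `PKG_DATA` to the contents of a copy of its `packages.list`; `list_debuggable` then gives the set of apps whose data a shell user could reach through `run-as`.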
0

Workaround using `socat`:

  1. Add `android.permission.INTERNET` to your application;
  2. Put the `socat` binary (mirror) in `/data/local/tmp/`. Ensure everybody can start it;
  3. Add `Runtime.getRuntime().exec("/data/local/tmp/socat tcp-l:4446,fork,reuseaddr exec:/system/bin/sh,pty,stderr,setsid");` at startup of your Java-based application;
  4. `adb forward tcp:4446 tcp:4446`
  5. Use `` socat `tty`,raw,echo=0,opost=1 tcp:127.0.0.1:4446 `` on the host to connect to the shell in your application context.

Note that this setup is not secure and should not be left in a production app.

Vi.