After years of rooting my devices, I quit the practice because I couldn't help but wonder if it was actually such a good idea to run code from random strangers with root privileges. Luckily I found out granting apps ADB shell privileges let me achieve most of the things I previously used root for. One website calls this “near-root capabilities without the security risks of traditional rooting”. Isn't it great? Who says you can't have your cake and eat it too!
Except that's a load of B.S. of course. Getting ADB shell privileges is any malware creator's wet dream. Their malware could set the Private DNS to one they control, leading their victims to phishing replicas of popular websites. It could silently replace apps with phishing replicas too. You'd maybe be surprised your social media, e-mail or banking/PayPal/crypto app asked you to login again, but the app would assure you that this is for your own safety and you wouldn't think twice because it's not uncommon. Besides, you tapped the same icon you always tap, with the same name underneath it, on your own trusted phone.
The malware could read all your notifications, files and I think your address book too. Heck, it could install a package and grant it all thinkable and sensitive permissions one can grant through ADB, so even when it loses ADB shell privileges, it can still do a lot. It could install and activate accessibility services that can read the screen and I don't think you'd get prompted about it. It could also just make screenshots and recordings silently, couldn't it?
I'm an avid Tasker (automation app) user, and my delight about finding out what I could automate with ADB shell privileges—it's awesome, almost everything!—at some point turned into a realization of what powers I was granting apps when I granted them ADB privileges. Now that I've taken the red pill, so to speak, I'm somewhat shocked about how easily people teach others how to grant ADB shell privileges to apps without ever discussing the security implications. Often it's clear nobody's actually aware.
Occasionally someone asks “Is this random app by unknown developer safe?” and someone else replies with “It totally is dude, I've been running it for a week with no problems. Besides, it's open source, so you can totally trust the binary you download from GitHub releases. Just make sure to install Shizuku from this other unknown developer that doesn't have any online presence to handle ADB privileges for all your apps and you're golden!”
I feel like there's not enough awareness. I myself was very happy to stumble upon Madadain's blog at some point, and I feel I should've been better informed when I started rooting back in the days. It's not like anybody told me what a bootloader was for, just that I needed to unlock it and replace it to regain control over my device. And to be fair, security and freedom are not exactly on friendly terms with each other in our current reality.
But I'm surprised I can't really find any serious articles warning about the dangers of Shizuku & Co. I'm not even sure if I'm ready to give up the possibilities ADB privileges provide, but it sure would help reading about the security tradeoffs more often. It would especially benefit others, as it seems like Shizuku is only getting more popular with each passing month, and apps utilizing it are popping up left and right. I believe people should be able to do what they want with their device, but they should also be able to make an informed decision.
Maybe someone shares this post on r/fossdroid or Hacker News, maybe someone who works for Android Authority decides to write an article about this which gets discussed on r/Android. If Android Authority writes about it, soon 10 more sites will. It wouldn't hurt awareness. Lest people start believing Shizuku provides “near-root capabilities without the security risks of traditional rooting”.
...
Was anything I stated or suggested in this post incorrect? Then please correct me, I'm only here to learn! I also would love to hear your opinions on this topic and how you think malware could and would use ADB shell privileges for the financial gain of its creator. Also, for good old script kiddie lulz, it could just run cmd recovery wipe to initiate a factory reset without user confirmation...