I recently tried to do something that should be the digital equivalent of picking up a rock: copying a single file.
I had a save file (some.save) for a game sitting in the standard /Android/data/com.app/files/saves/ directory. I bought the phone with my own money. It sits in my pocket. But after spending hours throwing everything from Shizuku to WSL at it, I learned a harsh lesson: On Android 16, you don't own your data.
Google’s "Scoped Storage" and aggressive SELinux policies have crossed the line from protecting user privacy to completely trapping power users. If your device isn't rooted, your data is locked in a digital fortress.
Here is the technical breakdown of my descent into Android 16 madness, and how the OS systematically blocked every single advanced workaround I threw at it.
Attempt 1: The Shizuku-Powered File Managers
My first thought was that Scoped Storage was just blocking standard file managers. No problem, right? We have Shizuku, which runs processes via the ADB shell user (UID 2000).
I installed ZArchiver and FV File Explorer, authorized them through Shizuku, and navigated to the /Android/data/com.app/ directory.
Result: Permission Denied / Access Denied.
Android 16 has patched the system-level Java binders. Even with Shizuku privileges, graphical file managers are blinded by the OS security layer.
Attempt 2: Dropping into the Terminal
Fine. If the GUI fails, go to the CLI. I fired up Termux, triggered my Shizuku rish (shell) session, and tried to brute-force a copy.
cp /data/data/com.app/files/saves/some.save /sdcard/Download/
Result: Permission Denied.
Even trying to read the raw text stream using cat /data/data... > /sdcard/... was slapped down. Android 16’s SELinux policy strictly prohibits the shell user from interacting with physical app sandbox directories.
Attempt 3: The run-as Illusion
Android has a built-in debugging command designed specifically for this: run-as. It lets the shell assume the permissions of the target application.
run-as com.app cat /data/data/com.app/files/saves/some.save
Result: run-as: package not debuggable: com.app
Because the app's manifest had android:debuggable="false", the OS refused to grant the shell access.
Attempt 4: Modding the APK
If the app isn't debuggable, make it debuggable. I pulled the base APK to my Windows machine, fired up WSL, and used Apktool to decompile it. I injected android:debuggable="true" into the AndroidManifest.xml, rebuilt it, and signed it with a debug keystore.
To avoid signature mismatch errors (which would require uninstalling and losing the save file), I even cloned the app by changing the package name to com.app.debug so I could install it side-by-side and try to push the save file into the clone's directory.
Result: cat: permission denied.
Even pushing data into an open, debuggable clone was blocked by the overarching SELinux filesystem locks.
Attempt 5: The adb backup Betrayal
While looking at the decompiled manifest, I noticed a beacon of hope: android:allowBackup="true".
Perfect. I connected my phone to my PC and ran a native ADB backup command via WSL:
adb backup -noapk com.app -f game_data.ab
The prompt appeared on my phone, I clicked "Back up my data," and a file was generated. I used dd, zlib-flate, and tar in WSL to strip the 24-byte Android OS header and unpack it:
dd if=game_data.ab bs=1 skip=24 | zlib-flate -uncompress | tar -xvf -
Result: 525 bytes copied... tar: This does not look like a tar archive.
A 525-byte file means it’s empty. Android 16 introduces an aggressive background security layer that blocks backup streams for side-loaded apps or apps with high SDK restrictions. The OS literally lied—it accepted the backup request, drew the UI prompt, and then silently aborted the stream right after writing the header.
Attempt 6: Forcing the Migration Engine
If adb backup is blocked, maybe the internal migration engine works. I went back into rish to force the device's Backup Manager to dump the local transport payload.
bmgr transport com.android.localtransport/.LocalTransport
bmgr backupnow com.app
Result: backup is not allowed.
Front door, back door, side door—all welded shut.
The Grim Conclusion
After exhausting WSL pipelines, Shizuku shells, Apktool manifesting, and ADB protocols, the reality set in. Google has officially killed non-root app data access.
The rationale is "security." But when I purchase hardware, install an app, generate local data, and am systematically barred from moving a 1MB text file to a backup folder by the operating system, that isn't security. That is captivity.
If a developer doesn't explicitly build an "Export Save" button into their UI, your data will die on that device. For power users and developers, the message from Android 16 is clear: Root your device, or accept that you are just a guest on your own hardware.
Has anyone else hit this wall on Android 16? Are there any obscure binder exploits or PC-side loopbacks left, or is Magisk officially the only way out? Let me know in the comments.
Top comments (1)
Some comments may only be visible to logged-in visitors. Sign in to view all comments.