How does Android SuperUser app detect that an app requests root?

3

15

I'm writing an app that will use su to execute some commands in the Linux kernel. I was wondering how SuperUser figures out that the application is asking for root privileges? Also, are there any known ways (through obfuscation) in which this check can be bypassed?

In other words: How does Android/(SuperUser) know that an app requires root privileges despite the fact that there are no permissions explicitly requested in the Android manifest file?

I'm asking this question from a security standpoint. I want to know the details of how this works in order to be sure that a malicious app cannot bypass SuperUser.

Mooneye answered 30/10, 2012 at 12:22 Comment(0)
18

There are two parts to the superuser system - the superuser binary (su on the terminal) and the SuperUser.apk (Android app to manage apps using su). Looking at the source code of the su binary, when you request su access through

Process p = Runtime.getRuntime().exec("su");

it publishes an intent through the Android messaging manager that an application has requested superuser access.

sprintf(command, "/system/bin/am broadcast -a '%s' --es socket '%s' --ei caller_uid '%d' --ei allow '%d' --ei version_code '%d' > /dev/null", action, socket_path, ctx->from.uid, allow, VERSION_CODE);

The manager app listens for this intent and asks the user to handle the request (allow/deny).

Nogging answered 14/11, 2012 at 4:49 Comment(1)
According to your explanation, it seems su broadcasts a message asking for Superuser.apk to tell whether it should allow root access or not. So I'm wondering, what prevents another app from responding to that request instead of Superuser.apk? (which would be a huge vulnerability if that was possible, so I guess it's not; just curious) Also, what protection exists to prevent an app from requesting root under a false name? (i.e. malicious.apk requesting root under the name of awesome-root-only-app.apk to trick the user into giving access) - Musicology
16

When you run this:

Process p = Runtime.getRuntime().exec("su");

You are trying to execute "su", which only an app with superuser permissions can do! So whenever Android detects that you are trying to run "su", it will get that the app will need superuser permissions.

Also, Android has some areas reserved which only the Android system can access. If your app is trying to access something there, Android will understand that superuser is needed.

For example, say you are trying to modify the host file or modify some network configurations like DHCP, or you are trying to access files from the system area, e.g. /data. Android will check if the app has superuser permissions, and only then will it grant access to such things.

About malicious software: whenever an app needs superuser access, the system will prompt the user to grant or deny superuser permissions to the app. Only then can the app get root access. So it's up to the user to decide whether to accept or deny root access for any app. (The system will prompt the user every time an app is trying to access something that needs root access, UNLESS you tell the system to remember your choice of acceptance or denial for a particular app.)

PS: You might consider checking out the website for the Superuser app.

Clevelandclevenger answered 30/10, 2012 at 12:46 Comment(7)
And how/why does the Superuser app only act as Su rights provider? What makes it the one in charge? - Stephainestephan
@Waqas This might answer your question: androidsu.com/superuser Just explore the site. I will update the link in the answer. May be helpful to others. :) - Clevelandclevenger
Yes, I observed the behavior. But still, it is unclear as to how the 'SuperUser' app finds this. Is the SuperUser something like a monitor that checks the behavior of all the other apps that are running? - Mooneye
@Mooneye I would say it's more like a firewall. All su requests go through it. - Clevelandclevenger
The su binary does this for you: "The su binary is what other apps call when they need superuser rights. The binary checks the database maintained by Superuser.apk to determine if you have already granted rights to the requesting app, and if not tells Superuser.apk to display a prompt asking you for permission." - Neurath
@Waqas Well, as I mentioned, the Superuser app works more like a firewall. So all the su requests will go through it. When you root a device or install a ROM with root access, this is specified. You tell Android that the Superuser app is going to act as a su firewall from now on. (That's what MY understanding is. I would like to be corrected if I'm wrong.) - Clevelandclevenger
su simply calls superuser.apk. That's all. - Demott
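The flow described in this thread (the stored-decision lookup from the quoted comment, then the prompt broadcast from the sprintf line in the first answer), as an added C example that is not the su binary's or Superuser's own code. The grant table, UIDs, action name and socket path are constructed, the command line is shortened from the quoted one, and the quote check is an added hardening assumption.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Illustrative names throughout; not taken from the Superuser project. */
enum decision { DENY = 0, ALLOW = 1, ASK = 2 };
struct grant { uid_t uid; enum decision d; };

/* Constructed stand-in for the decisions the manager app stores. */
static const struct grant stored[] = {
    { 10057, ALLOW },   /* constructed app UID the user approved */
    { 10112, DENY  },   /* constructed app UID the user refused  */
};

/* Key the lookup on the kernel-reported UID, never on a caller-supplied name. */
enum decision lookup(uid_t caller) {
    for (size_t i = 0; i < sizeof stored / sizeof stored[0]; i++)
        if (stored[i].uid == caller)
            return stored[i].d;
    return ASK;   /* no stored decision: the user has to be prompted */
}

/* Build the prompt broadcast with a bounded write. Returns -1 if the result
 * would be truncated or if a field could break out of its single quotes. */
int build_broadcast(char *out, size_t len, const char *action,
                    const char *socket_path, uid_t caller) {
    if (strchr(action, '\'') || strchr(socket_path, '\''))
        return -1;
    int n = snprintf(out, len,
        "/system/bin/am broadcast -a '%s' --es socket '%s' --ei caller_uid '%u'",
        action, socket_path, (unsigned)caller);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

int main(void) {
    /* In a setuid-root binary, getuid() is still the real UID of the caller. */
    uid_t caller = getuid();
    char cmd[256];
    switch (lookup(caller)) {
    case ALLOW: puts("allow"); break;
    case DENY:  puts("deny");  break;
    default:
        if (build_broadcast(cmd, sizeof cmd, "example.REQUEST", "/tmp/example.sock", caller) > 0)
            puts(cmd);
    }
    return 0;
}
```

Because Android gives each installed app its own Linux UID and the kernel reports it to the setuid binary, the value in caller_uid is not something the requesting app chooses.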
6

Actually it's quite simple. Vanilla Android doesn't even have su or superuser. When you root the device you run a shell as root. Then you install the su binary and superuser.apk. After installing you set the shell back to its normal permissions. All these root-only apps can now call su to ask for root access.

When su is run it calls superuser.apk with a message asking you whether you want to elevate privileges. The su binary and superuser.apk are protected via Android's normal sandboxing. Note that once you give an app root privileges it's free to do whatever it wants, including overwriting su with its own version.

Illegal answered 14/11, 2012 at 4:31 Comment(0)
