How does Android SuperUser app detect that an app requests root?

asudhak picture asudhak · Oct 30, 2012 · Viewed 17.4k times · Source

I'm writing an app that will use su to execute some commands in the linux kernel. I was wondering how SuperUser figures out that the application is asking for root privileges ? Also, are there any known ways (through obfuscation) in which this check can be bypassed ?

In other words: How does Android/(SuperUser) know that an app requires root privileges despite the fact that there are no permissions explicitly requested in the android manifest file.

I'm asking this question from a security standpoint. I want to know the details of how this works in order to be sure that a malicious app cannot bypass SuperUser.

Answer

Checksum picture Checksum · Nov 14, 2012

There are two parts to the superuser system - the superuser binary (su on the terminal) and the SuperUser.apk (Android app to manage apps using su). Looking at the source code of the su binary, when you request su access through

Process p = Runtime.getRuntime().exec("su");

it publishes an intent through the android messaging manager that an application has requested for superuser access.

sprintf(command, "/system/bin/am broadcast -a '%s' --es socket '%s' --ei caller_uid '%d' --ei allow '%d' --ei version_code '%d' > /dev/null",action, socket_path, ctx->from.uid, allow, VERSION_CODE);  

The manager app listens for this intent and asks the user to handle the request (allow/deny).