25 Feb

Koushik Dutta, the author of ClockworkMod Recovery and such iconic Android apps as ROM Manager and, more recently, Carbon, has decided to tackle a new subject that is also very dear to the Android community - Superuser and root access control. Koush's latest app, now in beta and coming soon to the Play Store, is called simply ClockworkMod Superuser.

How Is It Different?

How does the new Superuser compare to the existing Superuser by ChainsDD and SuperSU by Chainfire, both very respectable root gatekeeper apps? There are indeed several important differences, the most important one being that Koush's Superuser is open source and free, with code available in his GitHub repo for thorough examination. Security by obscurity is generally frowned upon - an open-source implementation lets anyone examine the code for potential vulnerabilities and then responsibly disclose them to the author, hopefully before attackers find them.

ClockworkMod Superuser, while young, already seems very mature, with support for Android 4.2's multi-user implementation currently enabled on the Nexus 10 - something that the original Superuser app is still missing to this day and SuperSU added only yesterday. Koush is an incredibly fast developer, so you can expect fast iterations between releases.

I've spoken with Koushik, who has been criticized in the past for things like charging for additional features in paid apps, and he assured me that there would not be a paid/premium version of Superuser, which would go against the whole open-source principle. So put down your pitchforks in case you were starting to reach out for them.

Moreover, according to Koush, this Superuser app should eventually ship with ROMs, such as CyanogenMod. Sweet.

Another really good idea Superuser is trying to push is utilizing the native Android permissions system for declaring a special android.permission.ACCESS_SUPERUSER permission. It's purely informational, but would introduce a whole lot more transparency into whether a given app is going to request root access or not, which is great. Eventually, the strategy is to make such a permission mandatory. Here's the current thinking process, detailed in a recent Google+ post:

android.permission.ACCESS_SUPERUSER

Android has a way for apps to create and request various permissions via the AndroidManifest.xml file. This is how the list of permissions and features shown in an app's Google Play description is generated. Superuser should definitely be listed there. But currently, no such permission exists to be enforced, which is a terrible precedent:
You can download an app, and without your prior knowledge it can request Superuser access.

After talking with +Ricardo Cerqueira about this, we've decided on a strategy to ramp up and start enforcing this good practice.
0) Add a new permission with the Superuser, "android.permission.ACCESS_SUPERUSER".
1) The new Superuser will simply warn that the developer is not declaring "android.permission.ACCESS_SUPERUSER" in the manifest. (as seen below)
2) Add an option to Superuser to automatically deny Superuser access to apps that do not have this declared.
3) After 6 months, this option is enabled by default.
4) After 1 year, this is no longer optional (always on).

This is an insanely trivial change for an app to make, and will assist with the transparency of root apps on the market. So there's really no excuse for the developer not to do it!
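The rollout described in the post, sketched as an added example (not Koush's code and not part of the Superuser project): it reads a decoded AndroidManifest.xml and returns what a root gatekeeper would do with a request at each of steps 1 to 4. The function names, the phase numbering, the returned labels and the sample manifests are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESS_SUPERUSER = "android.permission.ACCESS_SUPERUSER"

# Constructed sample manifests (decoded text form, not the binary XML in an APK).
DECLARING = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.rootapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="{ACCESS_SUPERUSER}"/>
</manifest>"""
UNDECLARED = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.quiet">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """Names requested through <uses-permission> in a decoded manifest."""
    if "<!DOCTYPE" in manifest_xml:
        # Manifests carry no DTD; refuse one rather than expand its entities.
        raise ValueError("unexpected DOCTYPE in manifest")
    root = ET.fromstring(manifest_xml)
    attr = f"{{{ANDROID_NS}}}name"
    return {el.get(attr) for el in root.iter("uses-permission") if el.get(attr)}

def auto_deny_enabled(phase, user_option=None):
    """Is 'deny apps that do not declare the permission' in force?

    phase 1: warn only; phase 2: option exists, off by default;
    phase 3: option on by default; phase 4: always on.
    user_option is the user's toggle, None when left untouched.
    """
    if phase not in (1, 2, 3, 4):
        raise ValueError("phase must be 1..4")
    if phase == 1:
        return False
    if phase == 4:
        return True
    default = phase == 3
    return default if user_option is None else user_option

def gate(manifest_xml, phase, user_option=None):
    """Decision for an su request coming from the app with this manifest."""
    if ACCESS_SUPERUSER in declared_permissions(manifest_xml):
        return "prompt"                      # declared: normal grant dialog
    if auto_deny_enabled(phase, user_option):
        return "deny"                        # undeclared and enforcement is on
    return "prompt-with-warning"             # undeclared: warn the user
```

The same `declared_permissions` check is useful on its own when reviewing an app before install: an app that calls `su` but does not list the permission gives the user no notice in its permission list.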

Koush goes on to explain his reasons for creating Superuser further:

Some of you are probably wondering why I'm rewriting Superuser.

  • Superuser should be open source. It's the gateway to root on your device. It must be open for independent security analysis. Obscurity (closed source) is not security.
  • Superuser should be NDK buildable. No internal Android references.
  • Superuser should also be AOSP buildable for those that want to embed it in their ROM.
  • Maintenance and updates on both the market and source repositories should be timely.
  • I want to be able to point users of my app to a Superuser solution that I wrote, that I know works, and that I can fix if something is wrong. Yes, this is selfish: Carbon does not work with some versions of Chainsdd's Superuser. SuperSU works great, but I am not comfortable pointing a user to a closed source su implementation.
  • Handle multiuser (4.2+) properly
  • Handle concurrent su requests properly

Features

And now for the full feature set present in the current beta:

  • Multiuser support
  • Open source
  • Free
  • Leverages Android's permission model
  • Logging (and per app logging)
  • Pretty UI
  • PIN Protection
  • Request Timeout
  • Customize notifications
  • x86 and ARM support (The superuser.zip above is for both ARM and x86. Don't ask how I did that. Magic.)
  • Handle concurrent su requests properly
  • NDK clean

Download

For now, you can install the new Superuser by going through ROM Manager's ClockworkMod section or flashing it manually. After the beta period is over, the app will be available in the Play Store, which we will, of course, announce. More details are available here.

Source: +Koushik Dutta [1] [2] [3]

Artem Russakovskii
Artem is a die-hard Android fan, passionate tech blogger, obsessive-compulsive editor, bug hunting programmer, and the founder of Android Police.
Most of the time, you will find Artem either hacking away at code or thinking of the next 15 blog posts.

  • http://twitter.com/IamPeePay Tomáš Petrík

    +1, Like, Favorite... Whatever, nice work Koush!

    • http://www.androidpolice.com/ Artem Russakovskii

      +Bacon.

      • http://twitter.com/IamPeePay Tomáš Petrík

        Eh... some hidden meaning? :)

        • http://www.androidpolice.com/ Artem Russakovskii

          Bro, do you even HOLO?

          • http://twitter.com/IamPeePay Tomáš Petrík

            Sorry, no clue :)

          • http://twitter.com/_Primey0 Brian

            The fuck are you on about?

          • http://www.androidpolice.com/ Artem Russakovskii
          • CuriousCursor

            The worst Android subreddit ever.

          • http://www.androidpolice.com/ Artem Russakovskii

            That's like totally your opinion, man.

          • mgamerz

            Lay off the roofies Artem!

          • MistiXF

            Right on, Chong!

          • RB

            You're literally HTC.

            YOU PROBABLY DOESN'T EVEN #FF335B5

          • http://www.facebook.com/profile.php?id=100000007203733 Anthony Nedumgottil

            Sigh, I thought we had a new Nexus Warrior here.

  • Masan

    The nice icon is reason enough for me to uninstall the su app I'm using right now.

    • http://codytoombs.wordpress.com/ Cody Toombs

      The instant I loaded this article I noticed that it looked very nearly identical to one that was submitted to Chainfire when he announced his plan to change the icon for SuperSU.

      • http://danielbrierton.ie Daniel Brierton

        Possibly submitted by the same person. He requested an icon a week ago. https://plus.google.com/103583939320326217147/posts/JxitsxZwPeG

        • http://codytoombs.wordpress.com/ Cody Toombs

          I was assuming that since Koush has taken icon submissions in the past. I remember the icon because it was one of the 3 I voted for, but I think it was missing the iOS-ish border previously.

    • http://profiles.google.com/marcusleejh Marcus Lee

      I suggest you ensure you take all the necessary steps to do a complete uninstall. I'm no expert but I know SU apps can conflict with each other.

  • http://twitter.com/TwinShadow_SH Ryan

    I've liked using Superuser by ChainsDD due to the open-source nature. Not that SuperSU is bad or anything, but I just don't prefer its interface and with no updates to Superuser in quite a while, I think changing to this may be an option. I'll wait for it to hit the play store, but once it does, perhaps I'll give it a go on my N7 and see how it works for me.

  • armshouse

    I hope the new permission that he's suggested picks up traction. Really nice and simple idea. Maybe someone could then develop some sort of play store that automatically filters for root apps rather than having to dig through searching for them.

    • akshay7394

      If I'm not wrong, Koush himself is working on a "Cyanogen Market."

      Basically a market for all root apps (and possibly for open source apps as well,) which I think he wanted to include into the CM series. Not sure what's happening with that though.

    • blunden

      By having rooted ROMs add a feature XML file in /system/etc/permissions and have root apps declare that feature as a requirement you could automatically have the Play Store filter them out on non-rooted devices.

      You seem to want sort of the opposite though. What would be the point of searching for root apps instead of just an app with the feature you want?

      • armshouse

        Sometimes I don't know the feature I want until I see it. I want to search for the fancy stuff that crazy developers build with root! Finding new stuff that I never even thought about or even thought was possible is what I get excited about.

    • Mike Reid

      It should, no problem. Took me a few seconds to set this new permission in my root apps.

      Getting SU/root stuff to work in the first place is the hard part, not this.

      I've wanted this feature for a while. I wish Google had/will support it. As it is now, you have to put "NEEDS ROOT !!!" etc in your app description and still people don't notice.

      • omegavesko

        Eh, people won't notice if it's a permission, either.

  • coversnails

    Do any other apps have pop-up dialog boxes in Holo White? It looks a bit weird on those screenshots.

    • EH101

      Though I agree that it looks weird, white pop ups make sense since they grab your attention easily against the dimmed background. Hopefully this will be a user selectable option.

    • blunden

      The MMS app has it at least.

  • barnassey thomas

    I suggest people, before they use this, read up on why this new superuser was made. Koush made this without even giving chainfire a chance to go open source with his app. Oh yeah, might I add this all happened while chainfire was on vacation? So "I" for one won't be using this even though it is open source. Koush ought to be ashamed of himself, when clockworkmod didn't start out as open source.

    • Aadhish Hotshot

      You chainfire's PA??? ... For feeling that he should be ashamed. He is doing a great work... So stfu...

    • EH101

      SuperSU has been out for quite some time now. There were rumblings by some developers about it not being open source when it first hit the play store. If chainfire wanted it open source, he had more than enough time to make it so.

    • omegavesko

      Who gives a damn? Nobody owes Chainfire anything. It's not like SuperSU is a new product, if Chainfire wanted to make it open-source, he would've done it long, long ago.

      How do you even know Chainfire was on vacation at the time?

      • http://codytoombs.wordpress.com/ Cody Toombs

        Chainfire posted about it on Google+. It wasn't snarky or hateful.

        There is some bad blood between them, which is surely the origin of some negative comments in both directions. I'm not taking sides in this, but I'm not particularly surprised that the announcement happened to occur when it did. For anybody who's been following along, it's not the first time that something like this has happened.

    • http://twitter.com/TwinShadow_SH Ryan

      Like the others, Chainfire's SuperSU has been out for a good long while now. It is not new or anything. If you don't want to use Koush's app, go for it, you can use whichever app you want as no one is stopping you. I have not heard of any intentions of Chainfire remotely considering of open-sourcing the SuperSU code, making this all a moot point to begin with. Either way you look at it, use whatever app you want, no one forces you to use App A over App B.

    • blunden

      Koush developed the first superuser app back in the G1 days. This is just a large update/rewrite of that app with some rather important improvements.

      Clockworkmod recovery has been open source as part of CM for quite a long time, even if many people didn't know it. The only part that currently isn't is the touch code. There is open source code that you can use as a replacement that builds cleanly with the rest of the code though.

      Koush is also the one who temporarily fixed the fork of ChainsDD's Superuser we currently use in CM back when 4.2 was released.

    • armshouse

      lol so he's only allowed to develop and release an app according to 'competitors' calendars? That's one of the oddest things I've ever heard!!

      Seriously, whether chainfire was given an opportunity to go open source or not, or whether he's on vacation or not, who cares!

  • http://twitter.com/krismo5 krismo

    Nice! I hope we can start seeing it in CM11.

  • http://www.facebook.com/people/Nicholas-Snowdeal/627272243 Nicholas Snowdeal

    I wish Koush would answer my emails and give me the key for touch recovery that I paid for.

    • epsiblivion

      you could just download it from xda and flash it manually. it's literally one command in the terminal

  • mgamerz

    God forbid he charges for premium features... ! Everyone knows he has money trees in his backyard that he shakes when he needs money.

    Sometimes I wish people who used Android weren't so cheap... Would make a lot more incentive to develop apps.

  • fixxmyhead

    Meh. I don't really care, all these super user root apps all do the same.

  • http://twitter.com/graffixnyc Patrick Hill

    He will find someway to add a paid option in there...

  • Matthew Fry

    Several jabs at CF... I've really liked SuperSU- CM10.1 is bundled with Superuser and I don't like it.

    • blunden

      Apart from the justified jab of SuperSU not being open source I don't really see any jabs at either it or Chainfire. On the contrary it is mentioned as fixing some problems ChainsDD's app has.

      We will not bundle a closed source superuser app in CM if we can avoid it. The reasons for not doing so should be fairly obvious.

  • http://www.facebook.com/wesley.modderkolk Wesley Modderkolk

    Tried it on my Galaxy S2 with the latest CM10.1 nightly. Flashed it in CWM (I'd assume that is the correct way, right?).

    Pretty much everything went to hell, I noticed a bit of a reduction in speed, I got a few weird things happening on the screen (could just be a CM10.1 bug) with wallpapers not aligning properly, the notification bar was flickering etc. etc.

    Also when finally using the superuser app, it worked properly, until I got to the first time granting root permissions(AdFree For android), it just kept on asking for root permissions, while I already granted it like 50 times.

    Could all be just CM10.1 bugs, but I think I'll wait for a more stable version

    • armshouse

      I found there's a bug that doesn't grant root access permanently if you've set a pin. Have you set a pin? If so, unset it and it'll grant root

      • http://www.facebook.com/wesley.modderkolk Wesley Modderkolk

        Ah yes, I did set a pin. Maybe I'll check it again later

  • JG

    Just to confirm.... All I have to do is uninstall the SU app I have on my device now, just like I would any other app, and then install the new SU app, again just like any other install.... There's nothing I need to do to associate the app with root requests or anything like that....right?

  • flibblesan

    Actually, ChainsDDs Superuser IS open source - this is why it's included in CyanogenMod. All the code for it can be found on Github https://github.com/chainsdd

  • http://twitter.com/klepto_chris Tekkie

    Installed the app but when I 1st run it on CM10.1 it asks to update the SU binary via either Recovery or just "install". What is this?

  • http://www.facebook.com/maria.georg.108 Maria Georg

    Koush's Superuser NEVER failed me! I'm wondering why the kernel developers continue to put that shit from ChainsDD that gives to me all the time problems and stops working!
