Superuser PIN Feature 

I'm genuinely confused by the PIN features offered in Superuser. It requires that you enter a PIN to use su. But, from what I can tell, it is security theater.

Me:
I enter a new PIN and confirm it. At this point, no one should be able to use su without the PIN.

Attacker:
Let's pretend I, the attacker, don't know the PIN. I want to bypass it.
So, I use su from an app, and the PIN request pops up. I don't know it.
I go into Superuser app settings and clear app data. The PIN protection is now wiped.
I can now use su.

Am I missing something here?

I'm asking because I was looking into implementing this, and realized that the existing solutions don't actually work in the first place. Not to mention that if the device's screen is unlocked (which is how the app that uses su was launched in the first place, and the PIN prompt shown), all bets are off anyway.
26 comments
 
Play Store PIN feature. End of story. :)
 
1. It keeps off stupid people that just want to mess with your device, or don't know what they are doing.
2. If the attacker wipes app settings you know that something wrong happened, so you can take appropriate measures to minimize damage.
 
In your Carbon Premium app everything works except when I open my phone's gallery app all of the icons are there in individual albums. Can you fix this?
 
I think it's more to protect certain apps from being used by certain people (kids maybe). It's just like the root password in Linux. Once you've got physical access, all bets are off.
 
From what I have seen, SuperSU does not keep the pin info in the application data where "clear app data" could wipe it.  Instead, it seems to have a dotfile in /system.  That's smarter since you would need root and a r/w system partition to clear it.
 
+Jeff Rebeiro True. I wonder if this is really necessary now that Android has multiuser support. PIN protect the admin account, and let the kids have their own account.
 
Ok, so from what I'm gathering, this is just to dummy proof access to superuser. It's not real protection, but still a legitimate use case.

Thanks for the feedback!
 
Unlocking so I can leave a comment for +Adam Shanks:

You'll want to use this flag on your application manifest:

        android:allowClearUserData="false"

That will fix the hole where an attacker can just wipe app data and access su.
This only works if the app is installed on /system, which it, of course, should be.
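As an added illustration that is not part of the original thread, here is where that flag sits in a minimal AndroidManifest.xml for a hypothetical su-manager app (the package name and activity name are placeholders); the commented-out form shows the default that leaves the PIN wipeable:

```xml
<!-- Added example, not code from the original post. Package and activity
     names are placeholders. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sumanager">

    <!-- Weak (default) setting: allowClearUserData defaults to "true",
         so Settings > Apps > Clear data erases the stored PIN.
    <application android:label="Superuser">
    -->

    <!-- Hardened setting: the user can no longer clear this app's data
         from Settings. Honored only for apps installed on /system. -->
    <application
        android:label="Superuser"
        android:allowClearUserData="false">
        <activity android:name=".PinPromptActivity" />
    </application>
</manifest>
```

As the comment above notes, the attribute is only respected for system apps, so an su manager installed as a regular user app gains nothing from it; the PIN store also remains clearable by anyone who already has root and a writable /system.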
 
+Koushik Dutta Bug .. feature .. whatever it is, if you never leave your smartphone lying around unlocked, it's completely unnecessary. Not sure what (or if) Google was thinking there. ;-)
 
+Frank Rehse I'd wager to say that the vast majority of the Android population (at this point) leaves their phones laying around unlocked.
 
+Joshua Collins Probably true. :) In this case just take the phone, delete play store cache and data and buy a few really expensive apps. Lock phone with a pin so the 15 min return policy timeout will run out. 
Expert trolling*, useless security-feature-style. ;-)

*May lead to jail time and/or bodily harm.
 
Recently the play store has been prompting me for my password on each purchase, so that might not work anymore
 
+Frank Rehse The PIN feature of the Play store is intended to stop your kid from buying in-app purchases in games. Google added it hastily after some bad press from disgruntled parents...
 
Can the device administrator option prevent the clear cache?
I thought that was what was happening with WaveSecure: if you try to clear cache or uninstall without the PIN, it blocks.
 
+Koushik Dutta Another workaround to prevent the user from clearing the app data could be setting android:manageSpaceActivity in the manifest and implementing a corresponding Activity?
 
Clearing data for SuperSU doesn't remove the PIN, I just tried it. 
 
No... I wouldn't recommend using it again until the initial problem was solved between both or all parties involved. There may be another fake to prepade the loading as the first one did. That would and could wreak havoc... it does.