Or what is the exact mechanism behind this in Android? I have been using GNU/Linux for many years so I understand the original concept and would not want every app to have root privileges.
The Superuser app allows you to accept & deny all root apps. You can also choose to always allow certain apps, but you don't have to.
I don't quite understand this. Who gives the apps the privileges? I suppose the Superuser app is only the frontend for some system service. And does it work as a white list or as a black list? Meaning: Does every app get root privileges by default on a rooted phone, or do I have to manually give root privileges to desired apps while the rest don't even realize they're on a rooted phone?
By default, apps are denied root privileges. If I restore an app that runs as root in the background - along with its data - the app won't work until I launch it & grant it superuser permissions. Droidwall is a good example of this. Droidwall works by denying or allowing 3g and/or wifi access to apps based on your input. It does this by changing the iptables. If I flash a new ROM & restore with Titanium Backup, I usually forget that Droidwall isn't doing its job until I notice ads in an app that isn't supposed to connect. Once the app is launched & I choose to apply the rules, Superuser prompts me to allow the changes. If I do not make a choice within 10 seconds, SU automatically denies the root request.
In short, an app will never run as root (aside from superuser itself, if that counts) without you first allowing it. Also be aware that most everyday apps will never ask for root access as they don't need it to run. Only apps that are making changes to the system (reading or writing) will need root access. As far as accessing your contact data & other stuff you may worry about, any app can do that if it has permission (not root) to do so. When you first install an app, you will see a list of permissions - usually an app needs those permissions to run and there's nothing to worry about.
OK, thanks, I understand it more now. What would happen if I didn't install Superuser? Is there a built-in daemon for superuser privileges?
Don't fight the powers that be. Install superuser. You need it.
I'm pretty sure you'll get error messages from most root apps. I could be wrong, though. Next time I'm about to flash a new ROM, I'll remove Superuser after I do my backup, just because I'm curious. I'm pretty sure that Superuser or an alternative - if one exists - is necessary. I know the ability is there in the os, but I would think that it would need some kind of vehicle (such as an app) to relay the information. I certainly hope apps wouldn't automatically be granted root privileges, but I'm not sure. It's an interesting question, though.
Roms come pre-loaded with Superuser, and any auto-root method does as well. You would only be without it if you root manually, stay on stock, and choose not to push the app. Or, I guess, if you choose to remove it.
Disclaimer: This is for testing purposes only. I do not condone breaking company policy, or breaking any laws. I am not responsible for you getting fired as a result of you making these modifications. You should always read and abide by company policies and any laws pertaining to such modifications. Use of this tutorial is at your own risk.
Preface: I have tested the new method on multiple devices and it has been flawless so far.
UPDATE: I have found a new method that so far has been flawless across multiple devices so far for me. With this new method you won't even have MobileIron installed when you're done! I have tested this on my Galaxy Nexus, My Nexus 7 and my Galaxy Note II and believe it should work regardless of device. Your company may have different security policies than mine so it's possible this may not work for you.
The easiest way to do this is with one of mskip's toolkits, but it can also be done manually with adb (must have the latest sdk).
Toolkit Method
0. Make sure you have MobileIron and Touchdown installed, configured and syncing. Your phone does NOT have to be rooted to do this.
1. Download mskip's Toolkit Here and install.
2. Make sure you have the adb drivers for your phone installed on your computer and android debugging is turned on in the developer settings on your phone.
3. Open the toolkit and connect your phone to your computer
4. It shouldn't matter what model phone you choose for the purpose of what we're doing, and the options may be slightly different based on which toolkit you download
5. Choose the option backup and restore your device
6. Choose backup all installed apps
7. Choose do NOT include system apps in the backup
8. Choose backup apk's AND respective app data
9. Choose do NOT back up internal storage data in backup
10. Wake your phone and it will ask you to start the backup, choose to do so
Once it is finished you will need to wipe your phone. It may work without wiping and just uninstalling touchdown and Mobileiron before proceeding to the next section, but I haven't tested this.
11. Connect your phone to your computer and enable android debugging
12. Browse to C:\Galaxy Nexus Toolkit (or whatever the name of your toolkit is under c:\)
13. Open the folder backups and rename the backup file to backup.bak. (if you don't see the file extension just name it backup)
14. Open the toolkit and choose a model
15. Choose Backup and Restore
16. Choose Restore apps from a backup file
17. type backup.bak and press enter
18. Wake your phone and choose to begin the restore
19. When it's finished, uninstall mobileiron, open touchdown and see if it syncs!
ADB Method
adb backup -all -system -shared -apk
recovery> backup, wipe, flash rom, flash gapps, reboot
adb restore backup.ab
Requirements For ICS:
1. Rooted Android Phone running ICS based ROM
2. Titanium Backup (app installed)
3. Hide my Root (app installed)
4. Mobileiron (app installed but never run)
5. Touchdown (app installed but never run)
Instructions for ICS:
0. Make a Nandroid backup
1. Open Hide my Root
2. Choose hide SU binary
3. Press home
4. Menu, settings, apps, all apps
5. Choose Superuser.apk
6. Choose disable
7. Now open mobileiron and configure the settings per your company's instruction.
8. Set up your email in the Touchdown application and let it sync everything.
9. Open Hide my Root and choose restore SU Binary
10. Go back to menu, settings, apps, Superuser.apk and choose enable. (It's at the bottom when disabled)
11. Open Titanium Backup
12. Choose backup/restore from the top
13. Scroll to Mobileiron and tap it and choose freeze.
14. Profit
Now restore your nandroid backup before you get in trouble.
**Update** for Jelly Bean
It seems the builds out there for Jelly Bean use a new version of SuperUser that as of yet isn't compatible with Hide My Root. I wrote the developer of Hide My Root and he is looking into this but currently doesn't have a device running Jelly Bean to test on, so I took it upon myself to figure this out once again. I tested this and it does work. Again this was tested on a VZW Galaxy Nexus only.
Instructions for Jelly Bean:
0. Make a Nandroid backup!
1. Download MobileIron (App installed but never run)
2. Download Touchdown (or any apps that depend on MobileIron and do not launch them)
3. Download Titanium Backup (You may need the premium version to freeze apps)
4. Download SuperSU flashable zip from HERE and place on your SDcard.
5. From the app drawer launch SuperSU (that app already installed, not the zip you just downloaded)
7. Swipe 2 screens to the right to Settings
8. Choose Full unroot.
9. Install and configure MobileIron and dependent apps and let them fully sync.
10. Enable Airplane Mode
11. Reboot to recovery and flash the SuperSU zip you downloaded
12. Boot into Android, open Titanium Backup and freeze MobileIron
13. Turn off Airplane Mode
14. Profit
Now restore your nandroid backup before you get in trouble.
After a reboot all of the lockscreen options will reappear allowing you to have an insecure lockscreen.
This is great
You just saved me hours of frustration.
Thanks!
Thanks - this is a huge help!!
Question: does this work only with Touchdown, or any Android email client? (I prefer the app Enhanced Email).
SoCalNewb said:
Thanks - this is a huge help!!
Question: does this work only with Touchdown, or any Android email client? (I prefer the app Enhanced Email).
I have only tested this as posted. Make a nandroid backup and play around with it
How to re-enable superuser?
Made a nandroid backup. Followed instructions below. Works great, now I can synch email with MobileIron fortified corp server AND change the PIN lock requirement that MobileIron required! Thank you
Only one issue: I couldn't complete step 10 ("Go back to menu, settings, apps, Superuser.apk and choose enable"). Superuser was no longer in the "All" list under menu, settings, apps. As a result, I seem to have lost the ability to grant root access to new applications.
QUESTION: How do I re-enable superuser?
Notes:
- ADB: I can connect to device via ADB, but if I type "adb shell", and then type "su" at the "sh-3.2#" prompt, no $ access is granted.
- Terminal Emulator: TE cannot get root (I type "su" at the "sh-3.2$" command, and TE says "Permission denied")
- Root Access - Old Apps: Any apps that previously had root privileges still do (Root Explorer can navigate to "/" and enable "Mount R/W", Wifi Tether still works, etc).
- Root Access - New Apps: New apps requiring root are not able to get root (no superuser prompt comes up)
- Re-Installing Superuser.apk: I tried using root installer to re-install superuser.apk (in the "/system/app" directory). It said it installed successfully, but still no superuser in the "All" list under menu, settings, apps.
- Re-Rooting: I tried re-rooting (using mskip's excellent GNEX toolkit HERE), to no avail (process completes, but no superuser access).
If anyone can help me troubleshoot I would be extremely appreciative. I've tried to not be a helpless newb and to try a few fixes (above), but I would be ecstatic if one of XDA's Android ninjas could tell me how to re-enable superuser. Hoping to avoid comments of "restore nandroid backup and give up"
bhilgeman said:
1. Open Hide my Root
2. Choose hide SU binary
3. Press home
4. Menu, settings, apps, all apps
5. Choose Superuser.apk
6. Choose disable
7. Now open mobileiron and configure the settings per your company's instruction.
8. Set up your email in the Touchdown application and let it sync everything.
9. Open Hide my Root and choose restore SU Binary
10. Go back to menu, settings, apps, Superuser.apk and choose enable.
11. Open Titanium Backup
12. Choose backup/restore from the top
13. Scroll to Mobileiron and tap it and choose freeze.
SoCalNewb said:
Made a nandroid backup. Followed instructions below. Works great, now I can synch email with MobileIron fortified corp server AND change the PIN lock requirement that MobileIron required! Thank you
Only one issue: I couldn't complete step 10 ("Go back to menu, settings, apps, Superuser.apk and choose enable"). Superuser was no longer in the "All" list under menu, settings, apps. As a result, I seem to have lost the ability to grant root access to new applications.
QUESTION: How do I re-enable superuser?
Notes:
- ADB: I can connect to device via ADB, but if I type "adb shell", and then type "su" at the "sh-3.2#" prompt, no $ access is granted.
- Terminal Emulator: TE cannot get root (I type "su" at the "sh-3.2$" command, and TE says "Permission denied")
- Root Access - Old Apps: Any apps that previously had root privileges still do (Root Explorer can navigate to "/" and enable "Mount R/W", Wifi Tether still works, etc).
- Root Access - New Apps: New apps requiring root are not able to get root (no superuser prompt comes up)
- Re-Installing Superuser.apk: I tried using root installer to re-install superuser.apk (in the "/system/app" directory). It said it installed successfully, but still no superuser in the "All" list under menu, settings, apps.
- Re-Rooting: I tried re-rooting (using mskip's excellent GNEX toolkit HERE), to no avail (process completes, but no superuser access).
If anyone can help me troubleshoot I would be extremely appreciative. I've tried to not be a helpless newb and to try a few fixes (above), but I would be ecstatic if one of XDA's Android ninjas could tell me how to re-enable superuser. Hoping to avoid comments of "restore nandroid backup and give up"
When you disable superuser.apk in the apps list it moves it from the alphabetical order to the bottom of the apps list. Look there and see if it's at the bottom of your apps list.
bhilgeman said:
When you disable superuser.apk in the apps list it moves it from the alphabetical order to the bottom of the apps list. Look there and see if it's at the bottom of your apps list.
YOU ARE THE MAN.
That was so simple, but I spent an hour trying stuff and still missed it
My Android experience is back to awesome despite Mobile Iron - THANK YOU!!!!
Thanks for that. Great idea.
I followed your instructions but I had to switch 9 and 10 because Hide my root cannot restore a deactivated app.
But my TouchDown says "Synchronization Error" --> access denied (update your password). Maybe too strong policies?
And by the way: you have to use Titanium Backup PRO to enable or disable apps
---------------------
Edit: I made a system application of "Hide my root" with TI Backup - works. I had to uninstall TI Backup now - currently TouchDown is syncing again. We will see if it works, next: I try to use LBE Privacy Guard... will report. Disabling "MobileIron" seems not to be working for me...
Hey, is it not possible to solve it on the 2.X version of Android? Thanks...
OP Updated to reflect Changes for those running JellyBean. Long live the Android experience!
bhilgeman said:
The SU change needed for JellyBean makes this previous method unusable. I did however figure out how to still get to the same result if you're running JellyBean.
I will do an update to the OP soon to reflect this.
Looking forward to the instructions for making this work on JB
SoCalNewb said:
Looking forward to the instructions for making this work on JB
OP updated for JB instructions.
Sorry, I haven't tested this on a 2.x build so I'm not sure. If I get time I'll try to test this for you, I'm just super slammed with projects right now...
Will we appear "normal" on the Server that the app links us to our Corp acct??
Yes, you will appear as a non rooted phone. I just updated the JB instructions again. Realized I left out a step.
Anyone test this for Airwatch yet?
FWIW.....my experience has shown this to be merely a temporary solution, by itself. Yes...following the JB instructions will allow you to sync up just fine. But.....when mobileiron does not report back as device administrator, the red flags go up. My solution, thus far, has been to suspend root access on the phone, after reactivating mobileiron. In my case, after re-activating mobileiron, the app, itself, now FC's, which may be helping me out....not sure. At this point I seem to be able to continue remaining synced, without root access. As long as I use airplane mode before enabling root access to do root-type stuff, I seem to be fine. Word of caution, though....disabling root, seems to screw up TB when I re-enable root. Specifically...even though I have TB pro, it does not register after re-enabling root, so freezing and unfreezing mobileiron at will has not been possible. Could just be my system though. I recommend using airplane mode liberally if there is any doubt regarding your recognized root/non-root status. This definitely changes how I use the device, though, for sure.
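From the administrator's side, the condition described in the post above (mail keeps syncing while the management agent stops reporting, or stops reporting as device administrator) can be found by correlating the two logs. This is an added example, not code from the thread or from MobileIron; the record layout, the reason labels, and the 24-hour threshold are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Assumed policy threshold: how long an agent may stay silent while the
# same device is still syncing mail before it is flagged for review.
MAX_AGENT_SILENCE = timedelta(hours=24)

# Constructed sample data (hypothetical layout, not a real MDM export):
# (device id, check-in time, agent reports itself as device administrator)
AGENT_CHECKINS = [
    ("dev-a", "2012-11-01T08:00:00", True),
    ("dev-a", "2012-11-03T08:00:00", True),
    ("dev-b", "2012-11-01T08:00:00", True),
    ("dev-c", "2012-11-03T07:00:00", False),
]
# Constructed sample data: (device id, time of a successful mail sync)
MAIL_SYNCS = [
    ("dev-a", "2012-11-03T09:00:00"),
    ("dev-b", "2012-11-01T09:00:00"),
    ("dev-b", "2012-11-03T10:00:00"),
    ("dev-c", "2012-11-03T07:30:00"),
    ("dev-d", "2012-11-02T12:00:00"),
]


def latest_checkins(checkins):
    """Return {device: (time, is_admin)} for each device's newest check-in."""
    latest = {}
    for device, ts, is_admin in checkins:
        when = datetime.fromisoformat(ts)
        if device not in latest or when > latest[device][0]:
            latest[device] = (when, is_admin)
    return latest


def latest_syncs(syncs):
    """Return {device: time} for each device's newest mail sync."""
    latest = {}
    for device, ts in syncs:
        when = datetime.fromisoformat(ts)
        if device not in latest or when > latest[device]:
            latest[device] = when
    return latest


def find_unmanaged_syncers(checkins, syncs, max_silence=MAX_AGENT_SILENCE):
    """Flag devices that sync mail without a healthy, recent agent check-in."""
    agent = latest_checkins(checkins)
    findings = {}
    for device, last_sync in latest_syncs(syncs).items():
        if device not in agent:
            # Mail access from a device the agent never reported on.
            findings[device] = "never_checked_in"
            continue
        last_checkin, is_admin = agent[device]
        if not is_admin:
            # Agent is present but no longer holds device-admin rights.
            findings[device] = "device_admin_missing"
        elif last_sync - last_checkin > max_silence:
            # Mail is newer than the agent's last report by too much.
            findings[device] = "agent_silent"
    return findings


if __name__ == "__main__":
    results = find_unmanaged_syncers(AGENT_CHECKINS, MAIL_SYNCS)
    for device, reason in sorted(results.items()):
        print(device, reason)
```

The comparison is made against each device's latest mail sync rather than the current time, so a device that is simply switched off is not flagged.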
makelegs said:
FWIW.....my experience has shown this to be merely a temporary solution, by itself. Yes...following the JB instructions will allow you to sync up just fine. But.....when mobileiron does not report back as device administrator, the red flags go up. My solution, thus far, has been to suspend root access on the phone, after reactivating mobileiron. In my case, after re-activating mobileiron, the app, itself, now FC's, which may be helping me out....not sure. At this point I seem to be able to continue remaining synced, without root access. As long as I use airplane mode before enabling root access to do root-type stuff, I seem to be fine. Word of caution, though....disabling root, seems to screw up TB when I re-enable root. Specifically...even though I have TB pro, it does not register after re-enabling root, so freezing and unfreezing mobileiron at will has not been possible. Could just be my system though. I recommend using airplane mode liberally if there is any doubt regarding your recognized root/non-root status. This definitely changes how I use the device, though, for sure.
I run your CM10 build on my nex7 and love it. Great to have navbar mods.
On my nex7 it took me a few tries to get it to stick but I finally got it. I hadn't updated a nightly for a couple weeks and when I did Mobileiron got me. I decided I don't care about getting work email on my tablet as much as I do my phone so no big deal. I freaking hate Mobileiron and touchdown nearly as bad.
On my galaxy nexus (running fitsnugly cm10) I don't have any issues. I flash the nightlies every day and I've gone a couple months without Mobileiron flagging me.
Sent from my Nexus 7 using xda app-developers app
bhilgeman said:
I run your CM10 build on my nex7 and love it. Great to have navbar mods.
On my nex7 it took me a few tries to get it to stick but I finally got it. I hadn't updated a nightly for a couple weeks and when I did Mobileiron got me. I decided I don't care about getting work email on my tablet as much as I do my phone so no big deal. I freaking hate Mobileiron and touchdown nearly as bad.
On my galaxy nexus (running fitsnugly cm10) I don't have any issues. I flash the nightlies every day and I've gone a couple months without Mobileiron flagging me.
Sent from my Nexus 7 using xda app-developers app
Skanklove!
I was completely under the radar, due to some corporate user configs, until I screwed up and raised the red flag. Then I had to encrypt, and install mobileiron. I was perfectly happy with touchdown until mobileiron got involved. I don't want work email on any device other than my work phone (toro). I can still run email without mobileiron, but no activesync and no email attachments......meh
Steps on ICS
Hello,
I am new to using mobileiron, as my corporation just started to use this program. Can I use your steps on ICS and keep my root undetected or will I eventually have issues. Last question, why is it necessary to restore your nandroid backup at the end?
Hi, I have used root on all my devices for a long time, but now I'm 41 years old and no longer interested in this.
I use root "now only" for:
1) call recording (BCR);
2) Swift Backup;
3) ReVanced.
So, the call recorder seems to be installable without root too: just put the APK in the system app directory!
... but how can I move an APK into the system directory without root or TWRP, and with a locked bootloader?
Can Swift Backup work without root? I don't remember, but I can search.
ReVanced isn't a problem; I can use it with microG.
----
Any help with my doubts?
I want to try this also because the VPN does not work, and after months of emails with support it "seems" it can be related to the unlocked/rooted device.
I just want to try.
Ty.
Without root, Swift Backup can backup app APK files, but not the app data. It does allow you to grant adb permissions through Shizuku, but I never figured out what [if anything] that allows it to do. I wasn't able to backup app data with ADB privileges.
I don't know the answer to the Call Recording issue.
lupastro82 said:
Hi, I have used root on all my devices for a long time, but now I'm 41 years old and no longer interested in this.
I use root "now only" for:
1) call recording (BCR);
2) Swift Backup;
3) ReVanced.
So, the call recorder seems to be installable without root too: just put the APK in the system app directory!
... but how can I move an APK into the system directory without root or TWRP, and with a locked bootloader?
Can Swift Backup work without root? I don't remember, but I can search.
ReVanced isn't a problem; I can use it with microG.
----
Any help with my doubts?
I want to try this also because the VPN does not work, and after months of emails with support it "seems" it can be related to the unlocked/rooted device.
I just want to try.
Ty.
I imagine that, once you move that .apk to the system app directory (while rooted), once you unroot, it should still stay there and probably be accessible; but I'm unsure whether successfully running it will be possible -- it depends on the call recording app and if the app requires root to run. If it doesn't and it simply needs root just to be inserted, then I imagine it would probably work if you unroot.
But I have never heard of this method of getting a mod or add-on to work by inserting it in the system app directory...it's fascinating...
Like you said, ReVanced doesn't necessarily need root to work; it just works better with it. Swift Backup will only in a basic way be able to back your device up without root access.
But if you are simply just trying to get a certain VPN to work -- and in the end you don't want to lose root -- you could try doing the numerous root-hiding methods. There are many games, banking apps, and streaming apps that won't work with root (without even giving you a warning that it's because of root detection sometimes) that, once you hide root successfully, are able to run it. It sounds like that could possibly be the case for your VPN.
There are these you can try (if you haven't yet); Zygisk Deny List, UniversalSafetyNetFix (Displax mod works best with P7P), Shamiko, HideMyApp, Magisk Delta, etc.
Also, please be aware (or reminded if you know already) that while unrooting will not wipe and reset your device, locking your bootloader requires wiping the device and you losing everything! You'll be able to get some stuff restored through Google One Backup/Sync, but most everything will need to be set back up and/or lost. And if all you are seeking is to get a VPN to work, I really highly doubt that the app/service goes so far as to detect if you have an unlocked bootloader; it seems there are some banking apps that go that far, but most apps out there don't go that far, and hearing a VPN does would be a first...
Good luck!
Just Google VPN. It has not worked for about two months, and it seems it can be a root/unlocked issue.
Anyway, u're right. Ty so much.