SuperSU v2.74 BETA: Samsung Security Policy Updates, and N Preview 3

Let me just start off by noting that SuperSU v2.74, as well as the previous version 2.72, are fully compatible with Android N Preview 3. So if that is all the information you were looking for, there you have it.

Samsung Security Policy Updates

A few days ago many Samsung users suddenly lost root after their devices received a security policy (SELinux) update. As was to be expected, many posts followed about the evils of Samsung and their breaking of root on purpose. Of course the reality of the situation is far less dramatic: any security policy update using this mechanism would have broken root, regardless of the content of said update.

This issue has been expected to occur for quite some time, but Samsung had not previously pushed this type of update widely enough for it to be caught and analyzed.

Now that I've finally been able to play with it, this new version of SuperSU blocks these policy updates completely, and keeps you on the SELinux policy version embedded in the boot image (with SuperSU's modifications).

There are several reasons why the update is blocked, rather than patching it with SuperSU's needed changes:

- Samsung's policy updates are loosely based on provisions inside AOSP to do exactly this, but they have modified it enough that it has become non-standard, and other OEMs may have done the same. As such there is no easy generic way to reliably catch and modify these updates across the board before they are applied.

- It is my understanding that the security policy update mechanism in AOSP has been deprecated as of N, probably in favor of just updating the boot image altogether (which includes these policies) via the now monthly OTA (and future seamless?) updates. Keeping that in mind, writing a bunch of extra code just to catch this edge case that will probably not be relevant for more than a few months seems like a waste.

Fixing lost root due to the security update

In theory, fixing root is as simple as flashing the new SuperSU v2.74 BETA ZIP file in TWRP, or using the updated CF-Auto-Root for your device.

In practice, this will not work for a fair share of users. If you have already been rooted, re-applying systemless root using the SuperSU ZIP or CF-Auto-Root requires the stock boot image to be restored. Both methods create a backup of the stock boot image before applying root. During testing of this fix, however, it became clear that a lot more users than I had expected managed to somehow lose this backup (clearing cache, factory reset, etc).

If this backup is no longer on your device, neither flashing the SuperSU ZIP nor re-applying CF-Auto-Root will fix the issue, as both installations will fail.

If you happen to have a TWRP backup of the boot image, you can restore that. Otherwise, the only solution is to find your stock firmware on a site such as, and either flash it completely, or extract the boot.img and manually flash that, before re-rooting.

For completeness' sake, note that you can get rid of the security policy update by deleting the /data/security/spota folder, if you have any way of doing that, which most users who lost root will not.

Ramdisk backups

To reduce the impact of lost boot image backups in the future, starting with v2.74, the SuperSU ZIP installer (and thus also CF-Auto-Root) will back up changed files in the boot image ramdisk to the ramdisk itself.

While this backup is not good enough to restore your original boot image to the exact state required to perform an incremental OTA, it should be good enough to be able to re-flash SuperSU even if the full boot image backup got lost - though I make no claims as to what happens if you mix it with custom kernels.



All CF-Auto-Roots have already been updated with this new version of SuperSU.

- supolicy/sukernel: Prevent security updates to SELinux from being applied
- sukernel: backup and restore modified ramdisk files, to be able to re-root if boot image backup got lost
- ZIP: Only show TWRP warning on TWRP v2.x

SuperSU is the Superuser access management tool of the future ;)

!!! SuperSU requires a rooted device !!!

SuperSU allows for advanced management of Superuser access rights for all the apps on your device that need root. SuperSU has been built from the ground up to counter a number of problems with other Superuser access management tools.

Features include:

- Superuser access prompt
- Superuser access logging
- Superuser access notifications
- Per-app notification configuration
- Temporary unroot
- Deep process detection (no more unknowns)
- Works in recovery (no more segfaulting)
- Works when Android isn't properly booted
- Works with non-standard shell locations
- Always runs in ghost mode
- Wake on prompt
- Convert to /system app
- Complete unroot
- Backup script to survive CyanogenMod nightlies
- Icon selectable from 5 options + invisible
- Theme selectable from 4 options
- Launch from dialer: *#*#1234#*#* or *#*#7873778#*#* (*#*#SUPERSU#*#*)

NOTE: Not all phones take both codes. On some phones you need to use single *# instead of double *#*#

The Pro version additionally offers:

- OTA survival mode (no guarantees)
- Full color-coded command content logging (input/output/error)
- Per-app logging configuration
- Per-app user override
- Grant/deny root to an app for a set amount of time
- PIN protection
- Per-app PIN protection
- Adjust auto-deny countdown

The discussion and support thread can be found on XDA-Developers here:

This is meant to replace Superuser (if installed); you use either one or the other. You cannot combine them. Statements that this breaks Superuser are therefore completely nonsensical.


Superuser access management runs through a so-called "su binary". There can be only one of these at a time, so if you install SuperSU, your previous superuser access management solution will no longer operate. If you want to switch back: (1) Open that application, and search for an option for it to install/update/replace the "su binary". (2) Confirm root-using apps are using the superuser solution you want. (3) Uninstall SuperSU.


These are completely optional and more like donations. They do not unlock any functionality.

May 26, 2016
Android 2.1+