Android - What is the default Android Root Password?
root in Linux (or any Unix-like system) is just the user with User ID 0. The su program (which actually stands for "Switch User", not "Super User") is just a program to start another program with a different user ID than the starting program (by default to uid 0, which is to user root). Android does not use the traditional /etc/passwd, however it still uses Linux User ID and Group ID for managing permissions.
If you want to intercept su requests so you can ask for password or enforce other rules, you will need to replace /sbin/su with your own version of su. Alternative approach is the one described here: http://www.koushikdutta.com/2008/11/fixing-su-security-hole-on-modified.html though that will require applications to cooperate by firing an Intent when they want to switch user.
Android security framework is more or less like this: each installed application runs on its own User ID (selected at installation time), and application permissions is implemented as user groups.
Can i change the root password after rooting my android device by simply typing "passwd"?
Android does not use /etc/passwd so it also does not have passwd
program.
how is the rooting process working ? i mean what is the "one click root" apps doing to my phone?
I'm not quire sure with the exact process myself, you probably want to ask to rooting developers. However, my guess is it just reverts the security check that originally prevent developer from setuid 0.
And im a developer, so how can i find hidden APIs (like iOS) for rooted app development ?
Since Android is open source, there is no truly hidden API in Android. However, there are some unpublicized or undocumented APIs, you can browse for this in Android's source code. However, these APIs are not about root developments, they're usually in-development APIs that are not ready yet or is too localized for specific purpose that is not useful for public developer (or perhaps Google just haven't realized their usefulness yet). You are not restricted from using these APIs, but since these are not an officially supported APIs, they may disappear or break backward compatibilities in the future. If you need to use these APIs make sure your app breaks gracefully.
Not a dev, but here's my best stab at an explanation as I understand it (assuming I've understood your question). Hopefully I'm not too far off the mark...
All the 'rooted' ROMs I have used manage root access user the SuperUser application - i.e. when you start an app that wants to run with SuperUser privileges, the SuperUser application will prompt the user to grant the 'root' application these permissions. The SuperUser application then maintains a white-list of apps that have been granted these permissions.
This is the same for Console emulators, etc, so you grant access to the console application - you don't need to enter a password within the emulator.
I don't think you need to worry about the root password for this.
With regards to hidden APIs - I don't think they are "hidden" as such, as the Android OS is open sourced in the first place.