Huawei didn’t mince words during the Mate 30 Pro event a few days ago when it came to talking about the Android OS the new phones will run. The company explained it can use any of Google’s apps because of the ban. Huawei further announced that its own Google Play store alternative will operate on these devices, and revealed it’s ready to invest some $1 billion to make that ecosystem a viable alternative to Google’s. That sounds great in theory, but in practice, any Mate 30 Pro buyer from the US (if you can get it) and Europe wants Google apps preinstalled, particularly the Play store, Google Maps, and YouTube. Soon after the Mate 30 event, it was discovered that you only need 10 minutes to install all the Google Android apps you love, and turn the Mate 30 Pro into the flagship it should have been without the ban. But that avenue is no longer available to buyers, as a security researcher figured out how the whole thing works, concluding that the workaround might also be a security issue.
John Wu explained on Medium how it’s possible to install Google’s suite of apps on the handset:
The currently widespread method to install Google Services on newly released Huawei devices relies on undocumented Huawei specific MDM APIs. Although this “backdoor” requires user interaction to be enabled, the installer app, which is signed with a special certificate from Huawei, was granted privileges nowhere to be found on standard Android systems.
It’s important to note that the “backdoor” mentioned above isn’t the kind of backdoor you’d expect, the kind that intelligence agencies would flag for its ability to spy on the user — again, from Wu:
This undocumented API is not the “OMG Huawei is spying on us OMG” kind of backdoor many media might wish to exist. It is protected behind rigorous verification on Huawei’s side and requires user interaction to allow the permission to be granted.
Wu explained that the Chinese app that lets you install Google apps on the handset basically gave these apps system apps status. And Google apps are system apps on regular Androids sold in markets where Google is allowed to do business:
For some reason, Huawei has undocumented MDM APIs that allow apps to install system apps and install undetachable apps. It is a well-known trick among Android enthusiasts to “flash an app into system” to unleash system privileges for some specific app; however, in this case it is certainly not the same thing because a. the bootloader is locked and Android Verified Boot is enforced; b. Huawei format their system/vendor/product partitions as EROFS, a read-only, compressed filesystem. This means the system framework in Huawei’s OS has a “backdoor” that allows permitted apps to flag some user apps as system apps despite the fact that it does not actually exist on any read-only partitions.
Wu concludes that Huawei must have reviewed this LZPlay app, and “explicitly allows its existence.”
Back when we found the app, we warned you that the entire process relies on you trusting a Chinese app to pull off the Google magic. At the same time, we told you that Huawei can’t afford a security scandal just as it’s trying to prove to the West that it’s a trustworthy company.
Huawei told Bloomberg that it had no involvement with the LZPlay app.
Even so, the app is no longer available to download, which means you can’t install Google apps on the Mate 30 Pro using this workaround.
Soooo uhh this is new.
Since today's developments, Mate 30 Pro now fails SafetyNet. Last week it passed.
What the what pic.twitter.com/fPeaWUHD2v
— Alex Dobie (@alexdobie) October 1, 2019
So as per @alexdobie original tweet. Failed CTS check = no more Google Pay working. So I tested.
But considering this was working less than 2 days ago, this is not good. pic.twitter.com/0E8pGNtY97
— Damien Wilde (@iamdamienwilde) October 1, 2019
Furthermore, after Wu’s discovery, the Mate 30 Pro running Google apps lost its SafetyNet certification, which is one requirement to use Google Pay. Per 9to5Google you can’t use Google Pay any longer on the Mate 30 phones, although it was possible to do so previously.
