KUALA LUMPUR, Oct 3 — Huawei Mate 30 series is launching in Malaysia tomorrow. Although it won’t be shipped with Google Mobile Services out of the box, there was a third party workaround that lets you install Google apps and Play Store easily.
Unfortunately, this quick backdoor workaround has been disabled.
Previously, all you’ll have to do is to visit https://www.lzplay.net/#/ and install an APK to enable Google Mobile Services, however, this website is no longer accessible.
Even if you still have the APK file, it won’t work anymore and it will show a connection error.
So if you’re planning to pick up a Huawei Mate 30 and Mate 30 Pro, getting it to work like a typical Android smartphone won’t be as easy as expected previously.
You could sideload apps but there’s no guarantee that it will work as it lacks the Google framework.
On top of that, getting apps outside the Play Store does have its own risk and this can be an issue for non-tech savvy consumers.
Backdoor raises security concerns
Android security researcher, John Wu, has raised some concerns with the LZPlay workaround. He explained that sideloading Google Mobile Services (GMS) for Chinese devices is quite common but this is usually normal for devices that are using Google licensed system image.
He added that system apps and user-installed apps are treated differently on Android. Some GMS packages must be installed as system apps because it requires permissions to function properly.
Users can upgrade the system apps via Play Store or manual sideloads provided that the update is signed with the same key as the original version in the system.
He mentions that signature verification is important as it prevents attackers from distributing malicious updates.
Most OEMs will include GMS “stubs” in the system which enables you to activate Google apps and service but they need to be signed by Google for it to be compatible with the actual GMS APKs. When he heard that a random APK can install GMS on the Mate 30 Pro, he was quite surprised.
He speculated that this could either mean that Google is quietly giving stubs to Huawei or Huawei is blatantly stealing Google’s stub binaries.
Long story short, he concluded that Huawei is well aware of this “LZPlay” app and they explicitly allowed its existence.
He alleged that Huawei’s OS has a backdoor to allow such apps from getting additional privileges.
From a security standpoint, he said such backdoor should never exist and it is susceptible to malicious tampering. You can read John Wu’s full article here.
When Android Central reached out to Huawei on its involvement with LZPlay, they issued the following statement:
Huawei’s latest Mate 30 series is not pre-installed with GMS, and Huawei has had no involvement with www.lzplay.net
To make matters worse, Alex Dobie from Android Central has discovered that his Mate 30 Pro unit has recently failed the SafetyNet test.
Previously, it had passed and early reviewers were able to use their Mate 30 Pro for Google Play.
SafetyNet is a component under Google Play services that assess the health and safety of your Android device. This helps Google to ensure that the device is secure and not rooted.
Google Pay has stopped working on the Mate 30 Pro starting today as it has failed the CTS profile check. You can check out the video below:
So as per @alexdobie original tweet. Failed CTS check = no more Google Pay working. So I tested.
— Damien Wilde (@iamdamienwilde) October 1, 2019
But considering this was working less than 2 days ago, this is not good. pic.twitter.com/0E8pGNtY97
With the current situation, Huawei has hit yet another brick wall and hopeful buyers will be limited to apps that are listed on Huawei’s AppGallery.
Without an easy and official way of getting Google apps and services, it will be tough to recommend the device for now. Are you still considering the Mate 30 Pro? Let us know in the comments below. — SoyaCincau
