Google Shuts Huawei 'Backdoor' for Play Store Apps on Mate 30

(Image credit: Huawei)

While we've known for months that the Mate 30 series and other future Huawei devices will be officially blocked from using Google’s own Android apps and services, it quickly became apparent once pre-release units became available recently that there was a way around the U.S.-government-mandated block. Or, at least, there used to be.

To get Google's Android apps, many journalists and others with preview Mate 30s used a sideloaded app called LZPlay to supply the necessary Google Mobile Service (GMS) files to provide access to the Google Play store. 

However, Taiwan-based security researcher John Wu pointed out yesterday (Oct. 1) in a Medium blog post that these users were relying on a website with unknown ownership (it’s been traced to China) to install LZPlay, and that the users may have been confused about how exactly the process worked. 

Wu added that LZPlay used a hidden "backdoor" in Huawei system software to install and run the Google apps. The backdoor gave LZPlay full administrative control, which could theoretically have been abused by hackers -- or Huawei, or the Chinese government -- to install spyware or other malicious apps on user devices. (Ars Technica's Ron Amadeo called it "the biggest Android modding security nightmare I have ever seen.")

Following Wu's blog post, the website vanished, and Google began to label all Huawei Mate 30 phones as unsafe, which means none of the handsets will be running Google apps for the time being.

MORE: Pixel 4 and Pixel 4 XL Revealed in New Renders

Without full GMS files preinstalled, a device needs Google-verified "stubs" of these files present within its Android build to download and run them, Wu explained. This is how Android phones sold in mainland China can still install blocked Google apps if a user takes a phone out of the country.

Google digitally "signs" these stubs with a secret code so that they will not be used to install counterfeit or malicious clones of Google apps. The stubs are kept on a read-only storage partition that cannot be modified.

But in Huawei’s case, the U.S. government ban mandated the removal of these stubs. This prompted Wu to wonder if Google was breaking the ban by leaving the stubs in Huawei phones, or if Huawei had made some illicit copies of the stubs before being cut off. 

Clever, clever

Wu found that LZPlay used a third method. Instead of using Google's normal verifications to install and run Google apps, which would have failed, the LZPlay app bypassed them by using Huawei’s system permissions, which include two extra hidden options for high-level installation privileges. 

In other words, LZPlay used two secret Huawei files that no one else outside Huawei seemed to know about, and which no other app seemed to use.

"This means the system framework in Huawei’s OS has a 'backdoor' that allows permitted apps to flag some user apps as system apps despite the fact that it does not actually exist on any read-only partitions," Wu wrote.

What an interesting coincidence

While LZPlay and Huawei were not officially affiliated, Wu believes that Huawei was aware of and actively allowed LZPlay to operate, since Huawei requires developers to ask its permission before accessing its SDK (software development kit).

Hours after Wu put up his blog post exposing how LZPlay works, the site distributing the app was taken down, according to Bloomberg. And Google no longer certifies Mate 30 devices as "safe" in its SafetyNet system, which protects users and apps from security threats. 

Without SafetyNet activated, the majority of Google-approved apps won’t function at all. This means that even if another site like LZPlay came into existence, it would no longer be able to install working Google apps on the Mate 30 lineup.

We’re currently in the process of reviewing the Mate 30 Pro, and during testing we managed to get Google Play and various other apps running on the phone via the LZPlay method. 

While it was hard to recommend doing this anyway due to the unknown provenance of the files, the fact that there is now no way to make Google services work on the Mate 30 is a near-fatal blow to the device.

Huawei’s own apps, plus its own storefront, the App Gallery, are the smartest replacement for the Play Store and Google's apps, but the App Gallery is not currently optimised for users outside China. 

Unless this situation significantly improves in the next few weeks or months before the Mate 30 series is released in Europe, there’s no way we or anyone else will be recommending this phone to anyone beyond diehard Huawei fans.

Richard Priday
Assistant Phones Editor

Richard is based in London, covering news, reviews and how-tos for phones, tablets, gaming, and whatever else people need advice on. Following on from his MA in Magazine Journalism at the University of Sheffield, he's also written for WIRED U.K., The Register and Creative Bloq. When not at work, he's likely thinking about how to brew the perfect cup of specialty coffee.