Sicurezza

The Internet’s Horrifying Way to Get Google Apps on Huawei Phones

Wu goes on to say, “At this point, it is pretty obvious that Huawei is well aware of this “LZPlay” app, and explicitly allows its existence. The developer of this app has to somehow be aware of these undocumented APIs, sign the legal agreements, go through several stages of reviews, and eventually have the app signed by Huawei.” I would like to add that, remember, this was all finished at least three days before the public launch of the Mate 30. Lzplay somehow knew enough about all of this well in advance of the launch and had time to build an app, go through Huawei’s whole process, and launch a website. Once again: Hmmm.

Huawei has already been asked if it is behind Lzplay, and honestly, at this point, that would probably be the best-case scenario, given how powerful Lzplay is. Huawei shot down this idea, though, and gave the following statement to Android Central: “Huawei’s latest Mate 30 series is not pre-installed with GMS, and Huawei has had no involvement with www.lzplay.net.”

Further research is not really possible right now, since, as Wu writes, the Lzplay app is “obfuscated/encrypted by QiHoo Jiagu (奇虎加固), and is non trivial to reverse engineer.” So somebody went out of their way to hide exactly what Lzplay is doing, so we have no idea how it works or who made it.

Lzplay and the Mate 30’s Unsettled Future

The whole time I’ve been writing this article, I’ve been occasionally refreshing Lzplay.net to see if it is still alive. Sometimes it is up, sometimes it is down, sometimes the app download works, and sometimes it doesn’t. The site certainly seems to be going through some difficulties right now. It is not known why.

The Google ecosystem also seems to be crumbling around the Mate 30 as I write this. Once flashed with the Google apps, the Mate 30 inexplicably passed Google’s “SafetyNet” device integrity checks on early review units, which is needed to run high-security payment apps like Google Pay and some banking apps. As Google’s documentation says, SafetyNet exists “to help determine whether your servers are interacting with your genuine app running on a genuine Android device,” so under no circumstances should the Mate 30 have ever passed. The phone did not pass the Android CDD and therefore is not an Android device (Google owns the trademark), and SafetyNet exists specifically to stop modified and rooted versions of Android from accessing certain apps.

Yesterday, the Mate 30 suddenly stopped passing SafetyNet checks, and Google Pay and other banking apps stopped working. Why it ever passed in the first place was a mystery. But it’s worth noting, after working for a week, it stopped passing SafetyNet sometime after Wu flagged the app on Twitter. Maybe Google was listening?

For now, the Mate 30 is only available in China, and with most Google servers blocked in China, this whole debacle can’t be that widespread of a security concern. Huawei doesn’t really do business in the US, but it has a huge presence in Europe, where it is the number two smartphone vendor, behind Samsung, with 18% marketshare. While there’s no official launch date yet for Europe, the Mate 30 Pro shipping to Europe seems like a forgone conclusion. If Lzplay is allowed to survive when the Google-less phone comes to a territory that needs the Google app, we could see a number of people turn their phone over to an unknown entity just for access to those sweet, sweet Google apps.

If a Huawei-aligned entity created Lzplay for the purposes of alleviating Google app anxiety for potential Mate 30 customers, it really seems to have backfired now. The future state of apps like Google Pay is in flux, and Lzplay highlights just how shady and compromising life outside the Google ecosystem can be. Huawei could fix all of this by giving users full control over their devices and allowing them to unlock the bootloader, so normal Google app flashing techniques would work, but so far, it doesn’t seem to want to do that.