Ever since the US government added Huawei to its Entity list last May, and issued a number of temporary exemptions and extensions since, we’ve wondered and speculated about the extent to which the companies are still allowed to work together on existing and new devices.
Today, Google’s Tristan Ostrowski (Android & Play Legal Director) issued a statement on the company’s Android Help website that details some specifics about what they are and aren’t allowed to do, and addresses the somewhat common practice of sideloading apps to add functionality that users want on new phones.
Firstly, the statement specifically says that they are not allowed to collaborate with Huawei. They do point out though that they continue to work with Huawei on security updates for existing devices that were in-market before May 16 2019 and will continue to do so while they are allowed to do so.
This does make us wonder exactly what’s happening around security updates for Huawei’s existing products.
Previously we’ve surmised that Huawei would draw Android’s security patches from AOSP and apply them themselves on a regular basis without Google’s involvement, and that assumption really still stands. It sounds like Google’s still involved in the security update process, however. Maybe it’s a case of taking help while it’s available.
It’s worth noting at this point that my P30 Pro hasn’t moved past the December 2019 security patch level, though. Ausdroid no longer has a Mate 30 Pro to check its security patch level.
New devices, and the perils of sideloading
Ostrowski’s statement is far more detailed on new devices – this covers things the Mate 30 Pro, released in the later half of 2019 and one of the most prominent Android devices to ever ship without Google’s apps and services. It’ll also cover Huawei’s looming P40, and other new devices from the company (like their popular midrange Nova series) going forward.
The common practice on these devices is to sideload a bunch of services and apps obtained from places on the internet that don’t start with google-dot-com, because Google only makes these things available to certified manufacturers.
The sideloading conundrum
Last year we saw a popular installer for these apps disappear around the time the Mate 30 was released, after media and customers (rightly) raised questions about who owned the domain from which the apps were being downloaded, and how anyone could verify that they were installing.
Establishing whether you can trust a download source for sideloading is a common problem for which the only real solution to this day is personal preference and judgement. Ausdroid will always trust APK Mirror, for example, but that site with a bunch of letters and numbers in its domain name? Possibly sketchy.
For some, accessing Google’s apps and services on their shiny new phone is more important than consideration of the security implications of doing so. It shouldn’t be that way.
Google Play Protect Certification
Let’s get back to the statement at hand. Today’s update from Google contains this callout, in bold type:
Due to government restrictions, Google’s apps and services are not available for preload or sideload on new Huawei devices.
Except they are … you can sideload the apps right now, and they work. Mostly, anyway. Google really doesn’t want you to do so for the sake of your own security though, lest you end up sideloading Google apps modified by a malicious actor that compromises your personal data, and you might not even know it’s doing so.
It seems that Google might leverage its Google Play Protect certification process to stop you from doing so.
Obviously, as Google’s not allowed to collaborate with Huawei on new devices, they’re not allowed to certify them for Play Protect, which Google says can make its apps unreliable because the host device isn’t certified.
It seems that Google might lock down its apps in the future to only work on certified devices, something we thought might be a possibility back when we examined sideloading this all onto the Mate 30.
Simply put: While sideloaded Google apps might work today, there’s no guarantee they’ll continue to do so tomorrow.
For us, this makes any new devices without preloaded Google apps and services (like the forthcoming P40) extremely hard to recommend, regardless of how kickass its camera promises to be. It also goes some way to explaining why Huawei is sending updated models of the P30 and P30 Pro into market, since they can still be sold with Google apps and services.
Back at the beginning of all this fracas, we hoped that Google might establish an official, secure way to allow device owners to its apps and services on Android devices that shipped without them. It’s still our hope that the company may do so for the sake of user security, but it sounds like such a solution is increasingly unlikely.