The Mate 30 Pro is a gorgeous phone, but it’s also very hard to recommend because it officially lacks access to Google apps and the Play Store. Unofficially, an easy-to-use solution to “re-Google” the Huawei Mate 30 Pro has been available from day one. Not anymore though.
LZPlay.net, the Chinese website hosting the tool for installing the Play Store on the Mate 30 Pro, is now offline. The likely reason is the media attention LZPlay received after Magisk developer John Wu detailed exactly how the tool works.
According to Wu, LZPlay uses an “undocumented API” found on the Mate 30 Pro that gives it deep access to the system. This special access is needed because many Google apps need to be installed as system apps, which usually requires the presence of so-called app “stubs” on the device. Because Huawei is banned from working with Google, there are no Google app stubs on the Mate 30 Pro.
LZPlay doesn’t require stubs – instead, the app uses the previously mentioned API to make system changes. According to Wu, access to the API is controlled by Huawei:
According to the all-in-Chinese documentation, 3rd party developers/companies are required to sign legal agreements and send them to Huawei in order to gain access to the SDK. For each project, the developer will have to submit a request, along with justification, a list of the permissions willing to be granted. In addition, the APK binary for each release has to be uploaded to Huawei for further examination, which can then finally be signed with Huawei’s special key.
In other words, Wu thinks that Huawei explicitly allowed LZPlay to work by granting it access to the special API for making system changes.
When we contacted Huawei for comment, the company sent us this brief statement: “Huawei’s latest Mate 30 series is not pre-installed with GMS, and Huawei has had no involvement with www.lzplay.net.”
Within hours after John Wu published his post, the LZPlay website went offline. We don’t know exactly what happened, as Huawei denies having any involvement with it and we don’t know the owners and operators of the website. It’s likely that the LZPlay app itself still works.
Adding another wrinkle to the story, Android Central’s Alex Dobie said on Twitter that the Mate 30 Pro no longer passes SafetyNet, even if it passed the Google security test last week.
Soooo uhh this is new.
Since today’s developments, Mate 30 Pro now fails SafetyNet. Last week it passed.
What the what pic.twitter.com/fPeaWUHD2v
— Alex Dobie (@alexdobie) October 1, 2019
Soon after, 9to5Google’s Damien Wilde noted that the phone can no longer run Google Pay, which again, was possible just a few days ago.
So as per @alexdobie original tweet. Failed CTS check = no more Google Pay working. So I tested.
But considering this was working less than 2 days ago, this is not good. pic.twitter.com/0E8pGNtY97
— Damien Wilde (@iamdamienwilde) October 1, 2019
It’s not clear what happened – it’s not even clear how the Mate 30 Pro passed SafetyNet in the first place, considering SafetyNet is not supposed to pass on devices with modified system software.
For now, this whole saga affects only a tiny number of people anywhere in the world: journalists who received the Mate 30 Pro for review and customers outside of China who have somehow managed to import a Chinese Mate 30 Pro. The phone is only on sale in China, where nobody uses Google apps anyway.
If you were hoping to import a Mate 30 Pro or to buy one once it launches in your local market, you should know that LZPlay is no longer a solution for getting Google apps on the device.
Even if you could get hold of the app somehow, we can’t recommend using it. If John Wu is right about his findings, the app was somehow whitelisted by Huawei for it to work. Even if you trust Huawei and their verification system, it remains unclear what LZPlay actually does to your phone. Also, it’s not inconceivable that the API will be targeted by hackers looking to get access to Huawei devices. As Wu put it,
This undocumented API is not the ‘OMG Huawei is spying on us OMG’ kind of backdoor many media might wish to exist. It is protected behind rigorous verification on Huawei’s side and requires user interaction to allow the permission to be granted. Nevertheless, only Huawei knows the intent to create such API and allow the existence of ‘LZPlay’, and it is up to anyone’s imagination.
Installing LZPlay was always a bit risky, but it’s becoming even riskier now. It’s possible the APK file will be rehosted on other websites, but that raises new questions about the authenticity of the rehosted app. The safest thing to do, for now, is to stay away from it.