Google warns users not to mess with Huawei devices

Google tells users of Huawei devices to try to avoid bypassing controls preventing them from loading its apps

Google has warned owners of Huawei smartphones not to try to bypass the controls placed on them to install Google’s apps on their devices, saying that because their security cannot be guaranteed, they run the risk of inadvertently installing a malicious app masquerading as a legitimate one.

Huawei was placed on the US government’s Entity List in May 2019, effectively banning US companies from doing business or collaborating with it.

Almost immediately, Google blacklisted Huawei and cut it off from the Android ecosystem for future updates. Now that more new devices are becoming available and the next iteration of Google’s operating system, Android 10, is becoming widely deployed, Google is becoming more stringent in its approach to Huawei.

In a post on Google’s Android support forums, Tristan Ostrowski, Google’s Android and Play legal director, said that to protect user data privacy and security, the Google Play Store, Google Play Protect, and core apps such as Gmail, Maps and YouTube can only be made available to Play Protect certified devices.

“Play Protect certified devices go through a rigorous security review and compatibility testing process, performed by Google, to ensure user data and app information are kept safe,” said Ostrowski. “They also come from the factory with our Google Play Protect software, which provides protection against the device being compromised.”

Because new Huawei devices made available to the public since May 2019 cannot go through the certification process, nor can they have Play Protect preloaded, they now cannot utilise Google’s apps and services, said Ostrowski.

This includes the Chinese company’s newly launched premium handset, the foldable Huawei Mate Xs, which will retail in Europe for €2,499.

Ostrowski warned owners of new Huawei handsets not to try to get round the restrictions by “sideloading” Google apps.

Sideloading is the practice of installing apps on a device without using the official app distribution method. It is relatively simple to do on an Android device – users simply need to check a box in the OS settings – but much harder on an Apple iOS device, which must first be jailbroken. Once it is enabled, users can download and install apps from any website or third party.

“Sideloaded Google apps will not work reliably because we do not allow these services to run on uncertified devices where security may be compromised,” said Ostrowski.

“Sideloading Google’s apps also carries a high risk of installing an app that has been altered or tampered with in ways that can compromise user security.”

Positive Technologies CTO Dmitry Kurbatov said the warning shone a spotlight on the wider mobile app threat landscape, particularly in relation to Android devices.

“Android phones allow users to install apps from unverified sources, which are highly risky as these apps can be exploited by threat actors,” he said. “Insecure interprocess communication (IPC) is a common critical vulnerability, allowing an attacker to remotely access data processed in a vulnerable mobile application. Our research also shows that 75% of Android applications have higher vulnerabilities compared to 30% of iOS applications.

“Subscribers need to vet an app and trust the app developer before installing a new app. Users need to make sure they download software from verified sources only, check a developer's history and always check the permission settings before installing. If the developer has created other apps with suspicious names, such as ‘Wi-Fi booster’, ‘Easy Root’ or ‘Funny Videos’, then it might not be a trustworthy one.”

Kurbatov added: “To keep safe, it’s good to check online reviews of the application before installation. If you see the app was mentioned as suspicious by even one user, don’t install it.”

Ostrowski said Google was committed to protecting the security of its existing Huawei user base, and continued to work with Huawei in compliance with US government regulations on existing devices.

“We will continue to do so as long as it is permitted,” he said. “To be clear: US law currently allows Google to only work with Huawei on device models available to the public on or before 16 May, 2019.”

Huawei owners can check whether their device is certified by opening the Play Store app, tapping “Menu” and looking for “Play Protect certification” under “Settings”.