Since Google Services Assistant was a workaround to install Google Apps on a device not meant to have Google Apps, how exactly this workaround came to be was a legitimate question.
Chinese OEMs in the past have released GMS (Google Mobile Services) installers to allow easy sideloading, but such a solution was not a practical possibility for Huawei, in light of the unprecedented and complex political scenario. These GMS installers worked by updating GMS “stubs” that had been preloaded within the system by the OEM (GMS apps need special permissions to run properly, and this permission exists only for system apps). And as you already know, apps on an unrooted device can be updated on top of existing apps only when they have been signed with the same key. Thus, the stubs and the apps have to come with the same Google signature, essentially precluding Huawei from preloading Google-signed stubs because of the US ban.
Once we got our hands on the software from the device, we found out that the devices did not actually come with any preloaded GMS stubs. This indicated that whatever method Google Services Assistant used to install Play Services was out of the ordinary and worthy of further investigation for possible uses within the development community. XDA Recognized Developer topjohnwu, known for his work with Magisk, investigated this anomalous behavior.
As it turns out, Google Services Assistant utilized a set of APIs from Huawei that were intended for mobile device management (MDM — used by enterprises to manage employee devices). The full API reference of this Huawei Security Authorization SDK has been available to the public, so enterprise users can know and benefit from the full range of control methods over devices in their business organization. The real twist comes in the form of some MDM APIs that only very recently got documented, and the documentation is not available until you sign legal agreements to get access to the SDK.
<uses-permission android:name="com.huawei.permission.sec.MDM_INSTALL_SYS_APP"/>
<uses-permission android:name="com.huawei.permission.sec.MDM_INSTALL_UNDETACHABLE_APP"/>
These MDM APIs allow permitted apps to install “system apps”, even when the phone has a locked bootloader, has Android Verified Boot enabled, and is formatted with Huawei’s read-only filesystem EROFS. What actually happens is that a permitted app, Google Services Assistant in this case, is allowed to flag user apps as non-removable system apps even when those apps or stubs do not actually exist on the read-only partition. “Permitted apps” are allegedly tightly controlled by Huawei — the developers have to sign legal agreements, submit requests for permissions and justifications for the permissions requested, and send the APK binary for each release to Huawei for inspection. Only if and when Huawei agrees, will the app be signed with Huawei’s special key, allowing it to make use of these APIs.
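An added example, not from the original article or from Huawei's SDK: a Python check that a device administrator or app reviewer could run over a decoded, plain-text AndroidManifest.xml to flag apps requesting the two permissions quoted above. The sample manifest, the package name `com.example.installer` and the function name `audit_manifest` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# The two permissions quoted in the article.
SYS_APP_INSTALL_PERMS = {
    "com.huawei.permission.sec.MDM_INSTALL_SYS_APP",
    "com.huawei.permission.sec.MDM_INSTALL_UNDETACHABLE_APP",
}
# Both permission-request elements Android accepts in a manifest.
REQUEST_TAGS = ("uses-permission", "uses-permission-sdk-23")

# Constructed sample: decoded manifest of a hypothetical app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.installer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission
      android:name="com.huawei.permission.sec.MDM_INSTALL_SYS_APP"/>
  <uses-permission
      android:name="com.huawei.permission.sec.MDM_INSTALL_UNDETACHABLE_APP"/>
  <application android:label="Installer"/>
</manifest>
"""


def audit_manifest(manifest_xml):
    """Return (package, sorted flagged permissions) for one manifest."""
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("not an AndroidManifest.xml document")
    requested = set()
    for tag in REQUEST_TAGS:
        for elem in root.findall(tag):
            name = elem.get(NAME_ATTR)
            if name:
                requested.add(name.strip())
    return root.get("package"), sorted(requested & SYS_APP_INSTALL_PERMS)


if __name__ == "__main__":
    package, flagged = audit_manifest(SAMPLE_MANIFEST)
    for perm in flagged:
        print(f"{package}: requests {perm}")
```

A request in the manifest only shows intent; per the article, the APIs work only for apps that Huawei has signed with its special key.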
As one would expect in light of the complex political scenario, the existence of Google Services Assistant and LZPlay was going to be short-lived. As the workaround gained popularity, interested parties seemingly took notice. The website hosting Google Services Assistant, LZPlay, has been taken offline, and sideloading the Google Services Assistant app no longer fetches the Google apps. It is also possible that the special permission the app had from Huawei has been revoked. Google must have also taken notice, as SafetyNet received an update that removed the Huawei Mate 30’s build fingerprint from its whitelist, meaning that SafetyNet will fail, preventing units that had managed to sideload Google Apps from using apps like Google Pay.
The ability to run Google apps is a big deal for many, so people will perennially be interested in sideloading Google Apps on such capable hardware. XDA Senior Member zhangyang_haha has figured out a different workaround, one that essentially involves restoring a backup image from a device that managed to install Google apps using Google Services Assistant from back when the method worked. Also, note that the method appears to be specific to the Huawei Mate 30 Pro as the backed-up image is from that device — we were unable to confirm if the same could work on the Huawei Mate 30 or the Honor 9X Pro.
While this method is not as simple as installing Google Services Assistant and letting it do everything, it still works — with the caveat that SafetyNet will continue to fail since that is a server-side change from Google.
- Users need to back up their files to HiSuite on a PC and factory reset their phones.
- Install the Google apps provided in the downloadable zip in the thread.
- Unzip the provided backup image zip to your HiSuite backup folder on the PC.
- Restore the backup to your device, ensuring that you also restore the “system settings” from the backup image to your phone.
- Once the provided backup has been “restored” (aka installed) on your phone, you need to restart your device.
- Next, ensure that you get into App Settings and clear all data for the Google apps that you installed, and grant all the permissions that those apps request.
- Reboot for good measure.
- Launch the Google Play Store while having an active internet connection on your phone.
The thread is not immediately clear on when you can restore your previous data. Most users will be using the method on new Huawei Mate 30 devices, so data loss should not be significant. Do note that SafetyNet will still fail and will likely continue to fail until the political situation improves. For now, if you are looking to install Google Apps on your new device, this new workaround is your best bet.