Huawei promises to keep its phones updated with security patches no matter what — but it’s not clear how it can do this.
Late last week, Huawei sought to recover from the wave of bad publicity following its recent blacklisting by the U.S. government, with public statements of support for its products. In its “Huawei Answers” mini-site, the company mostly provides common-sense clarifications: Yes, your Huawei phone will still be able to use the Google Play Store. No, factory resetting it won’t get rid of Android or your Google apps. And the P30 series, among others, will indeed get Android Q.
The site also says Huawei will continue to keep current phones updated with security patches and software updates, even with the looming August cliff-edge for its temporary license to work with Google and certain other U.S. companies.
A crucial bit of backstory before we continue: Shortly after the initial ban in mid-May, Huawei was granted a temporary license from the government allowing it to continue to work with some U.S. firms. But this expires on August 19, and only applies to co-operation to support “existing products.” After that, if Huawei isn’t taken off the U.S. “entity list,” it would be unable to work with Google even for the purposes of updating and supporting existing devices.
As things stand, after August 19, Huawei won’t be able to work with Google at all.
Nevertheless, Huawei has promised to keep phones like the P30 supported with software and security updates, even with the very real possibility of not being able to legally work with Google from late August. How will it do this? Huawei surely has a plan, or it wouldn’t have made this public commitment. But so far it’s very, very unclear how the company will be able to provide this promised support.
All major Android versions hit the Android Open-Source Project (AOSP), where they can be downloaded and compiled by anyone. The same applies to Android’s monthly security patches. But as Ars Technica reports, even switching to open-source Android without any Google apps would likely see Huawei falling foul of U.S. export law, with consequences for anyone who sold these phones.
There’s also the question of Google’s Android compatibility testing suite, or CTS — a key part of updating the firmware on any phone with Google’s apps and mobile services.
Android’s Compatibility Testing Suite for new updates is a major headache for Huawei.
This is the collection of software tests designed to ensure that any new firmware for Android phones is secure, doesn’t break apps and generally has everything working as intended. While the CTS tests themselves are open-source, allowing manufacturers to ensure their code passes the tests internally, Google needs to sign off on any new firmware before it rolls out over the air. This applies to updates for any devices which ship with its GMS (Google Mobile Services) package, and by design it’s not something manufacturers are able to sidestep.
If Huawei remains on the U.S. entity list after August 19, it won’t be able to work directly with Google at all. No Google co-operation means no technical approval for new firmware updates. Could Huawei push updates to existing phones without Google’s approval? Probably not. From what we know of the Mobile Application Distribution Agreements signed between Google and manufacturers, passing CTS and being able to distribute Google apps go hand-in-hand. If Huawei tried to push an uncertified update, it’d likely find itself in breach of contract, and likely of U.S. export law too.
Even if Huawei did choose to push uncertified updates, secure features like Google Pay and banking apps, as well as some DRM-enabled services, would break. That’s because Android’s built-in SafetyNet protections will alert these apps to firmware that’s been tampered with, or which doesn’t have Google certification. (This is the same hurdle which generally prevents custom ROMs and some beta firmware builds from working with Google Pay. It’s part of Google Android’s baked-in security.)
Huawei is boxed in by inconvenient legal and technological realities.
CTS, SafetyNet and the distribution agreements between Google and Huawei are pretty much the crux of the uncertainty around Huawei phones’ future right now. The technical and legal realities are stacked against the company.
So if Huawei can’t (or won’t) ship uncertified updates, and the company can’t work with Google to certify new updates after August 19, what are its options?
It’s been suggested that Google could just outsource its technical approval process to some third-party contractor outside the U.S., meaning it wouldn’t be dealing with Huawei directly. But this wouldn’t solve anything, since such a third party would quickly fall foul of U.S. law. As Ars’ article explains, going through a proxy doesn’t let you dodge export law. This is the same issue which dragged ARM, a British company dealing in American IP from U.S. universities, into the Huawei ban.
Besides which, the digital signatures for approved firmware are stored on Google’s own servers. As such, any attempt to sidestep Google’s direct involvement would become incredibly messy, and potentially legally perilous, for all involved. You can’t disentangle Google from what is inherently Google technology and a Google approval process. And anytime you’re dealing with Google, you can’t avoid the restrictions enforced by Huawei’s place on the entity list.
You can’t disentangle Google from the Android update approval process.
Another possibility is Huawei patching in some alternative update mechanism while it still can, perhaps through its AppGallery store. This might work similarly to Google Play’s Play Protect feature, or a PC virus scanner. While this might provide an added layer of security, it would be no substitute for Android’s monthly security patches.
Yet another option, however unlikely, would be to offer existing phones an optional upgrade to Huawei’s nascent HongMeng OS once it’s available. But because it would be a Huawei-owned platform, U.S. app developers (like Twitter, Facebook and, yes, Google) would likely be unable to legally create apps for it. As such, it’d be an unwelcome change for most consumers.
The good news for Huawei owners is that — hey, at least Android Q is coming. And there’s a promise of future software updates; we just don’t know how things will play out. In my view, the most likely outcome is still some kind of deal between the U.S. and China — a series of licenses that allows Huawei to work with the necessary U.S. companies to keep its smartphone business going, while shutting out the company from vital American infrastructure.
With regard to Android, the timing of Huawei’s temporary license means it’ll be able to squeak out certified, final Q builds for the P30 series and other phones before it runs out of road. (Given Google’s regular partner release schedule, manufacturers should have final, official Q code around a month before it goes public sometime in August.) And this new sense of urgency might even result in quicker Q updates than expected for existing Huawei phones.
A Huawei spokesperson told Android Central that announcements on the specifics of future software updates are coming, but wasn’t able to provide any more detail at publication time.