■HUAWEIは本当に危険なのか■ Part.12

953 ：SIM無しさん ：2019/10/03(木) 00:01:02.72 ID:5UDjUtle0.net

John Wu氏のレポート

Huawei’s Undocumented APIs — A Backdoor to Reinstall Google Services
https://medium.com/@topjohnwu/huaweis-undocumented-apis-a-backdoor-to-reinstall-google-services-c3a5dd71a7cd

At this point, it is pretty obvious that Huawei is well aware of this “LZPlay” app, and
explicitly allows its existence. The developer of this app has to somehow be aware
of these undocumented APIs, sign the legal agreements, go through several stages
of reviews, and eventually have the app signed by Huawei.
The sole purpose of the app is to install Google Services on a non licensed device, and
it sounds very sketchy to me, but I’m no lawyer so I have absolutely no idea of its legality.

But even if it is legal, this backdoor should never exist in the first place from a security standpoint.
There is a reason why system apps are allowed to have additional privileges: they exist on a
cryptographically verified read-only partition. Despite the fact that the certificate to escalate a
user app to system app is gate-kept by a trusted(?) party, Huawei, as long as things are
stored on a writable partition (userdata), it is susceptible to malicious tampering, and
should not be treated the same.


うーん真っ黒だなこれ