Google is apparently stepping up its efforts to crack down on illicit distribution of Google’s Android apps. According to XDA Developers, Google logins on unlicensed devices will now fail at setup, and a warning message will pop up stating “Device is not certified by Google.” This warning screen has appeared on and off in the past during a test phase, but XDA (and user reports) indicate it is now headed for a wider rollout.
While the basic operating system code contained in the Android Open Source Project is free and open source, Google’s apps that run on top of Android (like the Play Store, Gmail, Google Maps, etc.) and many others are not free. Google licenses these apps to device makers under a number of terms designed to give Google control over how the OS is used. Google’s collection of default Android apps must all be bundled together, there are placement and default service requirements, and devices must pass an ever-growing list of compatibility requirements to ensure app compatibility.
Android distributions that don’t pass Google’s compatibility requirements aren’t allowed to be called “Android” (which is a registered trademark of Google), so they are Android forks. The most high-profile example of an Android fork is Amazon’s Kindle Fire line of products, but most devices that ship in China (where Google doesn’t do much business) fall under the umbrella of an “Android fork,” too.
While Google’s Android apps are only properly available as a pre-loaded app (or through the pre-loaded Play Store), they are openly distributed on forums, custom ROM sites, third-party app stores, and other places online. When a non-compatible device seller (or a user) loads these on a device, they can potentially trigger Google’s new message at login.
The message pops up when you try to log in to Google’s services, which usually happens during the device setup. Users who purchased the device are warned that “the device manufacturer has preloaded Google apps and services without certification from Google,” and users aren’t given many options other than to complain to the manufacturer. At this point, logging in to Google services is blocked, and non-tech-savvy users will have to live without the Google apps.
Users of custom Android ROMs—which wipe out the stock software and load a modified version of Android—will start seeing this message, too. Thankfully at the bottom of the message these folks are given an escape hatch: head to g.co/AndroidDeviceRegistration and enter your Android ID, which will register the device to your Google account. This isn’t the easiest thing in the world to do. An Android ID is 64-bit hex string set at first boot and regenerated every time a factory reset is performed. The only official way to view your Android ID is to plug in your device to a computer, install the Android developer tools, and run a command. While there are some apps that will show your Android ID, it’s also tough to install an app without first logging in to the app store. For seasoned ROM users, none of this is a big deal. But the process is definitely harder than it could be, almost like it’s designed to keep out the general public.
We’ve actually been unknowing victims of illicit Google app distribution here at Ars before. We once imported a Xiaomi Redmi 3 smartphone from China to review, and, upon booting it up, we were very surprised to find it came with the Google apps pre-installed. As a device from China, this should not have happened. After we posted the review, Xiaomi contacted us with some very scary news: “The Redmi 3 should not come with Google Play pre-installed because it is a China-only product.” Xiaomi told Ars. “It is very likely that the Play Store you saw was preinstalled by the importer/seller. This is a very common practice with the unauthorised importers.”
This would mean the reseller opened our phone, unlocked the bootloader, flashed on a new ROM with Google Play, re-locked the bootloader, and stuck the phone back in the box. There was no obvious evidence that our device had been tampered with, and, while hopefully the seller only installed Google apps, they could have just as easily loaded malware onto the device. A message like this during setup would have been a big red flag that something was wrong.