Android Play Store Tidbits – Blocking Unlocked/Uncertified/Rooted Devices, Graphics Drivers as an App

There have been at least two or three notable stories about the Play Store this week. It started with Netflix no longer installing from the Google Play Store on rooted devices, devices with an unlocked bootloader, or uncertified devices, and showing as “incompatible”. AndroidPolice contacted Netflix, which answered:

With our latest 5.0 release, we now fully rely on the Widevine DRM provided by Google; therefore, many devices that are not Google-certified or have been altered will no longer work with our latest app and those users will no longer see the Netflix app in the Play Store.

So that means you need to have Google Widevine DRM in your device, which means many Android TV boxes may stop working with Netflix. You can check whether your device is certified by opening Google Play, clicking on Settings, scrolling to the bottom, and checking Device Certification to see if it is Certified or Uncertified (H/T jon for the tip).

I tried this on my Chinese phone, and unsurprisingly it is “Uncertified”. AndroidPolice however successfully tested both Netflix 4.16 and Netflix 5.0.4 on an unlocked Galaxy S tab with Level 3 DRM and both worked. So the only drawback right now is that you can’t install Netflix from the Play Store, but it still works normally. Some boxes do not come with any DRM at all, which you can check with DRM info, and they may not work at all (TBC).

We’ve now learned this will not only affect Netflix, as developers will now be able to block installation of apps that fail “SafetyNet”, as explained at Google I/O 2017:

Developers will be able to choose from 3 states shown in the top image:

  • not excluding devices based on SafetyNet
  • excluding those that don’t pass integrity
  • excluding the latter plus those that aren’t certified by Google.

That means any dev could potentially block their apps from showing and being directly installable in the Play Store on devices that are rooted and/or running a custom ROM, as well as on emulators and uncertified devices ….. This is exactly what many of you were afraid would happen after the Play Store app started surfacing a Device certification status.

This would mean it might become more complicated to install apps from the Google Play Store on some devices, and we may have to start side-loading apps again, or use another app store. That’s provided they don’t start to stop apps from running altogether. The latter has been possible for years, as for example many mobile banking apps refuse to run on rooted phones.
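The three exclusion levels listed above, applied server-side to the payload of a SafetyNet attestation response, as an added example that is not code from this post or from Google. It assumes “pass integrity” corresponds to the response's `basicIntegrity` field and “certified” to `ctsProfileMatch`; the constant and function names are hypothetical and the sample responses are constructed.

```python
import base64
import json

# The three exclusion levels from the list above (constant names are hypothetical).
NO_EXCLUSION, REQUIRE_INTEGRITY, REQUIRE_CERTIFIED = 0, 1, 2

def b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def unverified_payload(jws: str) -> dict:
    """Decode a compact JWS payload. Signature and certificate-chain
    validation must happen before the result is trusted (not shown here)."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def allowed(payload: dict, level: int, nonce: str, now_ms: int,
            max_age_ms: int = 120_000) -> bool:
    """Apply one exclusion level to an attestation payload, failing closed."""
    if level == NO_EXCLUSION:
        return True
    # Replay protection: the response must echo the nonce this server issued
    # and carry a recent timestamp.
    if payload.get("nonce") != nonce:
        return False
    ts = payload.get("timestampMs")
    if not isinstance(ts, int) or not 0 <= now_ms - ts <= max_age_ms:
        return False
    # A missing or non-boolean verdict counts as a failure.
    basic = payload.get("basicIntegrity") is True
    cts = payload.get("ctsProfileMatch") is True
    return basic if level == REQUIRE_INTEGRITY else basic and cts

# Constructed sample responses: placeholder header and signature, not real attestations.
NOW, NONCE = 1_495_000_060_000, "Y29uc3RydWN0ZWQtbm9uY2U="
def sample(basic: bool, cts: bool, ts: int = NOW - 5_000) -> str:
    body = {"nonce": NONCE, "timestampMs": ts,
            "basicIntegrity": basic, "ctsProfileMatch": cts}
    return ".".join([b64url({"alg": "RS256"}), b64url(body), "c2ln"])

SAMPLES = {"passes both": sample(True, True), "integrity only": sample(True, False),
           "fails both": sample(False, False)}

if __name__ == "__main__":
    for name, jws in SAMPLES.items():
        p = unverified_payload(jws)
        print(name, [allowed(p, lvl, NONCE, NOW) for lvl in (0, 1, 2)])
```

A device that passes integrity but is not certified is accepted at the first two levels and rejected at the third; a stale or mismatched nonce is rejected at any level that consults the attestation.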

I’ll end with some better news: starting with Android O, it will be possible to update graphics drivers from the Play Store, just like you would update an app. Usually, a graphics driver update would require an OTA firmware update or manually flashing a new firmware image, and it’s quite possible this new feature has been made possible thanks to Project Treble.

Paul M
3 years ago

My phone, Xperia Z Ultra, has an unlocked bootloader but is unrooted – I had been trying out Magisk to see if I could have both root without breaking internet banking (Barclays, UK), but for some reason I got terrible battery drain.

Netflix still plays, but my phone is uncertified, and the Barclays Banking app (which is very good at detecting root) runs fine.

Paul M
3 years ago

p.s. my phone has three G accounts on it, if I login to G play as one of the less used accounts and try and install Netflix, it refuses saying my device is incompatible.

KopiJahe
3 years ago

If you have access to a custom recovery (such as TWRP), install magisk, and enable magisk hide on the apps like netflix and play store.

My device comes up as “certified” after doing this.

Chris
3 years ago

KopiJahe :
If you have access to a custom recovery (such as TWRP), install magisk, and enable magisk hide on the apps like netflix and play store.
My device comes up as “certified” after doing this.

As a previous commenter noted the ‘certified’ status seems to be related to whether it can detect if the bootloader is unlocked or not. There are ways to hide this via kernel mods but Magisk itself doesn’t hide it.

Mihai
3 years ago

I bypassed this by using Magisk Hide with LineageOS running on LG G Pad 8.3. When Netflix 5.0 update was released, my unofficial G Pad and my TV box Q10 Pro could not upgrade nor install Netflix anymore, also Netflix would not appear when searching. Before doing this make a backup in TWRP, the ROM on your device may not be compatible with Magisk. I replaced the standard LineageOS root with Magisk, I enabled Magisk Hide and then I checked in Magisk Hide all the Google apps (including Play Store and others, like Connectivity Services and Google Plus) + Netflix,…

Jon Smirl
3 years ago

The “certified” status is based on if the manufacturer has a Google Play License. A signature from the device is computed and sent back to Google. That signature is used to determine if the device has a GPS license. Programs like Magisk must be intercepting the OS level calls used to compute the signature and substituting in another device’s data. App makers can add a SafetyNet check to their app and then execute that check every 15 minutes if they choose. Netflix has not added run-time SafetyNet checks yet. You can read all about it here: https://developer.android.com/training/safetynet/attestation.html At some point…

Mihai
3 years ago

@Jon Smirl I want that implementation, to depend on hardware rather than software. Now it is not done like that, it is implemented inside the OS. As soon as you change OS (root your device and change to LineageOS, let’s say) that device will not be compatible anymore from DRM point of view. This is exactly why this approach will never be used. We will never get rid of DRM, sadly. And I did not say that Magisk is making a Widevine L3 device become a Widevine L1 (that is impossible). Magisk Hide does exactly what the name says: it…

Jon Smirl
3 years ago

@Mihai Complete lockdown is achieved by using a software and hardware combination. The necessary hardware is already in almost every phone. iPhone has it turned on, that is why it was so hard to get into the San Bernardino iPhone. Android is not locked down as hard as an iPhone is. But this could all change at any time. The hardware is sitting there. It is Android fragmentation that blocks Google from implementing a hard lockdown, many of the OEMs have not built hard lockdown into their base software. Nothing stops Google from making hard lockdown an Android O requirement. Once…

Jon Smirl
3 years ago

Another note, this strong lock down is being done to protect banking credentials like Android Pay. If payment services are breached your entire bank account can be drained in seconds. Sometimes they even overdraft it and you end up owing money. In the US these breaches are always refunded to the customer, but it can take months of hassle to get a refund. Meanwhile you have no money. The content industry is utilizing this level of security now to lock down their goods. This whole lockdown mess is only going to get worse over time. I wouldn’t mind it so much…