Google Play Services: What are they, and how do they keep you secure?

Play Services is constantly updating, keeping your phone secure and Google apps ticking along. But there's much more to it than just dry, technical detail.

Depending on how much of a phone nerd you are, you may never have even thought about what Google Play Services actually is. You could be forgiven for dismissing it as a dry and technical part of Android, but in reality, it's a crucially important part of the way the OS works. Essentially, it's what puts the Google into Android, influencing everything from security to Google integration with the apps you use every day.

Google Play Services was announced in 2014 as a way to introduce new features to Android phones without requiring a firmware update. That's because back in 2014, before the days of monthly security patches, even the best Android phones were often left waiting months for crucial fixes. And forcing users to wait for a full firmware update to protect against malicious apps or tweak the way Google features worked was less than ideal.

So there are benefits for everyone. Developers get important APIs that work across the vast majority of the active Android user base. (At the time of writing, every device since 5.0 Lollipop supports the "current" Google Play Services version.) Users, in turn, benefit from this through new features and security fixes, even if they're not running the latest OS version. And for Google, Play Services acts as insurance against the rise of "forked" Android, as we've seen recently through the difficulties faced by Huawei.

More than just an app

Google Play Services is essentially just an app, controlled by Google, which updates automatically in the background on every Google-certified Android phone. There's not really any user-facing part of the app unless you count the "Google Settings" part of the Settings app. But Play Services' various tendrils are spread throughout Android, especially in newer versions of the OS.

As a system-level "app," Play Services can run with elevated permissions and supersede anything and everything in the OS if it needs to. Google has already expanded Play Services' capabilities extensively since it was introduced in 2014, and the company can easily modify it to do even more in the future.

To put it simply: if an Android app interacts with a Google service, chances are it's doing so through Google Play Services.

For apps, Play Services acts as a gateway to Google services on your phone.

The Google Play Services client library gives developers APIs to make apps work with Google services on devices with the Play Services app installed. This includes Cloud Messaging, Drive, Location, Play Games, Wear OS and Google Pay, to name just a few. And because the Play Services app updates automatically in the background and works on all versions of Android going back to Lollipop, Google can roll out changes, improvements, and new features in Android's integration with these services without a firmware update. That means the carriers and device manufacturers aren't in the loop at all, so Google is in complete control of the rollout.

While the Android firmware update situation has improved considerably since Play Services launched in 2014, a Play Services update can still be pushed out much, much quicker than a traditional over-the-air update. As a result, Play Services lets Google move at pace when introducing new features and services for Android.

A great example of this is the Covid-19 Exposure Notification System, developed in cooperation with Apple. On the Android side, the ENS was added in the background as a Play Services update to every Android phone running firmware from 2014 or later. And when a glitch with the system occurred earlier in 2021, Google could fix it almost immediately across the entire ecosystem.

Without Google Play Services, rolling out anything like the Covid-19 ENS would likely have required herculean effort from manufacturers and carriers to develop and certify updated firmware for every Android phone in the world.

Google couldn't have built its Exposure Notification System without Play Services.

It's also good for developers and users for many other reasons, most of which are pretty obvious once you think about it. Rather than devs having to worry about targeting each of these Google features differently across OS versions, the heavy lifting is done by Play Services. What's more, users aren't left in the lurch if they're not running the latest version of Android. (And even in 2021, there are still a lot of users not running the latest version of Android.)

Through Play Services, many things thought to be Android features — like Google location services or Google Play Games — have been decoupled from the core OS. That's another reason why directly comparing iOS and Android version distribution doesn't tell the whole story. A very significant part of the Google Android experience is kept up-to-date, automatically, in the background.

Google has continued this push towards more modularity in Android in the years since Play Services first arrived. Most notably, in Android 10, "Project Mainline," a.k.a. Google Play System Updates, allowed parts of the OS itself, like Wi-Fi, tethering, and neural networking components, to be updated by Google without requiring a full firmware update. In Android 12, Google has expanded Mainline to include the Android runtime itself, the part that runs your apps. All of that makes Android much more secure, even if your phone isn't running the latest platform update.

It's true that some changes, fixes, and improvements still require a firmware update. But in today's Android ecosystem, there's a ton of really important stuff that no longer does.

A firewall against malware

Google Play Services also has an enormous role to play in securing older Android phones against bad apps, which generally come from app stores other than the Google Play Store.

The main weapon in Google's arsenal is Google Play Protect, which is effectively Android's built-in virus scanner. When you're installing an app from a third-party location, it's scanned by this constantly updated feature to identify malicious tendencies, and Play Protect will also periodically scan your phone in the background. This is a big part of why scary-sounding Android security bugs like 2015's "Fake ID" never end up taking off. Thanks to Play Services, the vast majority of Android devices are protected, and offending apps are nipped in the bud almost immediately.

You could say this is a stopgap solution, since the underlying vulnerability isn't fixed until a firmware update or Project Mainline update is rolled out. But either way, the malware's not getting through, and users are protected — even if they're running an older Android security patch level.

Google's Android insurance policy

Google Play Services is packed with proprietary Google stuff, and as such, isn't included in the Android Open-Source Project (AOSP). Like other Google apps, it's closed-source. Any "fork" of open-source Android — a version built off AOSP without Google's involvement — is on its own in terms of having to recreate what Play Services provides.

Nothing stops a manufacturer that wants to build an Android device without GMS (Google Mobile Services) approval from building its own service layer instead of Play Services. For example, Huawei has done exactly that with its Huawei Mobile Services layer. But such an endeavor represents a huge technical challenge, so for most manufacturers who aren't legally compelled not to work with Google, it's easier to just license Play Services along with the rest of GMS.

Android may be open source, but Play Services definitely isn't.

Just as Play Services is a solution to some of Android's inherent weaknesses — the slow pace of firmware updates due to the number of moving parts involved, and the app development and security implications of this — the lack of Play Services in Android forks creates significant engineering work for anyone serious about taking Android away from Google. In effect, it's an insurance policy that guarantees Google long-term control of Android — at least everywhere outside of mainland China.

That's not to say this is necessarily part of any diabolical Google master plan, yet this is the situation that exists. An operating system like Android can only gobble up market share with the help of device (and carrier) diversity. Diversity inevitably leads to fragmentation, and to combat that, you need a service and security layer that exists outside the OS.

That's the challenge that any convincing fork of Android needs to solve, and it's not an easy one. In the meantime, those in the Google Android world have Play Services to thank for enabling the platform's growth and helping keep phones secure.


by Alex Dobie