Quietly and without any fanfare, Google disabled the ability for Android Pay to make payments on phones with unlocked bootloaders; landing in line with its previously held policy of not allowing rooted phones to access the payment system. It's frustrating to some, but it's the right move and it's in line with Google's vision for the security of its platform and services.
Android, as built by Google and not modified or having native security features disabled, is really secure. Security chief Adrian Ludwig speculates that one day we'll see U.S. presidents use Android (thanks, Obama) because it's safe and you have complete control over where and how your data is shared. But all that goes away once you start changing settings, enable USB communication or unlock your bootloader.
An unlocked bootloader is not secure, and when money is involved security is paramount.
It can be frustrating for a power user or enthusiast, but it's time we realize that Android is not built just for us. It's built for everyone — including people who may have unlocked their bootloader without understanding the implications of it all. These are the people who need to be protected from something on their phone that might be able to get access to their bank account or credit card information.
This doesn't just protect the person with the unlocked bootloader, either. When a bank or card issuer has to eat the cost of a fraudulent charge, it doesn't happily consider it a fact of doing business — it wants to limit these instances as much as possible. Interest rates and service fees are how the banks and card issuers make money from us, and raising one or the other (or both) is what happens when the expenditures column get's bigger due to fraudulent charges from insecure systems. In some cases, the banks and card issuers just skip payment methods like Android Pay altogether before they get to that point. By keeping Android Pay from running on potentially compromised phones, it helps Google get more companies on board. For example, Chase took forever to join Android Pay — and there are plenty of other banks yet to join. Not doing everything possible to make the service secure would be a great way to scare them off and keep it from happening.
Thankfully, you don't have to unlock your bootloader to manually update your phone since you can sideload update packages if you're impatient. Maybe one day developers will make use of Android's native app data backup service so we won't have to use Titanium or something similar to keep our app data in place. In the meantime, if we unlock the bootloader we lose Android Pay. It's that simple.
Google's not trying to stop anyone from unlocking their phone's bootloader, nor is it trying to turn Android into something that's not "hacker friendly" (the good kind of hacker). We can still unlock the bootloader to root or to run a different version of Android or just because we want to, but we can't use Android Pay — a service owned by Google and never intended to be open — if we do it.