The genius of Google Play Services: Tackling Android fragmentation, malware and forking in one fell swoop

If you pay close enough attention to these things, you've probably seen Google Play Services updating from time to time on your Android devices. If you follow the more technical side of Android, you'll know it was announced a couple of years ago to introduce new APIs and features in a way that doesn't require a firmware update. You could be forgiven for dismissing it as a dry and technical part of the OS, but in reality it's a crucially important part of the way modern Android works.

Developers get important APIs which work across the vast majority of the active Android user base. Users in turn benefit from this, through new features and security fixes even if they're not running the latest OS version. And for Google, Play Services acts as insurance against the rise of "forked" Android.

Read on to see how Google Play Services is a formidable weapon against some of Android's (and Google's) greatest foes, and how any discussion of Android security or "fragmentation" is flawed without an understanding of it.

A Play Services primer

First things first — what is Google Play Services? From the user's perspective it's an app, controlled by Google, which updates automatically in the background through the Google Play Store. There's not really any user-facing part of the app, unless you count the "Google Settings" icon on phones running Lollipop and earlier versions. But Play Services' various tendrils are spread throughout Android, especially in newer versions of the OS.

As a system-level "app," Play Services can run with elevated permissions and supersede anything and everything in the OS if it needs to, so Google can easily modify it to do more in the future.

Play Services is the gatekeeper for Google services on your Android device.

To put it simply: if an Android app interacts with a Google service, chances are it's doing so through Google Play Services.

During the Google I/O 2014 keynote, Google VP Sundar Pichai said that new versions of Play Services were rolling out every six weeks, adding that 93 percent of the active Android install base was running the latest version at the time.

Tools for developers

The Google Play Services client library gives developers APIs to make apps work with Google services on devices with the Play Services app installed. This includes Cloud Messaging, Drive, Location, Play Games, Android Wear and Google Fit, to name just a few. And because the Play Services app updates automatically in the background, and works on all versions of Android back to 2.3 Gingerbread, Google can roll out changes, improvements and new features in Android's integration with these services without a firmware update.

That's a pretty big deal in a world where Jelly Bean and KitKat — Android 4.1-4.4 — continue to dominate the active install base, with Lollipop making up just 12.4 percent of active installs at the last count. (Contrast that against the 93 percent figure given by Sundar Pichai at last year's I/O.) Because Play Services exists, a lot more people have access to up-to-date versions of features like Play Games and Android Wear than would otherwise be the case. It's this which allows for the insane pace of Android even as many OEMs continue to drag their feet on platform upgrades.

This is good for developers and users for a whole bunch of reasons, most of which are obvious. Rather than devs having to worry about targeting each of these Google features differently across OS versions, the heavy lifting is done by Play Services. What's more, users aren't left in the lurch if they're not running the latest version of Android.

Features and security for users

Through Play Services, many things thought to be Android features — like Lollipop's Smart Lock, Google location services and Play Games — have been decoupled from the core OS. That's another reason why directly comparing iOS and Android version distribution doesn't tell the whole story. A very significant part of the Google Android experience is kept up-to-date, automatically, in the background.

That's aside from the fact that most of Google's own Android apps can be updated independently through Google Play — a collection which, as of Android 5.0, also includes the WebView component used to render web pages inside apps. The same is true of many manufacturer-bundled apps — HTC, for instance, now pushes out updates to many of its Sense apps through the Play Store.

It's true that some changes, fixes and improvements still require a firmware update. But in the Android ecosystem of 2015, there's a lot of really important stuff that no longer does.

The role of Play Services in Android security is so often ignored by the doomsayers.

By the same token, it's inaccurate to say that being on an older version of Android leaves users wide open to malware. Google Play Services has an enormous role to play in securing older Android phones against bad apps, which generally come from app stores other than Google Play.

The main weapon in Google's arsenal is the "verify apps" feature, which is turned on by default in Android 4.2 and above. When you're installing an app from a third-party location, it's scanned by this constantly-updated feature to identify malicious tendencies. This is exactly what happened during the Android "fake ID" security scare last year, and thanks to Play Services the vast majority of Android devices were never exposed to it. (The Google Play Store was updated in a similar way to block apps using this particular exploit.)

You might think of this as a stopgap solution, and in a way it is. But as we pointed out at the time, it's a pretty effective one. Either way, the malware's not getting through, and users are protected — even if they're on an old version of Android. This is the point that Microsoft misses when it takes a shot at Google's record on mobile security.

Insurance for Google

Google Play Services is packed with proprietary Google stuff, and as such isn't included in the Android Open-Source Project (AOSP). Like other Google apps, it's closed-source. Any "fork" of open-source Android released without Google's bits is on its own.

The lack of Play Services in Android forks creates a ton of extra work for anyone serious about taking Android away from Google.

There's nothing stopping a manufacturer that wants to build an Android device without GMS (Google Mobile Services) approval from building its own service layer atop the open-source OS. But so far the most important features of Play Services haven't been recreated by these players, even those who talk openly about commandeering Android and "putting a bullet through Google's head."

Just as Play Services is a solution to some of Android's inherent weaknesses — the slow pace of firmware updates, due to the number of moving parts involved, and the app development and security implications of this — the lack of Play Services in Android forks creates significant engineering work for anyone serious about taking Android away from Google.

We're not suggesting this is part of some diabolical Google master plan, yet this is the situation that exists. An operating system like Android can only gobble up market share with the help of device (and carrier) diversity. Diversity inevitably leads to fragmentation, and to combat that you need a service and security layer that exists outside the OS.

That's the challenge that any convincing fork of Android needs to solve. In the meantime, those in the Google Android world have Play Services to thank for enabling the growth of the platform, and helping keep devices secure.

Alex Dobie
Executive Editor

Alex was with Android Central for over a decade, producing written and video content for the site, and served as global Executive Editor from 2016 to 2022.