  • 8y security updates on FairPhone 5, will the devs consider porting GrapheneOS?

The recently unveiled Fairphone 5 generates interest due to its impressive 8-year security update plan. This extended software support duration prompts the question: Could GrapheneOS be adapted for this model?

The Fairphone 5 boasts an exceptional 8-year software support pledge. This aligns seamlessly with GrapheneOS's dedication to long-term firmware and software maintenance. This congruence ensures prolonged access to security enhancements and fixes for users.

The Fairphone 5's values strongly resonate with GrapheneOS's prerequisites, making it a potential candidate for compatibility. Its emphasis on durability, hardware security, continuous backing, and community involvement closely mirrors the goals of GrapheneOS.

    Advertising products on our forum with marketing materials is inappropriate.

    Fairphone has never previously provided full security patches for anywhere close to their promised support. The Fairphone 4 doesn't currently receive proper security support but rather receives the Android Security Bulletin patches consistently 1-2 months late and many of the recommended patches (Pixel Update Bulletin) years late.

    Fairphone 4 does not include a secure element and does not provide many of the expected hardware security features. It also has a broken/incomplete implementation of verified boot and attestation.

      Good to see GOS always being consistent with their no compromise philosophy. Hopefully Fairphones will at some point have all the proper security features and updates in place since I'd much rather buy their phones over Pixels. But until then, I'll remain a happy GOS user on Google Phones.

      The track record of Fairphones regarding security and security updates is really quite bad. In their current state, both the Fairphone 4 and 5 are clearly unsuitable for consideration for GrapheneOS support. Unfortunately, people still fall for the company's deceptive marketing and celebrate them for delivering incomplete Android updates years late.

        I would love to see some real conversation between GOS devs and Fairphone creators, with all the issues with the hardware listed, and then explained from both sides of the story - maybe it is impossible to create an independent hardware platform that conforms to GOS standards at the moment? I would love to KNOW, instead of assuming or guessing.

          mateusz The aim of Fairphone isn't security, it's to offer many years of partial updates and to make repairs possible for everyone, although a Pixel 6a isn't that hard to repair. There are plenty of phone models to choose from at Google.

          21 days later

          paolovador according to this guy the Fairphone 5 correctly uses non-test keys for AVB, contrary to the 3 and 4.

          That's good news. But what about the other issues GrapheneOS identified? Fixing one of four(?) serious issues would leave three(?) serious issues. Using non-junk signing keys is likely the easiest fix (the others could be 100X harder).

          Having a second reasonably-secure platform for GrapheneOS would be great. But since none of the other platforms (that I'm aware of) have had just one flaw, fixing just one flaw wouldn't fix any platform (that I'm aware of).

            If they can whistle up a Titan chip, or equivalent, as a starter ……

            de0u I know that they definitively have no secure element either in this one.
            Regarding the other issues I cannot check

            a month later

            hellraizzer honestly I think we won't know until they do support it, if they do it at all, which I could bet they probably won't. Fairphone doesn't have a good track record regarding security.

            de0u yeah, I quite like their "modular-sustainable" philosophy, so if they at some point decided to have proper security and thus were able to support properly running GrapheneOS, I'd probably choose a Fairphone rather than a Pixel. I'd imagine (though I was never involved in negotiating such deals) that it could be beneficial in terms of increasing user numbers for both them and GOS.

            alex The track record of Fairphones regarding security and security updates is really quite bad.

            Where can I confirm this situation independently? Any links to credible sources?

              My thought is “If it isn’t a Pixel, the answer is no.”

              An equivalent in hardware may or may not be considered.

              ve3jlg Where can I confirm this situation independently? Any links to credible sources?

              Can you provide further details about what you're looking for in terms of credibility?

              For example, if "credible source" means "written by Fairphone", then I think it's unlikely that an official Fairphone person would write "our security is inadequate".

              GrapheneOS wrote "Fairphone 4 does not include a secure element". Is there a credible source that says the Fairphone 5 has a secure element? I just looked at a Qualcomm web page about the QCM6490 and while there is a box labeled "Security" that's not useful. The bottom of the page says "To access more QCM6490 resources, you need to be a member of a verified company", which is not particularly encouraging.

              GrapheneOS also wrote "The Fairphone 4 doesn't currently receive proper security support but rather receives the Android Security Bulletin patches consistently 1-2 months late and many of the recommended patches (Pixel Update Bulletin) years late."

              That statement could be verified, or disproven, by examining Fairphone release notes and/or commit logs. Though I think it would be great to have GrapheneOS running on more than one hardware platform, I personally can't estimate when I might have time to analyze Fairphone commit logs -- or whether I would count as a credible source.

              I looked briefly at the Fairphone web site and saw the word "security" a bunch of times, but I didn't see any details. Personally I consider the specific claims made by GrapheneOS to be at least fairly credible, and it's not clear which other sources discuss Fairphone security in any detail.

              Fairphone seems to be "introducing" Android 13 in October 2023, and touting a security patch level of August 5:

              https://support.fairphone.com/hc/en-us/articles/4405858220945-Fairphone-4-OS-Release-Notes

              It's consistently behind in providing updates - if the vendor cannot properly support their device in a timely manner, that's firmware updates that an alternative OS like GrapheneOS cannot ship, the OEM has to ship those. That alone disqualifies a device like that from being considered, aside from the fact that they lack the actual hardware security features which GrapheneOS utilizes and considers necessary.

              "Years of support" are no good if it means providing some updates, sometimes, after significant delays. Support should mean timely support. If GrapheneOS said it would support a device for its entire lifetime, but delivered patches months late, would you consider that acceptable? My guess would be that if you're using GrapheneOS, you care about receiving the latest security patches as a minimum, so the answer to that would be no, so why should Fairphone get a pass?

              It is unfortunate that people fall for their marketing and think that the device is somehow a good or viable choice, or that it's somehow special and provides something that other devices don't.

              Even from a repairability and sustainability perspective, I would argue that a Pixel 8 that will be receiving 7 years of proper and timely updates is a better bet. Google also seems to have committed to providing parts like screens, cameras and batteries for the entirety of the device's lifetime through ifixit. Could it be easier to replace the battery in the Pixels? Absolutely, and I would love to see OEMs move back to that, but again, that doesn't make a phone like the Fairphone a good choice until it can provide the bare minimum.

                4 months later

                I found this thread's discussions very enlightening & wanted to say thanks.

                matchboxbananasynergy Pixels should get user replaceable batteries by 2027 if Google want to be able to sell Pixels in the EU if this reporting (& others like it) is accurate:

                https://www.androidcentral.com/phones/eu-mandates-replaceable-batteries-2027

                I have been testing for my family off & on for multiple years multiple phone OS's including GrapheneOS, CalyxOS, EOS, IodeOS, & LineageOS (loaded all of them and done some testing with one of my kids and I on each).

                For a while we have standardized our family daily drivers on either GrapheneOS or CalyxOS (Pixels or Fairphones).

                For a while I was leaning toward standardizing on Fairphones running CalyxOS for the following reasons (off the top of my head):

                1) CalyxOS HAD better google apps support via MicroG BUT now GrapheneOS appears to have taken the lead via sandboxed Google Play;

                2) Only Fairphone supported Video Out BUT now reportedly Pixel 8's also do (if you replace stock OS which disables it);

                3) Fairphone's self repairability & parts availability was far superior but Google is getting better here (still behind but better);

                4) Fairphone's self battery replacement IS way ahead of Google Pixels but that may be forcibly fixed soon...

                5) Lack of Android Auto was a pain on both (so neutral on the decision) but now GrapheneOS supports it and that is great;

                For me, for a long time, the scales were fairly close (pros/cons on both sides) which is why we ran both as daily drivers...
                if I had to give the nod to one or the other a while back I would lean toward Fairphones w/ Calyx though GrapheneOS & Pixels kept getting better on the areas that I cared about...

                For me the scales tipped into GrapheneOS's favor when Sandboxed-GooglePlay + Android-Auto started working & when I heard Pixel 8's now can do Video Out with GrapheneOS...

                Hearing of iFixIt related improvements (repairability & parts) for Pixels is also heartening (especially if Pixel batteries are soon going to be easily user replaceable).

                Factoring in this thread's security discussion helps reinforce where I was already leaning as it helps understand why the marketing on the Fairphone 5 is not the panacea it seems at first...

                Thanks again for the great discussions.

                  nodoze
                  Unless Pixel 2027 fixes the worst pos fingerprint scanner ever that makes me want to smash this phone through a wall, Google wouldn't be able to pay me to use this turd. On top of that almost 2 year old bugs on their "flagship" phones (stretched wallpapers on secondary users, apps that get stuck in app switcher etc). I'm going to use this 7 Pro until GrapheneOS supports it and if there's no good Pixel by then or alt to Pixel that supports GOS then unfortunately I am back to iOS. Imagine if GOS had the self delete option after 5-10 failed fingerprint reads like iOS. Your phone would be wiped daily. And no it's not just my phone, I had it RMA'd and my friend with GOS has the same problems. GOS is awesome but f Google for half-assing everything they try.