  • 8y security updates on FairPhone 5, will the devs consider porting GrapheneOS?

mateusz The aim of Fairphone isn't security, it's to offer many years of partial updates and to make repairs possible for everyone, although a Pixel 6a isn't that hard to repair. There are plenty of phone models to choose from at Google.

21 days later

paolovador According to this guy, the Fairphone 5 correctly uses non-test keys for AVB, contrary to the 3 and 4.

That's good news. But what about the other issues GrapheneOS identified? Fixing one of four(?) serious issues would leave three(?) serious issues. Using non-junk signing keys is likely the easiest fix (the others could be 100X harder).

Having a second reasonably-secure platform for GrapheneOS would be great. But since none of the other platforms (that I'm aware of) have had just one flaw, fixing just one flaw wouldn't fix any platform (that I'm aware of).

    If they can whistle up a Titan chip, or equivalent, as a starter ……

    de0u I know that they definitively have no secure element either in this one.
    Regarding the other issues, I cannot check.

    a month later

    @hellraizzer Honestly I think we won't know until they do support it, if they do it at all, which I could bet they probably won't. Fairphone doesn't have a good track record regarding security.

    de0u yeah, I quite like their "modular-sustainable" philosophy, so if they at some point decided to have proper security and thus were able to support properly running GrapheneOS, I'd probably choose a Fairphone rather than a Pixel. I'd imagine (though I was never involved in negotiating such deals) that it could be beneficial in terms of increasing user numbers for both them and GOS.

    alex The track record of Fairphones regarding security and security updates is really quite bad.

    Where can I confirm this situation independently? Any links to credible sources?

      My thought is “If it isn’t a Pixel, the answer is no.”

      An equivalent in hardware may or may not be considered.

      ve3jlg Where can I confirm this situation independently? Any links to credible sources?

      Can you provide further details about what you're looking for in terms of credibility?

      For example, if "credible source" means "written by Fairphone", then I think it's unlikely that an official Fairphone person would write "our security is inadequate".

      GrapheneOS wrote "Fairphone 4 does not include a secure element". Is there a credible source that says the Fairphone 5 has a secure element? I just looked at a Qualcomm web page about the QCM6490 and while there is a box labeled "Security" that's not useful. The bottom of the page says "To access more QCM6490 resources, you need to be a member of a verified company", which is not particularly encouraging.

      GrapheneOS also wrote "The Fairphone 4 doesn't currently receive proper security support but rather receives the Android Security Bulletin patches consistently 1-2 months late and many of the recommended patches (Pixel Update Bulletin) years late."

      That statement could be verified, or disproven, by examining Fairphone release notes and/or commit logs. Though I think it would be great to have GrapheneOS running on more than one hardware platform, I personally can't estimate when I might have time to analyze Fairphone commit logs -- or whether I would count as a credible source.

      I looked briefly at the Fairphone web site and saw the word "security" a bunch of times, but I didn't see any details. Personally I consider the specific claims made by GrapheneOS to be at least fairly credible, and it's not clear which other sources discuss Fairphone security in any detail.

      Fairphone seems to be "introducing" Android 13 in October 2023, and touting a security patch level of August 5:

      https://support.fairphone.com/hc/en-us/articles/4405858220945-Fairphone-4-OS-Release-Notes

      It's consistently behind in providing updates - if the vendor cannot properly support their device in a timely manner, that's firmware updates that an alternative OS like GrapheneOS cannot ship, the OEM has to ship those. That alone disqualifies a device like that from being considered, aside from the fact that they lack the actual hardware security features which GrapheneOS utilizes and considers necessary.

      "Years of support" are no good if it means providing some updates, sometimes, after significant delays. Support should mean timely support. If GrapheneOS said it would support a device for its entire lifetime, but delivered patches months late, would you consider that acceptable? My guess would be that if you're using GrapheneOS, you care about receiving the latest security patches as a minimum, so the answer to that would be no, so why should Fairphone get a pass?

      It is unfortunate that people fall for their marketing and think that the device is somehow a good or viable choice, or that it's somehow special and provides something that other devices don't.

      Even from a repairability and sustainability perspective, I would argue that a Pixel 8 that will be receiving 7 years of proper and timely updates is a better bet. Google also seems to have committed to providing parts like screens, cameras and batteries for the entirety of the device's lifetime through ifixit. Could it be easier to replace the battery in the Pixels? Absolutely, and I would love to see OEMs move back to that, but again, that doesn't make a phone like the Fairphone a good choice until it can provide the bare minimum.

        4 months later

        I found this thread's discussions very enlightening & wanted to say thanks.

        matchboxbananasynergy Pixels should get user replaceable batteries by 2027 if Google want to be able to sell Pixels in the EU if this reporting (& others like it) is accurate:

        https://www.androidcentral.com/phones/eu-mandates-replaceable-batteries-2027

        I have been testing for my family off & on for multiple years multiple phone OS's including GrapheneOS, CalyxOS, EOS, IodeOS, & LineageOS (loaded all of them and done some testing with one of my kids and I on each).

        For a while we have standardized our family daily drivers on either GrapheneOS or CalyxOS (Pixels or Fairphones).

        For a while I was leaning toward standardizing on Fairphones running CalyxOS for the following reasons (off the top of my head):

        1) CalyxOS HAD better google apps support via MicroG BUT now GrapheneOS appears to have taken the lead via sandboxed Google Play;

        2) Only Fairphone supported Video Out BUT now reportedly Pixel 8's also do (if you replace stock OS which disables it);

        3) Fairphone's self repairability & parts availability was far superior but Google is getting better here (still behind but better);

        4) Fairphone's self battery replacement IS way ahead of Google Pixels but that may be forcibly fixed soon...

        5) Lack of Android Auto was a pain on both (so neutral on the decision) but now GrapheneOS supports it and that is great;

        For me, for a long time, the scales were fairly close (pros/cons on both sides) which is why we ran both as daily drivers...
        if I had to give the nod to one or the other a while back I would lean toward Fairphones w/ Calyx though GrapheneOS & Pixels kept getting better on the areas that I cared about...

        For me the scales tipped into GrapheneOS's favor when Sandboxed-GooglePlay + Android-Auto started working & when I heard Pixel 8's now can do Video Out with GrapheneOS...

        Hearing of iFixIt related improvements (repairability & parts) for Pixels is also heartening (especially if Pixel batteries are soon going to be easily user replaceable).

        Factoring in this thread's security discussion helps reinforce where I was already leaning as it helps understand why the marketing on the Fairphone 5 is not the Panacea it seems at first...

        Thanks again for the great discussions.

          nodoze
          Unless Pixel 2027 fixes the worst pos fingerprint scanner ever that makes me want to smash this phone through a wall, Google wouldn't be able to pay me to use this turd. On top of that, almost 2 year old bugs on their "flagship" phones (stretched wallpapers on secondary users, apps that get stuck in app switcher etc). I'm going to use this 7 Pro until GrapheneOS supports it and if there's no good Pixel by then or alt to Pixel that supports GOS then unfortunately I am back to iOS. Imagine if GOS had the self delete option after 5-10 failed fingerprint reads like iOS. Your phone would be wiped daily. And no it's not just my phone, I had it RMA'd, and my friend with GOS has the same problems. GOS is awesome but f Google for halfassing everything they try.

            Imagine if GOS had the self delete option after 5-10 failed fingerprint reads like iOS

            That's not how it works on iOS...

            It sounds like you're using a screen protector interfering with fingerprint.

            @nodoze GrapheneOS has had sandboxed Google Play since 2021. CalyxOS is a blatantly unsafe choice. You're much better off using an iPhone than a Fairphone or CalyxOS on any device. Providing proper privacy/security patches and not misleading users about privacy/security with cover ups and false marketing is the bare minimum.

            GrapheneOS and CalyxOS are very different. GrapheneOS is a hardened OS with substantial privacy/security improvements:

            https://grapheneos.org/features

            CalyxOS is not a hardened OS. It greatly reduces security vs. AOSP via added attack surface, rolled back security and slow patches.

            Compatibility with Android apps on GrapheneOS is also much different. GrapheneOS provides our sandboxed Google Play compatibility layer:

            https://grapheneos.org/usage#sandboxed-google-play

            Can run the vast majority of Play Store apps on GrapheneOS, but not CalyxOS with the problematic microG approach.

            https://eylenburg.github.io/android_comparison.htm is a third party comparison between different alternate mobile operating systems. It could include many more privacy/security features but it's a good starting point.

            https://privsec.dev/posts/android/choosing-your-android-based-operating-system/ is an article with more long form comparisons between OSes.

              gosrox Very sorry to hear of your pain. I have had no issues on my Pixel 7 running GOS as my daily driver for many months now. My Pixel 8 Pro recently arrived but I have not had time to install GOS and configure things to switch from the Pixel 7 to the Pixel 8 Pro but, if I have fingerprint issues on the 8 Pro I will try to remember to circle back. My kids are running GOS on Pixel 6A & 7A with no major issues reported & my memory was/is that I tested fingerprint access on them fine before giving them the phones.