My thought is “If it isn’t a Pixel, the answer is no.”
An equivalent in hardware may or may not be considered.
ve3jlg Where can I confirm this situation independently? Any links to credible sources?
Can you provide further details about what you're looking for in terms of credibility?
For example, if "credible source" means "written by Fairphone", then I think it's unlikely that an official Fairphone person would write "our security is inadequate".
GrapheneOS wrote "Fairphone 4 does not include a secure element". Is there a credible source that says the Fairphone 5 has a secure element? I just looked at a Qualcomm web page about the QCM6490 and while there is a box labeled "Security" that's not useful. The bottom of the page says "To access more QCM6490 resources, you need to be a member of a verified company", which is not particularly encouraging.
GrapheneOS also wrote "The Fairphone 4 doesn't currently receive proper security support but rather receives the Android Security Bulletin patches consistently 1-2 months late and many of the recommended patches (Pixel Update Bulletin) years late."
That statement could be verified, or disproven, by examining Fairphone release notes and/or commit logs. Though I think it would be great to have GrapheneOS running on more than one hardware platform, I personally can't estimate when I might have time to analyze Fairphone commit logs -- or whether I would count as a credible source.
I looked briefly at the Fairphone web site and saw the word "security" a bunch of times, but I didn't see any details. Personally I consider the specific claims made by GrapheneOS to be at least fairly credible, and it's not clear which other sources discuss Fairphone security in any detail.
Fairphone seems to be "introducing" Android 13 in October 2023, and touting a security patch level of August 5:
https://support.fairphone.com/hc/en-us/articles/4405858220945-Fairphone-4-OS-Release-Notes
It's consistently behind in providing updates - if the vendor cannot properly support their device in a timely manner, that's firmware updates that an alternative OS like GrapheneOS cannot ship, the OEM has to ship those. That alone disqualifies a device like that from being considered, aside from the fact that they lack the actual hardware security features which GrapheneOS utilizes and considers necessary.
"Years of support" are no good if it means providing some updates, sometimes, after significant delays. Support should mean timely support. If GrapheneOS said it would support a device for its entire lifetime, but delivered patches months late, would you consider that acceptable? My guess would be that if you're using GrapheneOS, you care about receiving the latest security patches as a minimum, so the answer to that would be no, so why should Fairphone get a pass?
It is unfortunate that people fall for their marketing and think that the device is somehow a good or viable choice, or that it's somehow special and provides something that other devices don't.
Even from a repairability and sustainability perspective, I would argue that a Pixel 8 that will be receiving 7 years of proper and timely updates is a better bet. Google also seems to have committed to providing parts like screens, cameras and batteries for the entirety of the device's lifetime through ifixit. Could it be easier to replace the battery in the Pixels? Absolutely, and I would love to see OEMs move back to that, but again, that doesn't make a phone like the Fairphone a good choice until it can provide the bare minimum.
I found this thread's discussions very enlightening & wanted to say thanks.
matchboxbananasynergy Pixels should get user replaceable batteries by 2027 if Google want to be able to sell Pixels in the EU if this reporting (& others like it) is accurate:
https://www.androidcentral.com/phones/eu-mandates-replaceable-batteries-2027
I have been testing for my family off & on for multiple years multiple phone OS's including GrapheneOS, CalyxOS, EOS, IodeOS, & LineageOS (loaded all of them and done some testing with one of my kids and I on each).
For a while we have standardized our family daily drivers on either GrapheneOS or CalyxOS (Pixels or Fairphones).
For a while I was leaning toward standardizing on Fairphones running CalyxOS for the following reasons (off the top of my head):
1) CalyxOS HAD better google apps support via MicroG BUT now GrapheneOS appears to have taken the lead via sandboxed Google Play;
2) Only Fairphone supported Video Out BUT now reportedly Pixel 8's also do (if you replace stock OS which disables it);
3) Fairphone's self repairability & parts availability was far superior but Google is getting better here (still behind but better);
4) Fairphone's self battery replacement IS way ahead of Google Pixels but that may be forcibly fixed soon...
5) Lack of Android Auto was a pain on both (so neutral on the decision) but now GrapheneOS supports it and that is great;
For me, for a long time, the scales were fairly close (pros/cons on both sides) which is why we ran both as daily drivers...
if I had to give the nod to one or the other a while back I would lean toward Fairphones w/ Calyx though GrapheneOS & Pixels kept getting better on the areas that I cared about...
For me the scales tipped into GrapheneOS's favor when Sandboxed-GooglePlay + Android-Auto started working & when I heard Pixel 8's now can do Video Out with GrapheneOS...
Hearing of iFixIt related improvements (repairability & parts) for Pixels is also heartening (especially if Pixel batteries are soon going to be easily user replaceable).
Factoring in this thread's security discussion helps reinforce where I was already leaning as it helps understand why the marketing on the Fairphone 5 is not the Panacea it seems at first...
Thanks again for the great discussions.
nodoze
Unless Pixel 2027 fixes the worst pos fingerprint scanner ever that makes me want to smash this phone through a wall, Google wouldn't be able to pay me to use this turd. On top of that, almost 2 year old bugs on their "flagship" phones (stretched wallpapers on secondary users, apps that get stuck in app switcher etc). I'm going to use this 7 Pro until GrapheneOS supports it and if there's no good Pixel by then or alt to Pixel that supports GOS then unfortunately I am back to iOS. Imagine if GOS had the self delete option after 5-10 failed fingerprint reads like iOS. Your phone would be wiped daily. And no, it's not just my phone; I had it RMA'd and my friend with GOS has the same problems. GOS is awesome but f Google for halfassing everything they try.
Imagine if GOS had the self delete option after 5-10 failed fingerprint reads like iOS
That's not how it works on iOS...
It sounds like you're using a screen protector interfering with fingerprint.
@nodoze GrapheneOS has had sandboxed Google Play since 2021. CalyxOS is a blatantly unsafe choice. You're much better off using an iPhone than a Fairphone or CalyxOS on any device. Providing proper privacy/security patches and not misleading users about privacy/security with cover ups and false marketing is the bare minimum.
GrapheneOS and CalyxOS are very different. GrapheneOS is a hardened OS with substantial privacy/security improvements:
https://grapheneos.org/features
CalyxOS is not a hardened OS. It greatly reduces security vs. AOSP via added attack surface, rolled back security and slow patches.
Compatibility with Android apps on GrapheneOS is also much different. GrapheneOS provides our sandboxed Google Play compatibility layer:
https://grapheneos.org/usage#sandboxed-google-play
Can run the vast majority of Play Store apps on GrapheneOS, but not CalyxOS with the problematic microG approach.
https://eylenburg.github.io/android_comparison.htm is a third party comparison between different alternate mobile operating systems. It could include many more privacy/security features but it's a good starting point.
https://privsec.dev/posts/android/choosing-your-android-based-operating-system/ is an article with more long form comparisons between OSes.
GrapheneOS iOS' closed source nature and mandatory user identification make it unusable.
mateowoetam There is no way this wasn't written by ChatGPT, right? It's such an incredibly strange way of writing. Are you an actual person?
gosrox Very sorry to hear of your pain. I have had no issues on my Pixel 7 running GOS as my daily driver for many months now. My Pixel 8 Pro recently arrived but I have not had time to install GOS and configure things to switch from the Pixel 7 to the Pixel 8 Pro but, if I have fingerprint issues on the 8 Pro I will try to remember to circle back. My kids are running GOS on Pixel 6A & 7A with no major issues reported & my memory was/is that I tested fingerprint access on them fine before giving them the phones.
GrapheneOS Thanks for the good references.
iOS is not an option for me & my family as I don't want closed source, closed/captured ecosystems, luxury tax, etc & I don't want Apple having all my data/etc. Considering Cancel Culture it would be foolish to have so much tied to one company.
My post above was my historical look till now and started well before 2021 as I have been a smartphone user since the 90s & first started using Android devices with my kids in the late 2000s or early 2010s.
For many folk, including me, Google App support was/is a requirement which ruled out GOS until you finally added Sandboxed-GooglePlay in 2021 & then Android-Auto in 2023...
Video-out support is also one of my requirements which GOS could not do until the Pixel 8's supported it in Oct 2023 (except maybe much older Pixels back before you supported google apps). Not everyone can or wants to buy Pixel 8's...
GrapheneOS pardon me but I'm confused by this answer. Isn't the whole point of grapheneos to patch the security vulnerabilities? If GOS does, then even if Fairphone is a little behind in their updates, GOS software can itself be updated to fix any security vulnerabilities.
Or are you telling us that graphene basically is at the mercy of google fixing these vulnerabilities? [removed content breaking forum rules]
[removed content breaking forum rules]
CodexAG Isn't the whole point of grapheneos to patch the security vulnerabilities? If GOS does, then even if Fairphone is a little behind in their updates, GOS software can itself be updated to fix any security vulnerabilities.
Vulnerabilities come in different kinds. Two of the big kinds are vulnerabilities in (1) the binary-only firmware blobs that boot AOSP and run important hardware such as the cellular modem, the Wi-Fi/Bluetooth chip, the GPU, etc., versus (2) vulnerabilities in the open-source part of AOSP.
On pretty much all phones, each firmware blob is a cooperative effort between a phone vendor and a chip vendor. When there is a vulnerability in the firmware blobs, only those parties can patch the vulnerability and issue a new blob. Sometimes part of the code built into a firmware blob was provided by Google to a phone vendor. But that doesn't mean that when Google provides a patch that the phone vendor will quickly issue a new blob.
Sometimes the GrapheneOS project uncovers bugs in closed-source firmware components. Historically Google has been fast at fixing those bugs when they are found, whether by Google or by outsiders such as the GrapheneOS project. This is less true for other device vendors.
CodexAG Are you telling us that graphene basically is at the mercy of google fixing these vulnerabilities? [removed content breaking forum rules]
Obviously it is up to each one of us to form a personal judgment as to whether to rely on the GrapheneOS project's trust in Google's firmware blobs. But at present it's not clear what meaningful alternatives there are. Vendors such as Fairphone have exhibited dramatic flaws in the firmware they have shipped (example), and their firmware isn't open-source either (FP forum post).
Overall it would be great if there were phones with strong hardware security and open-source firmware, but that day has not yet arrived.
@CodexAG No, the purpose of GrapheneOS is not simply patching specific vulnerabilities which is a tiny portion of the work we do.
As explained earlier in this thread, Fairphone's devices do not meet basic security requirements for hardware, firmware and the software device support including drivers. In theory, drivers could be entirely rewritten over several years and maintained by us, but that's not realistic and is not what we work on doing. It would not change anything about the underlying hardware and firmware security, so the devices still wouldn't meet the requirements. Being 1-2 months behind on High/Critical severity patches and much further behind for other security patches is only one of the problems. Please look at the hardware requirements at https://grapheneos.org/faq#future-devices and check for yourself how many of those are provided by the Fairphone. Even the Fairphone 5 has a CPU core from 2021 without even PAC and BTI.
Your post violates the rules of our forum due to the unsubstantiated claims and misinformation. If you want to participate in the forum, your approach needs to change.
GrapheneOS ok but I thought it was common knowledge google can't be trusted to protect your privacy.
CodexAG No, it's about Google's scale and how much data their services end up having on people. They encourage people to submit lots of data and opt-in to features providing a lot of data. They use this to tailor their services to get you to use them more and to target ads to you themselves. At the same time, they're extremely well regarded for the security of their devices and services. You're buying into a social media echo chamber concept of privacy. The reality is that most companies have far worse privacy practices and people only talk about Google so much because they're such a large company with so much reach. We make decisions based on reality rather than marketing products to people buying into the social media, pop culture and mainstream media concept of privacy and security which is utter nonsense. Our goal is providing private and secure devices, not making money selling products. That makes us a lot different than most projects in this space which exist to earn money for the creators. Open source does not equal good and benevolent. The privacy and security space is full of scammers trying to convince people to buy their products, which requires them to convince people mainstream devices are worse than their own faulty products. You would be better off simply using Signal on a well configured iPhone than nearly any of those products.
Fairphone has an awful track record on security. They don't even acknowledge the issues or state how they're going to be resolving them unless it gets media attention. They claim to provide more software support than they really do. We aren't going to support these insecure devices. They'd need to greatly raise the priority of security, turn it around and acknowledge the past failings as part of changing the culture towards this there. We care about having actually private and secure devices. People's perception on that is only relevant to the extent it's needed to expand the project.
Since the thread has been derailed with off-topic unsubstantiated conspiracy theories and misinterpretations of information in leaks about government spying, the thread is being locked. The off-topic discussion has been removed.