• GeneralSolved
  • 8y security updates on FairPhone 5, will the devs consider porting GrapheneOS?

4 months later

I found this thread's discussions very enlightening & wanted to say thanks.

matchboxbananasynergy Pixels should get user replaceable batteries by 2027 if Google want to be able to sell Pixels in the EU if this reporting (& others like it) is accurate:

https://www.androidcentral.com/phones/eu-mandates-replaceable-batteries-2027

I have been testing for my family off & on for multiple years multiple phone OS's including GrapheneOS, CalyxOS, EOS, IodeOS, & LineageOS (loaded all of them and done some testing with one of my kids and I on each).

For awhile we have standardized our family daily drivers on either GrapheneOS or CalyxOS (Pixels or Fairphones).

For awhile I was leaning toward standardizing on Fairphones running CalyxOS for the following reasons (off the top of my head):

1) CalyxOS HAD better google apps support via MicroG BUT now GrapheneOS appears to have taken the lead via sandboxed Google Play;

2) Only Fairphone supported Video Out BUT now reportedly Pixel 8's also do (if you replace stock OS which disables it);

3) Fairphone's self repairability & parts availability was far superior but Google is getting better here (still behind but better);

4) Fairphone's self battery replacement IS way ahead of Google Pixels but that may be forcibly fixed soon...

5) Lack of Android Auto was a pain on both (so neutral on the decision) but now GrapheneOS supports it and that is great;

For me, for a long time, the scales were fairly close (pros/cons on both sides) which is why we ran both as daily drivers...
if I had to give the nod to one or the other awhile back I would lean toward Fairphones w/ Calyx though GrapheneOS & Pixels kept getting better on the areas that I cared about...

For me the scales tipped into GrapheneOS's favor when Sandboxed-GooglePlay + Android-Auto started working & when I heard Pixel 8's now can do Video Out with GrapheneOS...

Hearing of iFixIt related improvements (repairability & parts) for Pixels is also heartening (especially if Pixel batteries are soon going to be easily user replaceable).

Factoring in this thread's security discussion helps reinforce where I was already leaning as it helps understand while the marketing on the Fairphone 5 is not the Panacea it seems at first...

Thanks again for the great discussions.

    nodoze
    Unless Pixel 2027 fixes the worst pos fingerprint scanner ever that makes me want to smash this phone through a wall, google wouldnt be able to pay me to use this turd. On top of that almost 2 year old bugs on their "flagship" phones (stretched wallpapers on secomdary users, apps that get stuck in app switcher etc). I'm going to use this 7 Pro until GrapheneOS supports it and if there's no good pixel by then or alt to pixel that supports GOS then unfortunately I am back to iOS. Imagine if GOS had the self delete option after 5-10 failed fingerpirnt reads like iOS. Your phone would be wiped daily. And no it's not just my.phone i had it RMAd.and my friend with GOS has the same problrms. GOS is awesome but f google.for halfassing everything they try.

      Imagine if GOS had the self delete option after 5-10 failed fingerpirnt reads like iOS

      That's not how it works on iOS...

      It sounds like you're using a screen protector interfering with fingerprint.

      @nodoze GrapheneOS has had sandboxed Google Play since 2021. CalyxOS is a blatantly unsafe choice. You're much better off using an iPhone than a Fairphone or CalyxOS on any device. Providing proper privacy/security patches and not misleading users about privacy/security with cover ups and false marketing is the bare minimum.

      GrapheneOS and CalyxOS are very different. GrapheneOS is a hardened OS with substantial privacy/security improvements:

      https://grapheneos.org/features

      CalyxOS is not a hardened OS. It greatly reduces security vs. AOSP via added attack surface, rolled back security and slow patches.

      Compatibility with Android apps on GrapheneOS is also much different. GrapheneOS provides our sandboxed Google Play compatibility layer:

      https://grapheneos.org/usage#sandboxed-google-play

      Can run the vast majority of Play Store apps on GrapheneOS, but not CalyxOS with the problematic microG approach.

      https://eylenburg.github.io/android_comparison.htm is a third party comparison between different alternate mobile operating systems. It could include many more privacy/security features but it's a good starting point.

      https://privsec.dev/posts/android/choosing-your-android-based-operating-system/ is an article with more long form comparisons between OSes.

        gosrox Very sorry to hear of your pain. I have had no issues on my Pixel 7 running GOS as my daily driver for many months now. My Pixel 8 Pro recently arrived but I have not had time to install GOS and configuring things to switch from the Pixel 7 to the Pixel 8 Pro but, if I have fingerprint issues on the 8 Pro I will try to remember to circle back. My kids are running GOS on Pixel 6A & 7A with no major issues reported & my memory was/is that I tested finger print access on them fine before giving them the phones.

        GrapheneOS Thanks for the good references.

        iOS is not an option for me & my family as I don't want closed source, closed/captured ecosystems, luxurytax, etc & I don't want Apple having all my data/etc. Considering Cancel Culture it would be foolish to have so much tied to one company.

        My post above was my historical look till now and started well before 2021 as I have been a smartphone user since the 90s & first started using Android devices with my kids in the late 2000s or early 2010s.

        For many folk, including me, Google App support was/is a requirement which ruled out GOS until you finally added Sandboxed-GooglePlay in 2021 & then Android-Auto in 2023...

        Video-out support is also one of my requirements which GOS could not do until the Pixel 8's supported it in Oct 2023 (except maybe much older Pixels back before you supported google apps). Not everyone can or wants to buy Pixel 8's...

        a month later

        GrapheneOS pardon me but I'm confused by this answer. Isn't the whole point of grapheneos to patch the security vulnerabilities? If GOS does, then even if Fairphone is a little behind in their updates, GOS software can itself be updated to fix any security vulnerabilities.

        Or are you telling us that graphene basically is at the mercy of google fixing these vulnerabilities? [removed content breaking forum rules]

        [removed content breaking forum rules]

        • de0u replied to this.
          • Edited

          CodexAG Isn't the whole point of grapheneos to patch the security vulnerabilities? If GOS does, then even if Fairphone is a little behind in their updates, GOS software can itself be updated to fix any security vulnerabilities.

          Vulnerabilities come in different kinds. Two of the big kinds are vulnerabilities in (1) the binary-only firmware blobs that boot AOSP and run important hardware such as the cellular modem, the Wi-Fi/Bluetooth chip, the GPU, etc., versus (2) vulnerabilities in the open-source part of AOSP.

          On pretty much all phones, each firmware blobs is a cooperative effort between a phone vendor and a chip vendor. When there is a vulnerability in the firmware blobs, only those parties can patch the vulnerability and issue a new blob. Sometimes part of the code built into a firmware blob was provided by Google to a phone vendor. But that doesn't mean that when Google provides a patch that the phone vendor will quickly issue a new blob.

          Sometimes the GrapheneOS project uncovers bugs in closed-source firmware components. Historically Google has been fast at fixing those bugs when they are found, whether by Google or by outsiders such as the GrapheneOS project. This is less true for other device vendors.

          CodexAG Are you telling us that graphene basically is at the mercy of google fixing these vulnerabilities? [removed content breaking forum rules]

          Obviously it is up to each one of us to form a personal judgment as to whether to rely on the GrapheneOS project's trust in Google's firmware blobs. But at present it's not clear what meaningful alternatives there are. Vendors such as Fairphone have exhibited dramatic flaws in the firmware they have shipped (example), and their firmware isn't open-source either (FP forum post).

          Overall it would be great if there were phones with strong hardware security and open-source firmware, but that day has not yet arrived.

          @CodexAG No, the purpose of GrapheneOS is not simply patching specific vulnerabilities which is a tiny portion of the work we do.

          As explained earlier in this thread, Fairphone's devices do not meet basic security requirements for hardware, firmware and the software device support including drivers. In theory, drivers could be entirely rewritten over several years and maintained by us, but that's not realistic and is not what we work on doing. It would not change anything about the underlying hardware and firmware security, so the devices still wouldn't meet the requirements. Being 1-2 months behind on High/Critical severity patches and much further behind for other security patches is only one of the problems. Please look at the hardware requirements at https://grapheneos.org/faq#future-devices and check for yourself how many of those are provided by the Fairphone. Even the Fairphone 5 has a CPU core from 2021 without even PAC and BTI.

          Your post violates the rules of our forum due to the unsubstantiated claims and misinformation. If you want to participate in the forum, your approach needs to change.

            GrapheneOS ok but I thought it was common knowledge google can't be trusted to protect your privacy.

              CodexAG No, it's about Google's scale and how much data their services end up having on people. They encourage people to submit lots of data and opt-in to features providing a lot of data. They use this to tailor their services to get you to use them more and to target ads to you themselves. At the same time, they're extremely well regarded for the security of their devices and services. You're buying into a social media echo chamber concept of privacy. The reality is that most companies have far worse privacy practices and people only talk about Google so much because they're such a large company with so much reach. We make decisions based on reality rather than marketing products to people buying into the social media, pop culture and mainstream media concept of privacy and security which is utter nonsense. Our goal is providing private and secure devices, not making money selling products. That makes us a lot different than most projects in this space which exist to earn money for the creators. Open source does not equal good and benevolent. The privacy and security space is full of scammers trying to convince people to buy their products, which requires them to convince people mainstream devices are worse than their own faulty products. You would be better off simply using Signal on a well configured iPhone than nearly any of those products.

              Fairphone has an awful track record on security. They don't even acknowledge the issues or state how they're going to be resolving them unless it gets media attention. They claim to provide more software support than they really do. We aren't going to support these insecure devices. They'd need to greatly raise the priority of security, turn it around and acknowledge the past failings as part of changing the culture towards this there. We care about having actually private and security devices. People's perception on that is only relevant to the extent it's needed to expand the project.

              Since the thread has been derailed with off-topic unsubstantiated conspiracy theories and misinterpretations of information in leaks about government spying, the thread is being locked. The off-topic discussion has been removed.

              admin locked the discussion .