Android 6.0 Marshmallow / 7 Nougat for FP2?

I disagree a bit with your wording :slight_smile: It’s weasel wording the issue. Most code is insecure, it’s just not known yet. But if a known and exploitable bug (that can impact the user/its data) exists in the latest ROM of a phone, it’s an insecure ROM and it needs to be fixed. It’s not about the phone’s hardware, it’s all about the company selling not caring about their users/the older product sold. (Yes, Fairphone is not MTK/Qualcomm, I know, but this is why the users need to know how long the company will support the SoC = contracts)

Exactly. And this is the reason why Fairphone is probably a better choice than other manufacturers which sell a phone and never provide updates.

My wording was probably wrong when I said “Don’t worry”. Of course, you should always worry about security of your devices in general. What I meant is that Fairphone is not any less secure than other phones.

Would be nice though. My current phone that gets replaced by the FP2 is second hand, so I don’t know how old it is exactly, but the model (Nokia 1100) is 12 years old and it’s still functioning (after combining the best parts of both 1100’s I own, I should say). Would be lovely to see such sturdiness in the FP2.

*sorry for the necro reply, I hadn’t seen this thread before so I thought it was new, but I’m replying to someone talking in August. Hello! I’m from the future, the Fairphone 2 has landed in Holland yesterday :blush:.

2 Likes

I disagree with you, @jftr: The FP1 may be “as secure” or even more secure than other 2 yrs old phones, but for many others you can flash a functional (!) custom ROM and prolong its life for much longer. This does not only apply to the Nexus line. E.g. there are working Android 6 ROMs for the HTC Desire HD, a single-core device released in September 2010 (more than 5 years ago!). This allows you to use this 5yrs old device with security updates for all issues found in these years! Of course, its performance may not be what everyone expects, but it’s a good choice for people who basically want to phone, send messages and browse the web - which applies to probably > 70% of the smartphone population.
=> the FP1 is less secure than a lot of other 2yrs old phones, provided you use a custom ROM.

Of course you could argue that the FP team is trying to provide updates directly from the manufacturer instead of “just” the community. This indeed makes the FP different on a theoretical basis. But looking at the actual facts, the FP1 is mostly industrial waste due to the unfixed Webview vulnerability. There is not much of a point in providing security updates for libstagefright and friends while still having this high impact hole open. This just gives people a false feeling of “getting security updates” while in fact they are still using a highly vulnerable device.

So, just before coming back to the Android 6.0 for FP2 topic: Why can’t fairphone provide this update for FP1? Well first, they can’t upgrade to Android 4.4 where the issue is “fixed” (by using a different web framework) due to chipset manufacturer issues. And second, they theoretically could fix the issue in Android 4.2, but this would require a lot of work which FP is obviously not willing or not able to do. Now imagine we will experience a comparable vulnerability of this type in Android 5.1 and again Google will only provide a fix for Android 6.0. What will happen? Exactly the same! This is why providing the update for Android 6.0+ is so crucial.

I asked for confirmation if they have access to the Android 6 code or if Google or QC is doing something like a stacked release. No answer yet.

1 Like

Since it is possible to upgrade (community Kitkat port) I trust Fairphone that they will do everything they can legally do to provide an official upgrade to Kitkat for the FP1.

And even if not, one can follow the tips for improved security for the FP1(U). (There has been a lot of discussion about security already. I’d like to ask you to read through the forum a bit, if you are interested. :slight_smile: )

But back on topic: I’ve read that other phones with the FP2’s Snapdragon 801 have received upgrades to Android 6. Additionally Fairphone promised to release the source codes, so even if they cannot provide an upgrade themselves, the community will be able to do so.

3 Likes

@Stefan is right. let’s stay on topic. there are two things i would like to say anyway:

we have a quite functional custom rom now thanks to @chrmhoffmann.

that is an assumption.

  1. fairphone is releasing security updates regularly. the FP1 was one of the first devices to receive a stagefright fix, for example.
  2. chrmhoffmann is even faster with some updates than the nexus ota images.

me too. and note porting an OS takes time. for the xperia z3 line for example (snapdragon 801), sony provides AOSP sources and binaries for 6.0 since a while now, still the official update seems to be at least two months away.

3 Likes

This is not about source code (which is mostly all GPL or Apache2 licensed) but about the proprietary vendor files (aka blobs) which MTK probably didn’t allow FP to distribute. Regarding the FP2 it would be interesting to know whether FP gained the permission from QC to distribute these files (like obviously Sony got) or if they are still negotiating (well, FP and transparency, the good old story). The sad thing here is that QC also does not publish these files themselves (unlike their CAF kernels) but - just like MTK - they only give them to the vendors directly, connected to terms for redistribution.

Unfortunately, none of these is effective in addressing the Webview vulnerabilities. Even the “visit only trustworthy websites” stuff is not effective, as we’ve seen in the past that some malware is distributed e.g. by ads shown on trustworthy websites. The bigger issue here is that just any app can make use of the Webview component, and then it’s pretty hard to check / control if the traffic goes exclusively to “trustworthy” websites. Furthermore, if you look at apps which display contents via Webview from social networks - you can only regard the network as “trustworthy” or not, but the network usually doesn’t have much control about the contents the users put there.

You can get the source code for the FP1 as well, including the MTK sources for the kernel. Still this does not help, as the device relies on those closed source blobs which only the vendor can provide (unless somebody comes up with a free replacement).

My last update was that it was not very functional (especially regarding bluetooth problems), but if this has changed meanwhile that’s very good news.

There is no real advantage in running a system which has a 3-month-old hole fixed while having a 1-year-old hole still open. Often, attackers (especially the less talented ones) are exploiting rather older security holes.

The validation and certification process which official OS updates by the vendors have to go through before being released is very lengthy and complicated. Especially when vendors provide various “branded” variants. There are loads of articles explaining this, e.g. this one:

@jftr Thanks for the answer. But it shows that even fairphone can’t break the circle of phones that are built to last only something about two years. That really pi*** me off with all the phones out there. I’ll give the fairphone a go and see how far it takes me…maybe in two years there is going to be an OS with the focus to be used more than two years (and it’s available for the FP2).

2 Likes

That’s really great :slight_smile:

Oh, hello! Here in August we’re still wondering if our national Dutch football team can qualify for the European championship next year! I bet they will! Ha ha, ha… ha… ha… uhhhr :frowning:

4 Likes

Not aware of any outstanding BT issues.

Maybe you should just try it?

Chris

1 Like

Maybe @kuleszdl was talking about Cyanogen Mod and is not aware of Android Kitkat for the FP1?

@chrmhoffmann and @Stefan

As I mentioned already in comment 65 - this was my last info from a while ago, so I am happy if the issues are solved meanwhile.

Just for the record: I meant that the bluetooth issues are not solved in Cyanogen Mod, but in @chrmhoffmann’s second ROM, namely Android Kitkat for FP1. :slight_smile:

3 Likes

Now the fairphones are getting distributed (I got mine yesterday :smiley:), I hope we can see the FP team getting some more time in thinking about updates.

I’m holding out for an official announcement somewhere beginning February once the dust settles on the initial delivery & support for those.

1 Like

I think that the next Android version should be the deadline for having 6.0 working on the fairphone 2, if they want to sell the fairphones 2 in 2016 (or longer).

1 Like

I got my FP 2 last week already (thanks) and I’m already talking with friends about the bad Android 5.1 bugs and limitations. Sorry.

Currently I struggle to recommend the phone as many things don’t work well … as before with my old one.
My ‘old’ Galaxy Nexus III is 4 years and 2 months old and the original (unchanged) Google Android 4.3 is much much better.
Please update the FP 2 to 6.xx or downgrade to 4.3 (4.4 is bad too) asap !!!
Until then I need to use the old Nexus in parallel as the 5.1 is not stable and not usable :frowning:

BR, Joachim

2 Likes

5 posts were merged into an existing topic: Misbehaving Apps - fix expected for next update; workaround: re-enable privacy impact

After 18 days I’m also very disappointed with Android 5.1 on my FP2.
Since today it doesn’t work and I had screen freezing and restarts in the last 14 days…

Because this is in the Android 6.0 thread: I doubt the instability you describe is related to 5.1. I work with a lot of Android phones, and I cannot say Android 5.1 is generally more buggy than any other release. It works quite stable in fact.

1 Like