December Android updates fix critical zero-click RCE flaw

I always search manually because I am eagerly waiting for the updates.
I only search for updates when I’m on my home wifi.
Provider: yesss (A1 network) in Austria.
I do not remove SIM - why should I?
No cache cleared until now.

I see it's not the first time you get updates delayed. Did you ever contact support, to see if there is any OTA glitch with your IMEI? Maybe it's for whatever reason connected to the provider?

because

3 Likes

While there is little to nothing that can be done (by us) about the zero click that this thread is ultimately about, there are ways of mitigating the fact that you’re behind on updates in other ways.

The most obvious risk is your browser. If you use a browser that supports disabling JIT you’re ultimately a lot more secure.

The downside? The only browser that seems to support that on Android, while also being up to date, is Cromite, which has to be downloaded from F-Droid rather than the Play Store.

But if you’ve got 5 min to spare, you may want to check it out.

Maybe someone should make a dedicated security thread?

1 Like

I tried it now. Switched off SIM and checked for Update.
“Your system is up to date”

Deactivating the SIM did not help.
Furthermore, I did not find any blocking messages for my FP4 in my local pihole.
Is it possible to manually download the update on the phone and start it?

No, not without unlocking the bootloader and losing all data.

so back to:
Did you ever contact support, to see if there is any OTA glitch with your IMEI? Maybe it's for whatever reason connected to the provider?

Edit: no idea if this helps or not

Thanks for the advice but pihole isn’t to blame.
I checked it twice, there’s nothing blocked, when update runs.
Which support team should I contact? FP support or the provider’s support?

I would try FP’s support first.

Or just use Firefox with the NoScript add-on. Caveat: It’s for techies only, because it preemptively breaks all internet, and you have to fix it manually, site by site!.. (The point being that this also breaks all malevolent scripts: You only run those you trust.)

2 Likes

Firefox doesn’t have the same type of isolation as Chromium based browsers, unfortunately.

Also, I’ve tried using NoScript in the past. It almost drove me insane.

1 Like

:open_mouth: Why, it’s pretty straightforward IMHO. Tedious, especially when you’re new to it, but after a while it’s not more hassle than changing gears in your car: You have a list of script domains which are always blocked (like ads and trackers), and you have to temporarily allow scripts of websites you (need to) trust. Or even whitelist them if you use them frequently. For instance, on this page I’ve whitelisted “fairphone[.]com”, but “googletagmanager[.]com” is always blacklisted. :man_shrugging:
That’s all there is to it. Obviously you need to know what “somestrangename[.]com” is supposed to be, and if blocking it will break the page, but after some trial and error you learn.

I don’t know about Chrome’s supposed superior capacities, all I know is it comes from Google, and thus is entirely and exclusively designed to monetize its users.
I do have a flavor of Chromium installed, because some incompetent web designers create Chrome-only websites (who remembers “Best viewed in Internet Explorer”?..), but I’ve been using Firefox for many, many years, actually since Netscape went the way of the Dodo, killed by a greedy and ambitious Microsoft… Nowadays Google has replaced Microsoft in trying to control Internet commerce (billions of €…), and I don’t like monopolies and monocultures. Everybody already forgot the time some 20 years ago when about any installer (Adobe updates…) also silently installed Chrome, secretly replacing your default browser. I must have uninstalled Chrome over a hundred times… :angry:
So no, for me Chrome/-ium is a dirty word.
/rant

2 Likes

The issue is that I want to visit a lot of different sites every day and adding every single issue site to NoScript just wasn’t all that exciting to me. It took me out of the flow for what was ultimately, in my eyes, a minor security increase.

On my Windows computer I already run Waterfox in Sandboxie with settings so hardened that Waterfox can barely access anything outside of the Waterfox profile folder. For shady sites I run Mullvad Browser in Windows Sandbox, also hardened.

On my Fairphone however, I don’t have an extra sandbox or anything, but Cromite has plenty of hardening that most other mobile browsers lack.

I get it. Being forced to use Chromium blows. But IMO both Brave and Cromite are pretty great mobile browsers. Brave is very plug and play and comes with HTTPS Everywhere and AdBlock. Cromite comes with JIT being disabled by default, increasing the security.

Personally, I’m hoping for Firefox to soon add similar sandboxing to Chromium, as I really, really want Firefox to succeed.

But IMO, if you don’t want to use NoScript or something similar, Cromite is the best security option for Android today.

https://divestos.org/pages/browsers

Well, it’s just two clicks, but I understand it might get tedious. :man_shrugging:
I don’t do much sightseeing, I mostly have a fixed number of sites I visit. :smile:

Well, Firefox too (not Adblock, but a similar feature, although I prefer using uBlock Origin. Why settle for less?)…

How is that different from NoScript? (Genuine question) :thinking:
That should break all and every website, forcing you to manually allow specific scripts to make it work again. Just like NoScript, no?

JIT doesn’t disable the scripting, it is just a safer, but slower way to run it.
The JIT engine is a very complex program and also has to set memory writable and executable, which prevents use of certain security features and makes exploits easier.
In nearly every Chromium release, there are JIT related security fixes.
I cover which browsers do and don’t have it enabled here: Browsers - DivestOS Mobile
Android also uses a JIT to run apps as part of ART, which systems use it are covered here: Comparison of Android ROMs

You should not use HTTPS Everywhere (even EFF says so), both Chromium and Firefox have these built in now.
And uBlock Origin is superior to any other blocker.
(I understand this is in context of Brave having those as features, just should be noted)

Cromite does not have CFI enabled like Vanadium & Mulch, and often is a few days to a week behind them too.
So security-wise, Vanadium and then Mulch are the best.
For privacy, I still recommend my Mull or Tor Browser.

2 Likes
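
The point in the post above about JIT engines needing memory that is both writable and executable can be checked from the defender's side by reading a process's memory map. This is an added example, not part of any post in this thread: it parses text in Linux `/proc/<pid>/maps` format and lists the mappings that are writable and executable at once. The sample input, including its paths, is constructed.

```python
import re
from typing import NamedTuple

# Constructed sample in Linux /proc/<pid>/maps format (not from a real device).
SAMPLE_MAPS = """\
5581a000-5581c000 r--p 00000000 fd:00 1311 /usr/lib/browser/renderer
5581c000-55930000 r-xp 00002000 fd:00 1311 /usr/lib/browser/renderer
55930000-55940000 rw-p 00116000 fd:00 1311 /usr/lib/browser/renderer
7f2a00000000-7f2a00040000 rwxp 00000000 00:00 0
7f2a10000000-7f2a10200000 rw-p 00000000 00:00 0 [heap]
7f2a20000000-7f2a20010000 rwxs 00000000 00:01 2048 /memfd:jit-example (deleted)
7ffd1000-7ffd3000 rw-p 00000000 00:00 0 [stack]
"""

# Fields: start-end perms offset dev inode [pathname]
LINE_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([r-][w-][x-][ps])\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> list[Mapping]:
    """Parse maps-format text, skipping lines that do not match the format."""
    mappings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            start, end, perms, path = m.groups()
            mappings.append(Mapping(int(start, 16), int(end, 16), perms,
                                    path.strip() or "[anonymous]"))
    return mappings


def writable_and_executable(mappings: list[Mapping]) -> list[Mapping]:
    """Return mappings whose permissions include both 'w' and 'x'."""
    return [m for m in mappings if "w" in m.perms and "x" in m.perms]


if __name__ == "__main__":
    for m in writable_and_executable(parse_maps(SAMPLE_MAPS)):
        print(f"{m.start:#x}-{m.end:#x} {m.perms} {m.size // 1024} KiB {m.path}")
```

A process that enforces W^X strictly would return an empty list here; a snapshot only reflects the permissions at the moment it was taken.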

Yeah I saw that on GitHub just now. Sadly, Daniel Micay decided to be a dick as usual instead of letting the Cromite developer use the Vanadium patch for it. Oh well.

I’ll definitely check out Mulch though. Any plans of adding an adblocker for it? The only thing I value more than the integrity of my device is the integrity of my brain. And that’s sadly under attack daily by sleazy ads everywhere.

To me, it’s not necessarily about the two clicks per site. The issue to me is mostly “if I’m allowing every site I’m visiting manually, why not just do it by default?”

I tried running Microsoft Defender Application Guard with NoScript once upon a time and while it’s probably the safest way of browsing I’ve ever used, it was also one I had to endure.

I dream every day of a virtualized browser that isn’t slow as hell.

Sorry guys, but the topic is December Android update, nothing else.

5 Likes

I’m very happy to read that releasing updates faster is on the agenda of the developers at Fairphone. A month after Google’s release is too long, we need security patches much sooner than that. Hope they will make it happen!

1 Like

Reminder that vendors actually get early access to the monthly security updates, as in Fairphone should have access to the January and maybe even February 2024 security patches as of today.

I think that was already explained and discussed in detail above.

11 Likes