To be honest it would be great if the YubiKey could be used as a second factor in addition to the password on mobile.
This would hit two birds with one stone. Firstly it would resolve the reliance on biometrics and also resolve a possible issue older people might have with biometrics as well.
Please feel free to correct me if I am wrong about the YubiKey being usable as second factor on mobile.
But that discussion is quite far off topic even if it is interesting to discuss and speculate.
How to stop the Android 13 update when it was paused
The Fairphone team had the great idea to push the update with a popup instead of a push notification. I thought this update was a Google Play update regarding the app I was using in that moment and quickly clicked “update”.
The Android update was paused because I have the battery saving mode switched on. I do not want to update to Android 13!
How can I cancel the ongoing update? It didn’t start to download anything nor install anything.
Well, it appears Google has lowered the security rating for the fingerprint sensor used in the FP3 with the release of Android 13 - the initial release of which predates the arXiv upload date of the paper you linked by several months.
That being said, I would not consider it absurd that Google had prior knowledge of this attack and took this into consideration when changing their security requirements. Especially when considering that the bounds on the FRR and the FAR required for security level 2 (which the sensor is rated at now) are the same as those required for security level 3 (which the sensor was rated at before). They only differ in the requirement for its SAR (which also poses a lower bound on its IAR). After all, the SAR/IAR are the best generalized indicators we have to express how vulnerable a fingerprint sensor is to brute-force attacks in general.
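To make the level 2 / level 3 distinction above concrete from the app side, here is an added example (not from this thread, and not Fairphone's or Google's code) of how an Android app using the androidx.biometric library decides whether it may use the fingerprint sensor at all. A sensor rated strong (Class 3) can release an auth-bound Keystore key through a `CryptoObject`; a sensor rated weak (Class 2) cannot, so an app that ties its login secret to such a key has to fall back to the device credential. The key alias, prompt strings and the `AuthPath` helper are assumptions made for this illustration.

```kotlin
// Added example: app-side handling of a Class 3 vs Class 2 fingerprint sensor.
// Assumes androidx.biometric (1.1+) and an Activity that is a FragmentActivity.
import android.content.Context
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_WEAK
import androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

const val KEY_ALIAS = "example_auth_bound_key" // assumed alias for this example

/** What the device currently offers. Keystore-bound keys need STRONG_BIOMETRIC (Class 3). */
enum class AuthPath { STRONG_BIOMETRIC, WEAK_BIOMETRIC, DEVICE_CREDENTIAL, NONE }

fun chooseAuthPath(context: Context): AuthPath {
    val bm = BiometricManager.from(context)
    val ok = BiometricManager.BIOMETRIC_SUCCESS
    return when {
        bm.canAuthenticate(BIOMETRIC_STRONG) == ok -> AuthPath.STRONG_BIOMETRIC
        bm.canAuthenticate(BIOMETRIC_WEAK) == ok -> AuthPath.WEAK_BIOMETRIC
        bm.canAuthenticate(DEVICE_CREDENTIAL) == ok -> AuthPath.DEVICE_CREDENTIAL
        else -> AuthPath.NONE
    }
}

/** Create (once) an AES key that the Keystore only releases after a strong-biometric auth. */
fun ensureAuthBoundKey(): SecretKey {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
        // Per-use authorization by a Class 3 biometric only; a Class 2 sensor cannot satisfy this.
        spec.setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
    }
    val kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
    kg.init(spec.build())
    return kg.generateKey()
}

/** Show the right prompt for what the sensor is rated at; onDone(true) only on success. */
fun startLogin(activity: FragmentActivity, onDone: (Boolean) -> Unit) {
    val executor = ContextCompat.getMainExecutor(activity)
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            // On the strong path result.cryptoObject?.cipher is now usable for one operation.
            onDone(true)
        }
        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) = onDone(false)
    }
    val prompt = BiometricPrompt(activity, executor, callback)
    when (chooseAuthPath(activity)) {
        AuthPath.STRONG_BIOMETRIC -> {
            val cipher = Cipher.getInstance("AES/GCM/NoPadding").apply {
                init(Cipher.ENCRYPT_MODE, ensureAuthBoundKey())
            }
            val info = BiometricPrompt.PromptInfo.Builder()
                .setTitle("Sign in")
                .setNegativeButtonText("Cancel")
                .setAllowedAuthenticators(BIOMETRIC_STRONG)
                .build()
            prompt.authenticate(info, BiometricPrompt.CryptoObject(cipher))
        }
        AuthPath.WEAK_BIOMETRIC, AuthPath.DEVICE_CREDENTIAL -> {
            // A Class 2 sensor may still gate the prompt, but a CryptoObject is not allowed,
            // so the auth-bound key stays locked and the PIN/pattern/password path is used.
            // No negative button is set here: the library rejects it when DEVICE_CREDENTIAL is allowed.
            val info = BiometricPrompt.PromptInfo.Builder()
                .setTitle("Sign in")
                .setAllowedAuthenticators(BIOMETRIC_WEAK or DEVICE_CREDENTIAL)
                .build()
            prompt.authenticate(info)
        }
        AuthPath.NONE -> onDone(false)
    }
}
```

The point this shows is that the app does not "decide" to stop trusting the sensor: once the platform reports the sensor as weak, `canAuthenticate(BIOMETRIC_STRONG)` no longer succeeds and any key created with `setUserAuthenticationRequired(true)` cannot be unlocked by it, which is the fallback-to-PIN behaviour described elsewhere in this thread.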
Gosh, I really wish I had gotten some information about this problem before I was offered the update. Fairphone regularly sends me e-mails to ask what I think about their device, but informing me about this crucial problem was unfortunately not on their radar it seems. Very annoying situation.
There is a variant to this, Hanlon's Razor: “Never attribute to malice that which is adequately explained by stupidity.”
But I agree seeing malice/conspiracy is ridiculous. Anyway, this is super annoying. (BTW: Austrian here too, but I never used “digitales amt” a.k.a. digital office so far anyway, but also to note I have it maybe untypically configured to English as the main language.) I got super annoyed noticing FlateXSecure stopped working, not allowing me to trade anyway. Interesting though, after uninstalling the app, reinstalling the app, and authenticating it again with a QR code and SMS code it works now (I guess it just now accepts level 2 security as well). But the other Flatex app to see your account on mobile keeps being bunked. Also fingerprint login to Bank Austria (it asks for the PIN as an alternative, but I can never remember that, nor do I want to enter this 20-digit alphanumeric code every time).
If I had known this I would NOT have upgraded to Android 13, but I only got the message “hey, security updates, 1GB download…” and it bugged me for a month to do this, until I found time and WiFi for it… and now it's bunkered out. Also ridiculous: with Android 11 it was considered secure, but now, dark-magically after installing security updates, it's not secure anymore…
And also super annoyed that this is a non-exchangeable part. I mean, seriously, I was excited about the whole FP concept, but things like these make me question the whole premise. Next time I'd rather buy a cheap throwaway phone after a few years again…
But seriously, in that case they should not have used this kind of chip with a closed firmware blob and a manufacturer that does not subscribe to a longevity idea as FP does. I would have more understanding if they said “sorry, it's fixed in the hardware, soldered on” rather than “oops, no new firmware from the chip supplier”.
I’m still quite mad about this: on a 3-year-old device a core functionality has been bunked (and no, it affects multiple apps for me that I can't fix), and to blame the apps is also a weak evasion. And yes, the whole premise of FP was longevity, since otherwise, with the same functionality set at a given moment, one could get cheaper and smaller form factor on the market… You buy the FP3 for the premise of repairability and longevity and then oops, they used a chip that doesn't care…
In a case like this there must be new firmware, or no Android 13 for the respective device, and if it is needed absolutely, then opt-in. Few normal users will read all the update notices considering whether the message that pops up, which strongly suggests making an update for security reasons, is actually a good idea. If at all, it needs to be in bold red letters not to upgrade if you want to use your banking apps, or eGovernment, or securities trading… Now all you can do is unlock the device with it, which is more inconvenient than a pattern anyway was (since I always had to hit the fingerprint reader 2-3 times to register anyway).
PS: And please note the description above about Google guidelines and PINs and so on is basically just a long-winded way of saying “the fingerprint sensor got broken, but you don't need it anyway, you just didn't realize…” and enough people ate that.
hmmm, then I guess the FP3 would not have had a fingerprint reader at all.
Because on the one hand, I doubt that there are even suitable fingerprint readers with open source firmware. At the firmware level, closed source is still the de facto standard in many areas.
And secondly, I don’t know if Fairphone had enough economic power at the time to force other companies to provide firmware updates for longer than they had planned.
They probably just laugh when a company that only orders a few tens of thousands demands something like that.
I can only speak for myself, but here in Switzerland I don’t have a single banking app that doesn’t work with iodéOS (LineageOS fork). The same goes for friends and family members.
So no, I don’t think this is a general problem with custom ROMs nowadays.
But a lie would imply that Fairphone knew years in advance that this would happen when they were still selling the FP3 and didn’t inform their customers - I don’t think that’s the case here.
And the FP3 is still supported - both software-wise (as you know, it has been updated to A13) and hardware-wise (spare parts).
The claim that the FP3 is now no longer supported is not true at all.
What I found depends on the app, whether it checks for bootloader/kernel flags; there used to be a feature to lie to the app, but that has been removed again in newer versions. Anyway, all this “but custom ROM” argument is in other words “you support it yourself”, so in this regard, why buy a long-support phone? Custom ROMs I can do on cheaper phones with no updates.
Look, that is not how support works. If you promise to support a system you need to secure yourself support for all components. “Didn’t know the component had an issue” is not how support works. So in this regard, the promise is a lie, and if no chip manufacturer offers this, then the whole concept is not working.
And yes, they did stop supporting the fingerprint reader as an authentication service (other than low level like unlocking the phone). Now they are pointing to other companies… but Google, but the chip manufacturer… Look, the customer should not care, the customer bought a system with a promise; either FP should have argued with Google (as has been posted above, they did loosen requirements for phones already in the field before) or they should have secured a contract with their chip manufacturer, or better yet an open hardware design as a basis. And yes, if this is not available, then the whole concept is not feasible as it has been sold.
The fingerprint reader was working fine before, then an update came, and no, putting it somewhere down in the release notes does not “solve” the issue, much less forgetting to put it in in the first place. FP broke a key feature and now they say “we are not going to fix it because of other companies”. Also the representative saying with many words “but you actually don't need the fingerprint reader (albeit many do)” is just beyond ridiculous. This is and stays unacceptable, and all these fan excuses only make the emotions about it more maddening, so please just stop. You are making it just worse… Anyway, as this issue demonstrates, I cannot recommend but warn all my contacts about the Fairphone; with the state as is, it seems better to buy cheaper throwaway phones, and for this it doesn’t matter if it's FP's own fault, or they are living in an industry environment that makes the requirements for the promises they have given in essence unfulfillable.
@all I think we have now heard all opinions about this, and repeating one or the other will not change anything, and everyone can draw their own conclusion, so I would kindly ask to stop those repetitions from all sides.