FAIRPHONE 3 and 3+ A13 - Fingerprint sensor update

As a beta-tester . . . . There never was a problem in . . . . importance, it was not a fixable issue.

The worst thing was pushing it without a CLEAR warning that the reader is downgraded.

1 Like

You make a fair point, but in case I give my unlocked smartphone to my kid, or my unlocked smartphone gets stolen out of my hands, having an additional layer (be it fingerprint or PIN or password) helps with risk mitigation.

1 Like

Not working: Enpass, Wise, UBS, La Banque Postale
Working: Lockwise

Apparently, the problem with certification of biometric devices comes from Google.

The Fairphone 3 fingertip reader was certified as Level 3 in Android 11, but Google downgraded this sensor to Level 2 in Android 13. In other words, the smartphone becomes useless because it can no longer be used as before for many very important transactions, such as in banking, financial, medical and professional applications. Worse: this biometric level parameter is not known or published anywhere, for any phone. So: even when buying a brand new phone, we are not sure that it is level 3 certified!

The core value of the Enpass application (password bank) is the encryption of data files containing passwords. Of course, for the encryption to be done securely, the passphrase must be long and complicated. Without biometrics, we have to type this code by hand each time we need to retrieve a password. It is long, complicated, difficult and error-prone. I have to re-type it several times to get it right.

The solution is, of course, to use a short and simple passphrase, but this is not compatible with the security requirements of such a tool. A simple passphrase means simplification of finding it, therefore - danger of losing all the passwords we have. This is not compatible with the security requirements…

In this situation, I do not know what to do. Change phone? But how to know the certification level of the new telephone?

So, this is an unexpected and unknown problem that has just appeared. It didn’t exist before, nobody knew about it. I don’t think anyone has come up with a solution…

Fairphone 4 is certified 3? What about Fairphone 5?

4 Likes

Does it matter, considering Google can downgrade this in software anytime “for reasons”?

Re-evaluate whether chaining processes to the functionality of a fingerprint reader is really such a good idea, and pressure App makers who don’t offer alternative means of authentication to fix their obviously broken App design.

1 Like

“fix their obviously broken App design”

It is not “broken design”. The fingerprint reader does not comply with certification level 3 requirements. This is a result of a series of security tests, not “broken design”.

1 Like

If an App needing authentication doesn’t work without a fingerprint reader, I call that broken design, because there might be no such reader, or it might fail reading. Question of simple problem awareness.

We can all agree the current degradation is not a good situation for users and for Fairphone for various reasons, and the collectively desired outcome would be to get the functionality back in Fairphone OS. How realistic that is, we’ll have to see.

I just don’t like the narrative “the phone is near unusable now” to stand alone.
The fingerprint sensor is convenience first and foremost, and convenience is nice to have. But using the feature is a choice, and making Apps requiring it without an alternative (!) is a choice (and a bad one). Plan Bs are not the preferred choices for reasons, but at least they need to be in place to be available when needed.

6 Likes
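An added example, not part of any post in this thread and not code from any app named here: one way an Android app can check for a Class 3 ("strong") sensor and fall back to the screen lock or its own passphrase instead of refusing to work. It assumes the androidx.biometric library and that the thread's "level 3" is Android's Class 3; `UnlockMethod`, `chooseUnlockMethod` and `buildPrompt` are hypothetical names.

```kotlin
import android.content.Context
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL
import androidx.biometric.BiometricPrompt

// Hypothetical names for this illustration; not taken from any app in the thread.
enum class UnlockMethod { STRONG_BIOMETRIC, SCREEN_LOCK, APP_PASSPHRASE }

fun chooseUnlockMethod(context: Context): UnlockMethod {
    val manager = BiometricManager.from(context)
    // Class 3 ("strong") sensor present and enrolled: the only biometric
    // class that may release a Keystore-bound key.
    if (manager.canAuthenticate(BIOMETRIC_STRONG) == BiometricManager.BIOMETRIC_SUCCESS) {
        return UnlockMethod.STRONG_BIOMETRIC
    }
    // A sensor reclassified as Class 2 fails the check above even though it
    // still unlocks the phone. Fall back to the device PIN, pattern or password.
    if (manager.canAuthenticate(DEVICE_CREDENTIAL) == BiometricManager.BIOMETRIC_SUCCESS) {
        return UnlockMethod.SCREEN_LOCK
    }
    // No usable system authenticator: the app must ask for its own secret.
    return UnlockMethod.APP_PASSPHRASE
}

fun buildPrompt(method: UnlockMethod): BiometricPrompt.PromptInfo? = when (method) {
    UnlockMethod.STRONG_BIOMETRIC -> BiometricPrompt.PromptInfo.Builder()
        .setTitle("Unlock vault")
        .setAllowedAuthenticators(BIOMETRIC_STRONG)
        // Required when the device credential is not an allowed authenticator;
        // it gives the user a way out of the biometric prompt.
        .setNegativeButtonText("Use passphrase")
        .build()
    UnlockMethod.SCREEN_LOCK -> BiometricPrompt.PromptInfo.Builder()
        .setTitle("Unlock vault")
        // A negative button must not be set when the device credential is allowed.
        .setAllowedAuthenticators(DEVICE_CREDENTIAL)
        .build()
    // Caller shows its own passphrase screen instead of a system prompt.
    UnlockMethod.APP_PASSPHRASE -> null
}
```

On Android versions below 11 (API 30) the library does not support the device credential on its own, so the second check fails there and the passphrase path is used.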

I agree. Phone is still usable but this upgrade will make life far more awkward for many. Some people don’t use the fingerprint besides on the unlocking screen so they won’t care, but Fairphone have proved (to me) they cannot be trusted as they don’t listen to their BETA testers and roll out updates with known problems without any notification or followup. In the first post on this thread an FP employee stated the rollout had been stopped, yet they started it again with no notification (unless I missed something?).

I paid for a phone that had a fully functional and trusted fingerprint sensor. This Google upgrade removes that trust (as far as banks are concerned) and therefore should never have been rolled out OTA and should only have been offered as a download option.

3 Likes

Yes, you missed something, it is already posted twice in this thread.

There is now a notice of the issue in the text the updater presents before updating (German screenshot).

I think it’s safe to assume most of us here would have handled this differently than we witnessed it playing out in practice.

If said Apps really care about security, they should also stop working shortly after security update support runs out for base Android 11 (I guess Fairphone wouldn’t be able to go on much longer with Android 11, backporting patches without Google support), which would be early 2024 if prior Android versions are any indication.
That being said, the time until then could have been put to good use much differently than Fairphone did now.

3 Likes

You are just repeating the same things again and again so I do…

The beta testers knew about the fingerprint reader problem and at each new beta release this was mentioned in the release notes. Fairphone’s mistake was not to do it for the final release.

If you explain to beta testers that the hardware is not considered as safe as it was and that it implies downgraded possibilities for the fingerprint reader, they accept it (not without complaining a bit that it is inconvenient).

The rollout started again after adding the fingerprint reader problem in the release notes. If this information had been in them at the first rollout, it wouldn’t have stopped since the problem was the lack of communication and not the fingerprint reader being downgraded.

1 Like

Don’t forget that most people would never do a manual install, so that would be in my eyes the worst option ever, as this would cause thousands of vulnerable phones, as other manufacturers would cause by stopping updates early.

Overall it is as it is now, and thinking over and over again about the initially missed communication will not change anything. I guess the apps not offering another way than to use the fingerprint are luckily not too many, so most people will still be able to use their phones, and if it’s too uncomfortable, then they need to think about options.

2 Likes

For all we know it’s just one single app so far: App "Digitales Amt"
And the way I understand their FAQ it’s possible to use the federal services offered via app also via browser, but I’m not sure here.

I just hope that everyone who complained here about that app no longer working also contacted the app developers/the government body responsible for the online services. Otherwise, how would they learn that some users can’t use the app like designed? So that they at least can extend their FAQ about this issue, or even better implement a fallback for a future version.

I agree for situations where I’m sitting at my desk and have all the time in the world to e.g. confirm a 2FA secured login or banking transaction.

But I really don’t want to type my long master password of the password manager app in order to copy the app password of my carsharing app in order to open the car in front of me in the middle of heavy rain where the raindrops interfere with typing on the touchscreen.

2 Likes

Here are the new release notes, including the notice about the fingerprint reader: https://support.fairphone.com/hc/en-us/articles/360048139032-FP3-Fairphone-OS-release-notes#h_01GMTQRVTY2YE5ZNSBP6WXP2AH

  • Please note: due to updated Android security requirements, the fingerprint sensor at the back of the device can no longer be used to log into certain apps with higher security requirements, such as some banking apps. The fingerprint sensor can still be used to lock and unlock the device itself and the affected apps can still be accessed using a PIN or password for login.

The link can be found in the notes of the update, which I received this morning (FP3. Carrier service: Pepephone, in Spain). Here is a screenshot of the English version:

2 Likes

Never seen an app with ONLY fingerprint reader as option! You’re right.
But what are the options you’re working on? Sensor replacement? Your DNA is modularity…?
Please keep us posted…thx

More info about an upgraded fingerprint module:

In my eyes just standard support blabla and not really an answer.
For me it’s somehow frustrating. I think, if you can’t fix it in software, changing the fingerprint module is the only correct and secure solution for this problem. What’s the point of making a phone modular if you just don’t use the full potential?

For me this case is closed.
I check out the next weeks how much this issue sucks me and then live with it or try LineageOS or go to a new phone. Maybe a FP5 because I like the Fairphone spirit, but I need to rethink this first.

7 Likes

Officially by a Fairphone employee? If so I can’t find the posts. :thinking: I will look again.

Agreed. I guess that will be early 2024?

I can’t argue with that. You are right.

Thanks for posting your reply from FP. The reply skipped over your question entirely. Everything they told you, we already knew thanks to this community and the guardian angels.

I’m disappointed with this development, but it is what it is.

Is it possible to downgrade to A 11 without loss of data?

No sadly :frowning: . . . . . . . .

Not under normal circumstances, because under normal circumstances the bootloader is locked. Unlocking it to do the manual install will wipe user data for security reasons, locking it will do the same.


(Even with an unlocked bootloader there’s still Android rollback protection, which will force a data wipe after a downgrade to an older Android version for security reasons. I know that an older security patch level will trigger this, but the patch level of the last Android 11 release and the new Android 13 release seem to be the same - June 5. What I don’t know so far is whether this would be triggered because 11 is an older version than 13.)

6 Likes

The message is ‚officially‘, not the poster, as this is a user forum.