Fairphone’s approach to root on the Fairphone 2

The Fairphone community is asking questions about the rootability of the Fairphone 2. I will try to explain some of the considerations we have to make when allowing to root your phone or not. But first I need to explain a little more what we are talking about.

Android security model

For this discussion it is important to understand how applications (apps) are installed, started and prohibited from doing harmful things.

Applications in Android are cryptographically signed by their author before they are put in the application store (app store). When a user decides to install an application he will typically accept the permissions that the application requests, and if so, a privileged Android component will install the application package (APK) on the user’s phone. By doing so, the application installer will write the granted permissions in a location on the phone where the application itself is not allowed to write. This is intended to prevent an application from modifying its own permissions.

In short, there are different applications on a running phone and the security model allows you to be able to put some trust in running an application: An application that does not have the permission to read contacts cannot read your contacts. The digital signature also allows the developer to prove to the system that he is the original author and this grants him the permissions to update his own application. This is simply a mechanism that the Android developers created to prevent different applications from impersonating each other and to force applications to declare the permissions that they need.

Another design choice of Android is to assume that the system partition can only be modified by performing a system update (it puts more trust and privileges in applications installed there). The other partition, the data partition, will contain apps and data for applications downloaded via the app store. This data partition is writable but different applications are prohibited from accessing one another’s data.

Root access

The danger with this security model is that it assumes the above, e.g. that content cannot be modified without the correct permissions and that the system folder is read-only. Applications like Superuser are specially designed to work around this model and they do this in such a way that application isolation is lost.

Root access breaks the Android security model and hence should only be used with care. There are good reasons for wanting root access, but in general the current Android security model is not designed to allow this type of freedom to users and/or applications. It is a bit like driving without a security belt or going mountain climbing without a safety line, it gives you more flexibility but is not a very wise thing to do. Secondly, companies like Google and application developers of security sensitive applications (e.g. banking apps) require a non-rooted device.

Summary

The Android security model is designed to separate applications from each other and this is a good thing, especially when running banking apps next to less trustworthy apps on the same device.

The Strategy

In general, it is difficult to balance the needs of the average user who benefits from Android’s built-in security mechanisms and the user who wants more freedom. Companies like Google and application developers expect their code to run on a trustworthy device and will only provide their services on such devices.

Fairphone has made the conscious choice not to offer an option to root the device on its Google-services enabled software.

That being said, we are working on a user-installable Google-free version of Android called Fairphone Open Source OS where we give more freedom to users. For this version we will make it easier for users to enable root access and install applications like SuperUser but will not include Google services. We welcome discussion on how to best offer SuperUser access in the open source version available at http://code.fairphone.com/projects/fp-osos/index.html.

We are working to have this open source user-installable version ready soon, but we are not announcing a timeline for launch yet.


19 Likes
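Added example, not part of the original post and not Android's or Fairphone's code: a simplified Python model of the install-time rules described in the opening post (same-signer updates, permission grants that apps cannot rewrite, per-app data isolation) and of how uid 0 sidesteps them. The class and function names, the package names and the certificate bytes are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

ROOT_UID, SYSTEM_UID, FIRST_APP_UID = 0, 1000, 10000  # uid values Android uses

@dataclass(frozen=True)
class Package:
    signer: str          # SHA-256 digest of the signing certificate
    uid: int             # per-app Linux uid that owns the app's data
    granted: frozenset   # permissions recorded at install time

class PackageStore:
    """Simplified model of the installer's records; not Android's real code."""
    def __init__(self):
        self._pkgs = {}

    def install(self, caller_uid, name, cert, requested):
        # Apps cannot write the store, so they cannot change their own grants.
        if caller_uid not in (ROOT_UID, SYSTEM_UID):
            raise PermissionError("package store is not writable by apps")
        signer = hashlib.sha256(cert).hexdigest()
        old = self._pkgs.get(name)
        # An update is accepted only from the original signer.
        if old and old.signer != signer:
            raise PermissionError("update signed by a different certificate")
        uid = old.uid if old else FIRST_APP_UID + len(self._pkgs)
        self._pkgs[name] = Package(signer, uid, frozenset(requested))
        return uid

    def has_permission(self, caller_uid, perm):
        if caller_uid in (ROOT_UID, SYSTEM_UID):  # root and system pass every check
            return True
        return any(p.uid == caller_uid and perm in p.granted for p in self._pkgs.values())

    def can_read_data(self, caller_uid, owner):
        # App data is private to the owning uid; uid 0 ignores file modes.
        return caller_uid in (ROOT_UID, self._pkgs[owner].uid)

def allowed(fn, *args):
    """Return True if the call succeeds, False on PermissionError."""
    try:
        fn(*args)
        return True
    except PermissionError:
        return False

def scenario():
    """Run the model on constructed apps and certificate bytes."""
    store = PackageStore()
    store.install(SYSTEM_UID, "bank", b"bank-cert", {"INTERNET"})
    game = store.install(SYSTEM_UID, "game", b"game-cert", {"INTERNET"})
    return {
        "game_reads_contacts": store.has_permission(game, "READ_CONTACTS"),
        "game_regrants_itself": allowed(store.install, game, "game", b"game-cert", {"READ_CONTACTS"}),
        "foreign_signed_update": allowed(store.install, SYSTEM_UID, "bank", b"other-cert", {"INTERNET"}),
        "game_reads_bank_data": store.can_read_data(game, "bank"),
        "root_reads_bank_data": store.can_read_data(ROOT_UID, "bank"),
    }
```

In this model every check that holds for an ordinary app uid is skipped for uid 0, which is the loss of application isolation the post refers to.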

Thanks for your announcement. I’m happy to see Fairphone feeling committed to giving users the option to open up their software as well as hardware. Several people have committed to Fairphone because they feel it gives them the freedom to open it up, and denying that freedom in the software side caused quite some uproar.

About enabling root access, the installer already has an “advanced mode”. From in there, I think the option to download a rooted (or rootable) image could be given. Maybe with enough confirmation popups - “are you sure?” “are you REALLY sure?” “did you ask your mother?”, so the user can’t click on it accidentally. After downloading that image, maybe enabling root access could be done with a switch somewhere in the settings. Or what do you mean “discussion on how to best offer SuperUser access”?

3 Likes

Hi,

thanks for the clarification.

Ok, I understand that you made the decision, I also see that there are reasons why it was taken, though I personally see other reasons with at least similar importance, which would point towards a rooted FP2. Let’s not start the discussion again.

But for the future I hope we can have a more open discussion on the rooting issue amongst the people who back the project. Or, much better, an option at first phone boot (not sure if that is technically possible, but I guess software makes many things possible), where the user can decide which way to go.

I will for sure not put a new image on the phone for the time being, that is just too much configuration work after I set up the FP2 finally. All I wanted was the normal FP Onion 1.0 to allow me root access.

Next thing to do: open an Onion wish-list thread where we can write down all the things we would like from the non-rooted (secure) version of FP which we could have gained from apps that are rooted. If e.g. Titanium backup does not work with the delivered OS, then we should get something of the same functionality working without having root.

Cheers,
Georg

5 Likes

Hi
I do understand the motives and I think it’s the correct decision that the standard model is not rooted, because, as you said, it’s not for the average user. Still, I don’t think people will like it that they have to use the open version of the OS, because that implies they will have to stay up to date themselves, instead of getting the information from the updater. This will lead to fp2s with historic software versions, and I do not know whether that will be in your interest?

7 Likes

I’m sorry have I understood correctly: either root but no Google or Google but no root?

If this is it, it sucks… and I deeply regret my purchase because I thought it would be everything FP1 was and more… now I get less (of what I need)

8 Likes

You should be able to install GAPPS via OpenGAPPS once the recovery allows Installation of ZIPs.

@all: Having said this FP support to have a TWRP binary for the FP2 would be an easy way to allow people to root their devices by themselves.

On the other hand - I find the root switch in CyanogenMod’s developer settings quite comfortable. Not sure if switching root to off really fully restores Android’s security model.

4 Likes

I totally understand why the FP2 won’t be rooted out of the box. This post makes a lot of sense.

BUT, I’m shocked to learn that there won’t be an option to let the informed user decide if he wants to do it. I thought that was the meaning of ‘yours to open’.

On the FP presentation in Paris, I was told by the representative that it won’t be rooted out-of-the-box but that the official procedure to do it will be communicated.

I’m using MIUI on my current phone right now, with gapps, and it allows users to activate root access in a “permissions” menu, after many confirmations and disclaimers. That’s what I was naturally (naively ?) expecting from the FP.

If I have to unofficially hack my phone, then I’m left feeling that I bought another HTC or Samsung phone.

16 Likes

I’ll have to disagree with that. Driving without a security belt is a lack of safety measures, while rooting your phone carves a little access to your phone’s internals that is guarded by the companion app.
If you want to maintain the comparison, preventing the user from rooting his phone is like removing the ability to unbuckle your seatbelt and forcing you to take your driver seat everywhere behind you because “if you can remove the seatbelt it is dangerous to drive !”. It’s like preventing you from opening your car’s motor compartment because “you might do something dangerous and insurance companies would like you not to be able to !”.

Basically, it’s considering the user is a dumb fuck. Which is kind of right most of the time, when you think about it :wink: With that said, I’d just like the ability to root my device easily, please.

EDIT : Could you provide a free and open-source root management app please, for example SuperUser instead of/in addition to proprietary ones such as SuperSU ? I’d rather trust a machine I can open and inspect.

EDIT 2 :

I believe it is entirely possible to provide OTA updates for AOSP versions of the OS. I am not sure I understand what you are implying, sorry :frowning:

21 Likes

@Arvil Very well said. Thank you.

@keesj: There are several valid use case scenarios for rooting your phone, as well as for opening your car’s motor compartment, but I can’t see any for driving without a seatbelt. That’s the big difference.

9 Likes

Oh I love metaphors.


> Locking a bootloader is similar to locking your house. Once it’s locked you can’t get into it without a key. It keeps bad guys from just walking in and taking all your stuff. Unfortunately, the OEMs don’t give you that key

source: pocketnow

9 Likes

Ok maybe I am just a stupid user but I still want a rooted phone to be able to use some of my favorite apks and still use Gapps because I need them for my work… I am not a programmer and won’t do much more on my phone but I did manage to root my phones and still use Gapps.

If there is a choice to make I will be very disappointed as I never imagined the fairphone without root (ok I missed the info it’s my fault) but for me it’s turning back not going forward.

I hate that I can’t use my favorite apks and that I have to suffer all the advertizing and that I can’t save my data. I hate that I still have data waiting for me on my sdcard and I can’t use them on my new phone.

I made the transition from a rooted samsung S3 to a rooted FP1 just to go back where I started…

I do support the fairphone and I’ll continue to use it but I feel very disappointed…

12 Likes

Hello,

I’m still quite surprised about all this. First I was disappointed that the FP2 did not come rooted (as the FP1 did), but now it even cannot be rooted easily. I don’t know how much time I invested the last year to get at least a bit more control over my data - I don’t think I’m radical or fanatic about this and I accept to live with Google as long as they only get 4 bits out of every Byte I send (they anyhow KI-guesswork the missing bits together and reconstruct me virtually from my metadata). After all what was publicly discussed about privacy and security I cannot believe that the Fairphone does not offer the concerned users an easy way to control their data in the way they want, without using 15 tools, compiler and so on.

What I want to say is: this decision is a bit more than just about security within the android system - it also gives an indication on who should own phone and data. And for a product named “fair” I feel the decision is pointing into the wrong direction. It basically says that you guys believe that most of the FP users are not fit to act responsibly (or not intelligent enough to control their data) and therefore are better forced to use the normal environment, which is far from ideal.

I don’t blame you. In no way I want to insult you or harshly criticize you, don’t get me wrong please. But I think it is good to look at this issue from different perspectives. I also don’t ask you to make the FP rooted right from the start (though I would support that), but to allow it to be rooted and to support those users, who want to root.

In summary I think you took a very technically driven decision for an issue which has certain social and also moral/ethic impacts.

Maybe there is a way (if more users support this) to rediscuss this decision. Not only because of making my life easier, but in order to give a clear statement that the FP2 enables the user to get full control.

Thanks for your patience and cheers,
Georg

Edit/PS:
I guess what I want to say is: “make it easily rootable and advertise that” – it’s a feature, not a bug, it helps people doing good and reasonable things.

28 Likes

Hi,
you understood me correctly. It would surely be possible, but I don’t know (and, honestly, don’t imagine) FP will do this, as up to now it’s always “you can compile it yourself”… So it’s everybody’s responsibility to stay up to date and regularly type repo sync and see what’s changed…

1 Like

@keesj, as already said by @Arvil, there are good reasons to open the phone further by rooting. E.g. ensuring that your privacy is protected by selectively disabling app permissions (it’s all or nothing in A5.1), installing Titanium Backup, …

I’m not sure how I like this message. On the one hand, it means I will switch back to my old phone until fp-osos is ready to be installed. Just when I was ready to really port everything to the FP2. :worried:

Secondly, I have seen several times already that you really need a decent sized community to be able to maintain such a fork. This is one of the reasons, IMHO, that OpenMoko failed: the software was not good enough and even after one year, it didn’t improve a lot. Splitting up the efforts of the FP team is a risky path.

If this is pulled off correctly however, it would be an even better option than installing Cyanogenmod.

However, I have several questions

  • will the full hardware be enabled on fp-osos ? It would be really disappointing to find out that, e.g., GPS is not fully working due to binary blobs that can’t be included.
  • what about updates ? Will an update be available at the same time (or before because of less components to test) than the closed fairphone OS ?
  • will the model be the same as between, e.g., Fedora and RHEL where the first is a test bed for features to later include in the latter ?

6 Likes

I’m really, really, disappointed! :frowning:

I love my GoogleApps - but I also love that FP1 came rooted, so I could also use Apps like Gravity Box (and get rid of the ugly “empty SIM slot” symbol) or Titanium Backup. I was totally planning to use the latter to transfer data from FP1 to FP2. Data which is very important to me but will now be stuck on FP1. I used those “root apps” without being a total tech nerd and I never had any security issues.

I knew that FP2 would come unrooted. But I trusted your word that it could be rooted easily (which having to install a different OS for me isn’t) and I totally expected the same usability as FP1 afterwards - with Google AND root access. So, reading now that this won’t be the case really comes as a shock!

16 Likes

And that’s where it hurts. In my day job, I’m a developer, but I clearly don’t want to work 2 hours every 2 weeks to patch up every vulnerability found. That’s where the “updater” button comes into play.

I neither have a building environment at home, nor the time required to build and maintain a build I could install for my phone (with the drawbacks it includes : non-working components, risk to brick the phone, …), nor the wish to do it. On my Xperia V, it took me several minutes to root the phone (flashtool), and one hour or so to install the CyanogenMod build I’m running. That’s KiSS philosophy (Keep it Simple, Solo).

I have understood that a fp-osos build should be available, so I shall sadly wait until it’s the case to be able to enjoy my Fairphone, although, like @mgkoeln, I think that installing a whole OS to be able to have root access is a little bit overkill.

Oh, and @georgmayer :

You’re my hero. On my side, I only use Google Play and Talkback. The rest is useless to me (and that’s where http://opengapps.org/ should come in handy).

I hope a solution can be found to this seemingly inextricable problem.

10 Likes

So further more, if I understand correctly if we flash the alternative OS no more support? no more updates?

:-1:

Community waits over 6 months to get the FP2 hardware.
Now community has to wait an indefinite time to use the software it likes on FP2!

For the FP team it is more important that special banking apps are running (where everybody can use the banking website) but really great software like fqrouter2 could not run on FP2.
SuperSU can ask me every time for granting root privileges for a certain software. When I trust this software (e.g. I coded it or it’s open source), there is no security problem. It’s like “sudo” on linux.

Why has FP not asked the community regarding root? You make us very frustrated. It’s a very bad new years surprise!!

10 Likes

I think I’m especially disappointed that this decision is now imposed on us without having previous consultation with the community.

I can understand and live with the fact that it doesn’t come pre-rooted. But making it such a big hurdle and with so many question marks around support from Fairphone, support of the hardware, support in updates, speed of updates, … is disappointing.

Why not supply a signed package by FP of su on a special download site so that people who want to can use it to root the phone ?

It was very easy for me to root my Samsung XCover, a company owned, locked phone. It seems it will be a lot more difficult to do this with FP2, a ‘fair’ phone. I don’t think that’s ‘fair’ for the community.

It really seems perpendicular to the logo of Fairphone: “Yours to open, yours to keep.”.

(emphasis mine)

This is spot-on.

Now I wonder if Fairphone will do that ?

10 Likes

I think the problem is not that big. Just for the record I also dislike the metaphors chosen by @keesj, but I understand his point, also he does not have a lot of choice.

But with the source code and bin blobs released, the FP project will be able to build both versions automatically without a lot of extra work (I think).

 AOSP image      =  AOSP +  FairphoneLauncher3 + bin blobs + /system/xbin/su
 Fairphone image =  AOSP +  FairphoneLauncher3 + bin blobs + google apps

Will this be possible? Or are there restrictions? Users will not be able to share this, based on the bin blob “Special License Agreement” and also a “trusted” source would be useful.

I’m not sure if a version without bin blobs will work correctly, there are a lot of proprietary files (camera, audio, gps, gfx) in the 193 Mb file. That would be interesting to know. I don’t think so. But it’s hard to find an up-to-date SoC without any bin blobs these days. So you will need an AOSP image with bin blobs anyway.

$ sh fp2-sibon-2.0.0-blobs.sh  --list | grep -i "\.so" | wc -l
473

$ sh fp2-sibon-2.0.0-blobs.sh  --list | grep -i "\.dat" | wc -l
66

4 Likes