Fairphone security

Not only environmental but also a smartphone is required for human privacy, which I have not seen in Fairphone. On the other hand, Google Pixel and Samsung are offering high quality security. I am hopeful Fairphone will bring a smartphone with a high level of security in future. Otherwise people will leave the Fairphone and lean towards other mobiles.

1 Like

:open_mouth:
This is a misconception. Just the opposite is the case…
But you’re welcome to install any of the security custom ROMs

2 Likes

Hi and welcome to the forum.
The title is very general and only mentions security for the phone; however, given the text, what privacy are you looking for that the Fairphone could not provide?

I doubt people will leave the Fairphone anyway but even more so based on your assertion that it is not good enough for you, where you explain nothing. :frowning:

1 Like

Custom ROMs are not necessarily more secure. Especially if you have to disable secure boot due to a missing signed boot image. You also have to fully trust these devs. Qualcomm updates are often out of date on old phones as well.

Pixel devices are the most secure Android devices because of the Titan M chip. Also because they get prompt security updates (Pixel 6 seems to have some issues with that, for now).

Fairphone has the Qualcomm trusted execution environment, which is not bad either. And the updates don’t seem to be that much out of sync with other vendors. Fairphone also tends to support phones longer than Qualcomm does, leaving you without proper security support after a few years. This was also mentioned in the recent panel discussion on YouTube.

However, for some reason FIPS 140-2 is not available on the FP4. Do you have this enabled in your custom ROM?

1 Like

That’s why I wrote:

…any of the security custom ROMs… :wink:

And how many have properly signed ROMs and FIPS support? The only one I know is Graphene (only for Pixels).

Hello, and welcome to the Fairphone community forum.
It is unclear to me what is meant by your statement, but you raise a very important point that we all need to be clear about.

As far as I know, security can only be truly ensured by

  • Running 100% open source software for both the operating system (OS) and applications. This means that everything that the software does or is capable of doing can be checked by the user. If users lack the technical knowledge to do this, they can rely on free unattached communities of people who do.
    Installation of such software must provide the means to verify that the compiled code that is being installed matches the human-readable code that has been verified. Some people go as far as doing their own compilation.
  • Using only trusted platforms for data storage, or avoiding such platforms altogether (such as is the case with Signal v. WhatsApp for example). This is much more difficult to achieve with certainty, but such platforms will typically implement open source software themselves and conduct their business in an open, verifiable and transparent manner. Again, knowledgeable independent communities have a major role to play here.
  • Using verifiably secure channels for communication. This is done through the use of verifiable certificates for encryption and identity verification.

In my opinion it would be mistaken to trust any provider of hardware, software or services, that claims “high quality security” without taking steps to demonstrate that they are implementing the above points.

4 Likes

I’m a huge fan of open-source software, using it basically exclusively as far as that’s possible. There have been numerous occasions where open-source software had security bugs for sometimes 10 years, where even a pull request was still not accepted after all that time and was later exploited in e.g. the Linux kernel and OpenSSL. I also remember something similar with Bash. But like you mention, you indeed depend on the community, which luckily also includes many full-time developers from e.g. Google, Red Hat and Intel.

2 Likes

I mean Fairphone security is good, but if Fairphone uses security like Titan M or Knox then I believe Fairphone will be at the top of human demand.

FP uses the Qualcomm TEE, which is equivalent to Titan M. I don’t know exactly where it would come short. But it basically does the same. I do hope they are able to implement it a bit better so that it can obtain FIPS-140-2 support :nerd_face:

3 Likes

I’m very much satisfied with my phone, but I’m a bit disappointed that the Fairphone 4 is about 1-2 months behind on security updates. Samsung and Google both launch these updates every month.

I don’t care much about Android 12 not being available. Even if it would be a nice bonus, I would very much prefer monthly updates on a regular basis.

That’s one of the advantages of the big custom ROM players. They’re often more updated than the originals.

Security is a wide field, so just generally accusing of lowered security doesn’t help very much. Others have written about the hardware, so I won’t repeat this.

On the software side - there’s (almost) no mysterious bloatware on the phone and you can disable every (G*)app you don’t need and replace it with anything OS you like. Plus frequent updates - that’s as “secure” as you can get, nowadays. :wink:

1 Like

Developers can improve security; then the Fairphone will be a very great smartphone.

Personally, I think the camera performance is the single worst part of the FP4 experience at the moment. If they fix that, and speed up the monthly security updates, the FP4 will be an amazing experience for years to come.

However, I understand it’s not realistic to expect the perfect phone from a company trying to be fair. Google and co have people working slave hours to build their ROMs, and Fairphone (hopefully) doesn’t do that.

1 Like