I am very interested in switching to a fair/sustainable smartphone, but security and privacy are also important to me, which is why I am currently using GrapheneOS on a Google Pixel device.
However, in order to maintain a reasonable security level, proper software support is needed: Fairphone seems to offer several years of support.
So I was very surprised when I discovered this posting:
@fairphone team: is this statement correct, that proper software/security updates are limited due to insufficient SoC vendor support?
If yes: what is the reason for not choosing/providing/implementing hardware components (secure element, alternate SoC) that allow proper device security and software maintenance/security upgrades for the whole period of time the device is expected to be used?
Regarding the secure element/trust zone functionality, I have discovered this thread:
… according to which the Fairphone software/hardware status remains unclear (at least for me): a Titan M does not seem to be implemented, and it is unknown whether there is an equivalent alternative that can be used.
Although Fairphone offers Android upgrades for a long period of time, this does not directly mean that the kernel / patches / hardware drivers are maintained properly – usually this depends on the SoC vendor, which is responsible for its kernel patches and hardware drivers, which are highly security relevant. So if those vendors continue to not mainline those drivers, it is a lot of dedicated work to maintain legacy and heavily patched kernels. But perhaps Fairphone also performs this type of maintenance work?
Regarding the SoC/vendor support: the security support that Google offers for its Pixel devices differs between the Pixel 5 (3 years) and the Pixel 6 (5 years):
So there is at least one SoC with 5 years of security support…
Furthermore, it seems like the Pixel 6 SoC is based on an Exynos 2100, which is perhaps(?) also available for other smartphone vendors to use in their products:
(please see next post, because “new users are only allowed to put 2 links in their posts” )
So if Google offers security support for the Pixel 6 devices, those patches might also work (to a certain/high(?) extent) on an original Exynos 2100 based product.
This is quite a lot of speculation, but (if Fairphone support does not include kernel maintenance) it seems to me like the only way to realize an Android-based smartphone that is really eligible for long-term use (longer than 2 or 3 years): at least with the notion that it is not a reasonable option for users to be exposed to (kernel level) security issues that remain unpatched after vendor SoC support ends (usually after 2 or 3 years).
Please correct me if I am wrong… Otherwise it could make sense to contact Fairphone with such a suggestion.
The SoC FP4 uses has a TEE (Trusted Execution Environment) which does offer verified boot and other security features. But they don’t seem to support it for 3rd party ROMs. It’s not a Titan M, but it’s equivalent.
But the bottom line is that a FP4 with the stock ROM offers good enough security. I don’t know the real details of what Titan M offers extra. And of course Google releases timely updates for their Pixels. FP lags behind by about a month with the FP4. In a few years it will release updates less frequently, just like some Samsung models.
Security is important. But security comes in many forms. If we don’t change our values and which companies we reward, we will enter an uncertain future where digital security will be a useless luxury. That sounds dramatic, but the trends and science don’t lie. We need to change and start supporting a sustainable direction. If that means I get a security update a month later, then that’s a trade-off I’m willing to make.