The Fairphone 4 has a Qualcomm chip. That SoC’s security module (TEE?) should be capable of FIPS 140-2. An app I need to use for work complains that my Fairphone is not FIPS 140-2 compliant. The app still works fine. But it’s strange that the #fp4 doesn’t support this standard.
Fairphone support said a few months ago they would come back with an answer about this issue. I bumped the issue in their support system, hopefully they have an answer soon.
Just some info to highlight why this support is important.
FIPS or the Federal Information Processing Standards are public standards built by the US federal government. FIPS standards cover a wide range of requirements across security and interoperability. More specifically, FIPS 140 is focused on specific requirements for cryptography modules. The current version of this standard is FIPS 140-2. You’ll hear people in the security industry refer to FIPS as: FIPS, 140, FIPS 140 and FIPS 140-2. Most of the time these are all in reference to FIPS 140-2. Because many public and private sector organizations require that FIPS-compliant cryptography modules be used, Appdome enables organizations to secure mobile apps so that they use FIPS 140-2 cryptographic modules. This allows organizations to immediately make any mobile application FIPS 140-2 compliant in a manner of minutes – all without any development effort.
Still no answer from FP support. They closed my ticket twice now without any feedback if FIPS 140-2 support is not included or broken.
Why it matters:
FIPS 140-2 is a NIST publication that lists security requirements for cryptographic modules protecting sensitive but unclassified information in computer and telecommunications systems. FIPS stands for “Federal Information Processing Standard,” and 140-2 is the publication number for this particular FIPS. The NIST issued FIPS 140-2 on May 25, 2001, as a successor to FIPS 140-1, which also addresses security requirements for cryptographic modules.
Finally got a reply. Here is the most important bit.
I’m sorry to say that it looks like FIPS 140-2 will not be supported on the Fairphone 4 in the near future. It’s not an intentional limitation. Currently the issue lies in time and resource constraints. Many companies supply their employees with the Fairphone 4 but so far, you are the only person to ask about FIPS 140-2 support, so the priority is low.
I will keep following up about this internally, but I can’t promise anything. Would you like me to keep this ticket open and dedicated only to FIPS 140-2 support?
My reply to support:
I suppose not many companies ask about this is because they are not aware this phone doesn’t support it and the implications. But is it really a business feature? I don’t think so, also many other security features depend on this being appropriate applied. Please correct me if I’m wrong on this.
Is this really something that requires a lot of work? Android has support for it, so if the hardware supports it too, then it shouldn’t be much more work. Not being FIPS-140-2 compliant, wouldn’t that impact the way credentials are stored in the “secure enclave”? Such as your fingerprint data, key material for bank apps, etc.? Are those now stored insecurely?
Isn’t this something you can check witch Qualcomm? Maybe the solution is simple such as just loading a kernel module? Or maybe adding a build flag when compiling Android? I don’t really understand why this requires development from your side. The hardware is from Qualcomm, of which you get the official drivers, the hardware has ARM TrustZone and Android should already have support for FIPS as well.
One support email to Qualcomm might straighten this issue out.
I work in IT and combining multiple issues in one ticket is considered a bad practice. The only reason I can think of to do this is to keep the ticket queue low, but that’s only temporarily. The overview is just gone.
We all run the same phones and software, I recon most issues are similar and I guess it would be easier and better to just link similar issues into one ticket. Rather than grouping multiple similar tickets into one. Then you also have to communicate back to every user when information is requested. Which from my experience differs to each support person already. Keeping the information central may solve issues faster and keeps everyone on the same page.
This is a hardware limitation, which cannot be addressed after the production phase. The FP4 will never be compliant with FIPS 140-2. This does not mean information is stored or processed in an insecure manner.
As you pointed out, the hardware from Qualcomm can meet all the conditions for FIPS 140-2 and it’s already certified. The issue is related to proving this to applications that explicitly require it.
Compliance with FIPS is required in very specific cases, e.g. apps intended for use by government officials (depending on the government). When it comes to the private sector, it’s possible to rely on it, but it’s not mandatory.
This answer wasn’t entirely clear, so I asked.
This is great news, that it doesn’t affect the security. I am somewhat confused why it cannot be enabled anymore.
You point out that it is a hardware limitation, but also that Qualcomm can meet all the conditions and is already certified.
Could you maybe rephrase that in a different way? Because now I read both that the hardware is not capable of doing it, but it is certified to do so.
If this is something that really cannot be addressed anymore, could it be something for the Fairphone 5? It sounds like all the groundwork is covered by Qualcomm already.
Of which the reply was.
The hardware is certified but for applications to recognise this, a certain flag needs to be set. This flag can be set only once and it must happen during manufacturing. That’s why this is not possible for the Fairphone 4.
Now that the team has spent some time looking into this, they’ll consider the pros and cons (costs) of adding it in future devices. Hopefully you’ll be able to use a Fairphone for your work soon!
But the highlight of the story is that there is no security issue. There may be some apps that won’t work due to the certification flag not set. These apps may be rare and probably used in high level security environments.