FP Security Updates need to be more frequent

my wife has a samsung s21
it gets updated every 6 months :expressionless:
Fairphone is still better than them, but still a far cry from Google Pixels, so there is still a long way to go

1 Like

Samsung S21 getting biannual updates doesn’t seem to match up with what their website says

https://security.samsungmobile.com/workScope.smsb

It would also surprise me seeing as they are offering 5 years of updates and the phone is roughly 3.5 years old.

I am not exactly sure what you consider nonsense :slight_smile:

Maybe my previous post was not clear, so I will add some more information to make it clearer.

The “patches” I was referring to are not only limited to the Android framework scope (to simplify, the Android system), but also kernel changes and the most tricky components, the third-party software, which mostly comes from our chipset manufacturer.

As per internal decision, we always ship the “5th of month” SPL, which means we have to patch at least all CVEs listed in the 5th-of-the-month section of the bulletin (which includes, indeed, kernel and third-party software).
Most other manufacturers instead release the “1st of the month” SPL, which makes the integration process quicker but also less complete.
The difference seems small, but it isn’t: in practice, the most sensitive and tricky-to-integrate security patches are the third-party software modules, as they frequently come as closed source or binaries and might cause critical system instability or basic feature malfunctions, due to their low-level execution.

Some “non-official” (forgive me for the word, it is not the most correct in this context) Android-based OSes are indeed very quick in integrating security patches, but that is possible due to the fact they do not need to submit their software for official approval by Google, as all GMS-compliant builds must do before they release to the public.
Furthermore, with all respect to the great work GrapheneOS is doing on security (which is truly remarkable, not being sarcastic here), they do not need to and cannot integrate third-party security patches, as the SoC manufacturer does not give public access to their component repositories.
That step, as said before, is one of the most time and resource consuming as it is one of the most prone to critical errors that are also more difficult to debug and fix.

Last remark: the date on the patch commit into the AOSP tree does not necessarily match with the date of its public release :wink:

Are the above excuses? NO.
Does it mean Fairphone cannot improve its software security release process? NO.

We are aware we are not the best performer in the industry when it comes to security patch release rapidness, and we want to improve on this aspect, as well as other aspects connected to software and information security.
In fact, we are already evaluating all the possibilities to speed up the integration and release process, and we are learning from our current processes in trying to reduce overheads and parallelize tasks as much as possible.

37 Likes
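The “01” versus “05” patch-level convention the post above describes can be checked on a device, not just read about. The following is an added example, not Fairphone’s code: a small Python script that parses a `getprop` dump, classifies the reported SPL as a 1st-of-month or 5th-of-month level, and counts how many months it trails a given bulletin. The property names `ro.build.version.security_patch` and `ro.vendor.build.security_patch` are the standard Android build properties; the sample property dump is constructed for the example and not captured from any real device.

```python
import re
from datetime import date

# Android bulletin convention: a device declaring a YYYY-MM-01 patch level
# addresses the "01" section of that month's bulletin (largely framework /
# AOSP issues); a YYYY-MM-05 level additionally addresses the "05" section
# (kernel and closed-source vendor / SoC components).
SPL_SCOPE = {
    1: "framework only (01 level)",
    5: "framework + kernel + vendor (05 level)",
}

SPL_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")
# `adb shell getprop` prints one "[key]: [value]" pair per line.
GETPROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_spl(spl: str) -> date:
    """Validate a security patch level string and return it as a date."""
    m = SPL_RE.match(spl.strip())
    if not m:
        raise ValueError(f"not a YYYY-MM-DD patch level: {spl!r}")
    year, month, day = (int(x) for x in m.groups())
    if day not in SPL_SCOPE:
        raise ValueError(f"unexpected SPL day {day}: bulletins use 01 or 05")
    return date(year, month, day)


def spl_scope(spl: str) -> str:
    """Describe which bulletin sections a patch level claims to cover."""
    return SPL_SCOPE[parse_spl(spl).day]


def months_behind(device_spl: str, bulletin_spl: str) -> int:
    """Whole months between the device's SPL and the bulletin's SPL."""
    dev, bul = parse_spl(device_spl), parse_spl(bulletin_spl)
    return (bul.year - dev.year) * 12 + (bul.month - dev.month)


def parse_getprop(dump: str) -> dict:
    """Turn the text of `adb shell getprop` into a {key: value} dict."""
    props = {}
    for line in dump.splitlines():
        m = GETPROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def assess(dump: str, bulletin_spl: str) -> dict:
    """Report the framework SPL (and vendor SPL, if present) against a bulletin."""
    props = parse_getprop(dump)
    spl = props.get("ro.build.version.security_patch")
    if spl is None:
        raise KeyError("ro.build.version.security_patch missing from dump")
    report = {
        "spl": spl,
        "scope": spl_scope(spl),
        "months_behind": months_behind(spl, bulletin_spl),
    }
    report["current"] = report["months_behind"] == 0
    # Treble devices also expose the vendor partition's own patch level; it can
    # lag the framework level, which is exactly the third-party gap the post
    # above is talking about.
    vendor_spl = props.get("ro.vendor.build.security_patch")
    if vendor_spl:
        report["vendor_spl"] = vendor_spl
        report["vendor_months_behind"] = months_behind(vendor_spl, bulletin_spl)
    return report


# Constructed sample dump (not from a real device).
SAMPLE_DUMP = """\
[ro.build.version.release]: [14]
[ro.build.version.security_patch]: [2024-08-05]
[ro.vendor.build.security_patch]: [2024-08-05]
[ro.product.model]: [example-device]
"""

if __name__ == "__main__":
    # Compare against the October 2024 bulletin's "05" level.
    print(assess(SAMPLE_DUMP, "2024-10-05"))
```

On a real device, feed it `adb shell getprop` output instead of `SAMPLE_DUMP`. A framework SPL that is newer than the vendor SPL means the closed-source SoC components are older than the headline patch level suggests, which is the situation the post is describing.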

Actually I would say: Fairphone already improved and there is much more continuity, no interruption when working on upgrades etc.

In the end it will never be enough, that's how society behaves nowadays. 1, 2, 3 to read the next thanks, but…

5 Likes

Thanks a lot for making your work and efforts transparent. I guess this will definitely help all here to understand better, what actually is done in the security patch process.

I am still convinced that an improvement is necessary, but with your post you also made this whole thing a bit more comprehensible. Thanks for that! :pray:

9 Likes

We are on the same page then, I am also convinced an improvement is necessary, and so is the entire team :wink:

Making it possible though is another story, but I promise we are working on it :slight_smile:

22 Likes

Excellent news. So this (currently) 386-posts long thread wasn’t for nothing…

There is a caveat though: Words are cheap, and “evaluating” doesn’t imply any commitment. By now I have heard a lot of promises from Fairphone, and while there have been some good surprises indeed, in my experience Fairphone tends to rarely live up to its promises. :face_with_raised_eyebrow:

So I’m waiting to see what will really happen…

5 Likes

Latest Android security bulletin, October 2024:
https://source.android.com/docs/security/bulletin/2024-10-01

2 Likes

If we are lucky we’ll get that for Christmas… :roll_eyes:

Interestingly, your linked bulletin confirms the standard timetable of patch releases:

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

Emphasis mine. Of course that is for the pure Android vulnerabilities which make the vast majority of issues, vulnerabilities in proprietary drivers are handled differently. But one sees that in the vast majority of cases the “last minute” argument doesn’t really stand. :man_shrugging:

5 Likes

This reads as if the patches have been released along with this bulletin, so as of today FP can start the patching and cert process.

Indeed, but I think it’s a little more convoluted than just downloading, branding and sending to the different telephone service providers.
Else there would be no reason for people not to download the patches directly from Google (or AOSP). :thinking:

Chances are those “released” patches are just example code, i.e. telling you which specific part(s) need changing and in which specific way, and each phone builder has to port this to his own personal flavor of Android.

The problem is, all Windows™ PCs run the exact same “Microsoft Windows” OS (+ some drivers), and so they all can get security patches from Microsoft.
But Android phones don’t run all the same OS, they run each a more or less heavily branded and tweaked mod of some form of Android (Google, AOSP, other), which results in this ridiculous situation. :frowning_face:

Back to Fairphone, I think the above means that as of today (October 9th) Fairphone could be working on adapting the November patches.
If they had the (personal, financial) resources and the will to do it… Apparently they have not, so they have decided to start spacing out the patches for the “old” phones… Officially once every 2 months for now, but there is absolutely no reason this wouldn’t increase in the future: After all, “money not spent is money earned”. :frowning_face:

4 Likes

flagship (or any) product with not even monthly and immediate security fixage? bad idea

Hackers targeted Android users by exploiting zero-day bug in Qualcomm chips | TechCrunch

1 Like

Nowadays. There was a time not that long ago when flagships of big companies only got one or two updates in their whole commercial lifetime (OS updates).

Now one has to keep in mind that separate Android security patches are a relatively recent invention (IIRC starting with Android 5, about 10 years ago).
Before that there were few security updates, and they were integrated into the general OS updates, so you got Android version 4.4.1, then 4.4.2, then 4.4.3, and each update potentially also contained security updates–much like Fairphone still does.

My point is, some people didn’t yet adapt to the recent 3-part Android update scheme (OS/security/Play), they still cling to the monolithic single update scheme of Androids <5… Hey, it’s only been 10 years, give them some time to adapt… :smiling_imp:

2 Likes