FP Security Updates need to be more frequent

Seems I bought a brick.
Without recent security updates I cannot use it.

https://www.yahoo.com/tech/fairphone-4s-long-delayed-android-112204100.html?guccounter=1

Yes, you can.

Except if you only have a 100% risky behavior.

And you shouldn’t overemphasize it.

As already said, the FP4 is on a bimonthly update route, so the next update will be the November one, not October.

You are citing articles about the next Android version, not security updates.

Yes, you can.
Except if you only have a 100% risky behavior.

Wrong risk assessment!
If a smartphone is used for highly private matters (e.g. approval for payment transactions, health data, communication with doctors, lawyers, private photos…) and this smartphone has a whole series of highly critical security vulnerabilities that are already being exploited in practice, then this cannot be judged critically enough!
The phone can be taken over unnoticed, you can be tapped, data can be derived.

If you know about the importance of privacy and the dangers that arise when it is not given, you cannot speak of overestimation.

As already said, the FP4 is on a bimonthly update route…

Bad enough!

You are citing articles about the next Android version, not security updates.

Yes, because I know that some important security updates are only available for the latest Android version (you know this too?).
So these updates are sometimes denied to the FP4 for years and security vulnerabilities remain open for years!
Your phone can be exploited easily so.

Unfortunately, based on your answers, I have to assume that I can’t expect anything more from Fairphone in terms of security.
I will draw a line here, buy a Pixel 8 and sell the FP4.
Thank you!

That depends on the nature of the security flaw. Just because it is rated as highly critical doesn’t mean it can be exploited remotely for example. If it needs physical access to the device, it’s literally in your hands, whether it affects you.
So what is ‘easily’ in your opinion?

As far as I know important security updates are rolled out for all Android versions still supported.

I know and I fully agree, that security updates are important, but the constant nagging, that Fairphone doesn’t release them as fast as Google itself, doesn’t help anybody, especially as this is only a user forum and complaining only reaches fellow users.

Please understand a substantial amount of fixes are only available via the Pixel Security Bulletin which is only made available for the latest branch of Android. ie.:

  • the latest PSB for A15 is November 2024
  • the latest PSB for A14 is October 2024
  • latest for A13 is September 2023. As in FP4 on stock is missing 14+ months of security fixes.

I explained this here: Pixel vs. Android security bulletin

…doesn’t help anybody, especially as this is only a user forum and complaining only reaches fellow users.

As far as I know, there are also FP support users here in the forum. Anyway.
I think it’s important that security-conscious smartphone users know that there are problems with FP updates and Android version rollout.
So it’s good that you can read about it here and also find it using a search engine.

If you take this that serious, you need to dump about 85% of all smartphones currently used worldwide, if not more.

Yes, you are right. And those phones are not labeled as fair and/or sustainable.

BTW, I guess that this is one of the key misunderstandings at Fairphone, that those two phrases are used synonymously in most cases. So this again is once more an example of a communication that generates expectations that are obviously very hard to fulfill.

If you take this that serious, you need to dump about 85% of all smartphones currently used worldwide, if not more.

That is absolutely right!

Unfortunately, most people don’t care - ignorance, lack of knowledge, stupidity, convenience? I have no idea.

Political pressure should actually ensure that zero day exploits are closed promptly.

However, I suspect that open security vulnerabilities are too important for secret services.

Yeah but expectations are not the fault of FP, those are based on personal behaviour/experience and its always surprising what one understands what fair means in context with Fairphone. It def not means to be especially fair to those requiring 100% secure phones.

Of course expectations are being created in the users minds, but FP’s communication has a significant impact on them, too. And of course the aim to be fair in the supply chain does not necessarily mean to be fair to the last chain link, the customer.
IMO fairness for customers means repairability, long and sufficient support and maintenance. And of course we all mix up fairness and sustainablility far too often.

So why are you bothering about fairness or sustainability, if you have to dump your phone every year and buy a new one? Or even after a month after buying it, because the manufacturer or provider doesn’t deliver a full security package at once?

Your expectations are just to high, again I agree that security updates are necessary and important, but complaining that every phone without the latest major version of Android and the most recent security update is a unbearable security risk is just not true.

Google has aggressively ramped up long term support of Pixels: Google Pixel | endoflife.date

  • Pixel 9 series has full updates (major OS + security updates) until September 2031.
  • Pixel 8 series has full updates (major OS + security updates) until October 2030.
  • Pixel 7 series has full updates until October 2025 and security updates until October 2027.

Re Fairphone:
I really just recommend users of FP4/FP5 switch to CalyxOS and for FP2/FP3 users to switch to my DivestOS.
You won’t get full updates until after Fairphone makes available the vendor junk, but at least you’ll get way more core AOSP patches on a timely schedule.

May I ask why not DivestOS for these devices? Because DivestOS lacks Android 14 resulting in weaker security?

Your expectations are just to high, again I agree that security updates are necessary and important, but complaining that every phone without the latest major version of Android and the most recent security update is a unbearable security risk is just not true.

Even if most people don’t care, it’s still true and dangerous!

The legal regulations are far too weak.
If a car has a safety defect, it must be rectified promptly, otherwise you are not allowed to drive it. If you still drive and get caught, you pay a fine or the insurance company won’t pay if you have an accident.

But if you use a smartphone with security vulnerabilities, everything is fine. Find the fault.

Got my Pixel 8 now.
This is, how it should look like:

Android version
15

Android security update
November 5, 2024

Google Play system update
October 1, 2024

This is my last post here. FP is past for me.

You did already, it’s a phone, not a car. You can’t drive into a group of people with it.
As I said, you are absolutely overemphasizing this. But now you are a happy user of a Pixel with the most recent updates. It’s still not a safe device ;).

Yes it is. Pixel devices are proven to be the most secure phones on the planet. You probably mean that the user can still make mistakes or the existence of 0 days? Of course perfection doesn’t exist.

Perhaps not, but the odds of getting owned by a 3 month old unpatched kernel exploit and getting owned by a 0-day seem kind of different, don’t you think? When Stagefright was revealed, any and all devices were vulnerable from receiving a mere MMS. Easily sendable to massive amounts of people, and hard for most people to avoid.

I’d rather see the next Stagefright be patched in a matter of days or weeks. As it is now, we’d be lucky to have a fix in 3 months.

Vulnerabilities aside, some work profiles stop working when you are x months behind on updates. So people using a FP4 for work regularly get locked out of their work apps. That if anything strikes me as sad.