Has anybody received the latest security update yet?

These implications might be “nasty” from a hacker’s perspective. For the vast majority of average users this simply means smaller downloads and faster updates.

Fairphone should of course provide a recovery image which can be used via sideload. And I guess they will do that sooner or later.

3 Likes

Also for “normal” people who miss updates and can’t get to intermediate updates any longer, as you need to apply those differential updates one after another.

1 Like

I’ve got one Fairphone 3 user who reports that he only received the 26 December update today. He kept reporting that he had checked for it repeatedly before.

Anyone else with such a long wait? Any ideas what could explain such a long delay? It seems unlikely to me that the update was supposed to be spread over such a period.

I got the December Update (Version 5th December 2019) only today (8th January 2020).
I checked several times in the time between for updates, but only today I got it.
Before December Update I had the October 2019 Version.

2 Likes

As far as I know, this is normal.
The Android OTA algorithm includes a lottery based on a unique identifier. When a phone checks the server for the first time if an update is available, the server will remember the unique identifier and assign a random number. This random number will not change, no matter how often you click on “check updates”, and based on the random number the server decides WHEN you get your update.
A small number of users will get it right away. (tens of devices)
A bigger number of users will get it after a week (hundreds of devices)
There might be a third and even a fourth stage - upscaling to half the users and all the users - if you are in the second half, you might have to wait over a month extra, and there’s almost nothing you can do about it :frowning:
(some forums suggested wiping the data of the updater service, thus causing a new unique ID to be assigned, which might or might not run the lottery again)
I don’t have the link where I read about this, but Google should find it.

The reason for that is to catch catastrophic updates before they affect too many users. Sometimes updates have bugs that don’t show up during internal testing because they only affect people in certain regions or certain situations. Assume the phone would crash and never ever boot again when you took a phone call from a Chinese number between midnight and 1 am - or something like that. That wouldn’t show up in testing, but you might get a few error reports from affected users and could stop the update from going out to the rest of them.

8 Likes
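
The staged rollout described in the post above, as an added illustration that is not part of the original thread and not Google's actual server logic: a toy server gives each device identifier one sticky random draw and opens the update in stages. The stage schedule, class name and method names are assumptions made up for this sketch.

```python
import random

# Constructed rollout schedule: (day the stage opens, fraction of devices eligible).
STAGES = [(0, 0.01), (7, 0.10), (14, 0.50), (28, 1.00)]


class RolloutServer:
    """Toy update server: one sticky random draw per device identifier."""

    def __init__(self, stages=STAGES, seed=None):
        self.stages = stages
        self.halted = False            # set to True to stop a bad update
        self._draws = {}               # device_id -> fixed number in [0, 1)
        self._rng = random.Random(seed)

    def _draw(self, device_id):
        # Assigned on the first check-in and never re-rolled afterwards.
        if device_id not in self._draws:
            self._draws[device_id] = self._rng.random()
        return self._draws[device_id]

    def eligible_fraction(self, day):
        """Fraction of the fleet allowed to update on the given day."""
        fraction = 0.0
        for opens_on, share in self.stages:
            if day >= opens_on:
                fraction = share
        return fraction

    def check_for_update(self, device_id, day):
        """Return True if the server offers the update to this device today."""
        draw = self._draw(device_id)
        if self.halted:
            return False
        return draw < self.eligible_fraction(day)

    def first_offer_day(self, device_id, horizon=60):
        """First day on which a daily check would succeed, or None."""
        for day in range(horizon):
            if self.check_for_update(device_id, day):
                return day
        return None
```

Checking again on the same day always returns the same answer for the same identifier, and setting `halted` stops the update for every device that has not been offered it yet.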

Also a full update would be interesting to me. I have uninstalled Google Services Framework and thus my FP3 lost its update ability (the menu simply vanished).

Android is so fundamentally broken if you cannot even receive a zip without a Google proprietary framework…

6 Likes

Absolutely, we DO need a complete update image.

Edit: One issue with an update image is, they would have to update it every time they release any patch or new version. Phones that comply with Google’s “Android Verified Boot” do not allow downgrades of the system, only upgrades. If you install any update, going back to the old version is impossible once the new version booted once, as the bootloader will remember that. So even with a full image available, you could only install it if it’s the same or a newer version than what you have on the phone, not an older one. https://android.googlesource.com/platform/external/avb/+/master/README.md
Booting an older version is only possible if the phone/bootloader has been unlocked.

That being said, I think your problem can be fixed using adb, as the app is still in /system, just “not installed for user 0”. Try

adb shell pm install --user 0 /system/priv-app/GoogleServicesFramework/GoogleServicesFramework.apk

This should work for any apps that have been removed using

adb shell pm uninstall --user 0

as suggested in

4 Likes
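
A simplified model of the rollback protection described in the post above, added here as an illustration and not taken from the thread or from the AVB code base: the bootloader keeps a stored rollback index and, while locked, refuses any image whose signed index is lower. The class names and result strings are assumptions of this sketch; the linked AVB README describes the real mechanism, where the stored value lives in tamper-evident storage.

```python
from dataclasses import dataclass


@dataclass
class Image:
    name: str
    rollback_index: int          # value the vendor signs into the image metadata
    signature_ok: bool = True    # stands in for the real signature check


class Bootloader:
    """Toy model: a locked bootloader never boots a lower rollback index."""

    def __init__(self, stored_rollback_index=0, locked=True):
        self.stored_rollback_index = stored_rollback_index
        self.locked = locked

    def verify(self, image):
        if not self.locked:
            return "OK_UNLOCKED"             # unlocked devices boot regardless
        if not image.signature_ok:
            return "ERROR_VERIFICATION"
        if image.rollback_index < self.stored_rollback_index:
            return "ERROR_ROLLBACK_INDEX"    # older than what already booted
        return "OK"

    def boot(self, image):
        result = self.verify(image)
        if result == "OK":
            # After a verified boot the stored index is raised, never lowered.
            self.stored_rollback_index = max(
                self.stored_rollback_index, image.rollback_index
            )
        return result
```

An image with the same index as the stored one still boots, which is why a full image is only useful while it is at least as new as what the phone last booted.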

Excuse me? You’ve been tampering with your phone’s operating system at your own risk. So don’t blame Google now.

I think he has valid critique.

Android is an open source system with proprietary extensions.

The latter is OK, because it’s Google’s business model, and people are free to build a phone or phone ROM without it. (LineageOS for example)

Or people are forced to do it without it because of political reasons, for example because a US embargo forbids Google to do business with you.

Some people might simply opt to want a phone without Google - for whatever reason (trust, privacy, political, …), and (since so far no alternate ROM is available) uninstalling or disabling the proprietary apps from Android is the only option.

The issue is, the update mechanism Fairphone uses to update Fairphone 3 only works with this proprietary Google extension, which is installed in a privileged way.

That being said, how privileged are Google Play Services (formerly known as Google Service Framework) actually? Could a user install an open source app and use that to trigger updates (providing the update URL manually) the same way he/she could use adb to sideload the update from the recovery system?
I think that should be possible, after all the Google Play Services don’t run as root, but should be using an Android API call which needs enhanced (device administrator) privileges that the app can be given by the user.
Worth looking into.

Edit: This is what LineageOS uses: https://github.com/LineageOS/android_packages_apps_Updater

Edit again: You don’t need proprietary stuff to install updates. The capability is exposed through
https://developer.android.com/reference/android/os/RecoverySystem
and android.os.UpdateEngine

There is an underlying daemon process running with root privileges, but that is open source:
https://android.googlesource.com/platform/system/update_engine/

So, long story short, you don’t really need Google Play Services, you could write your own app to do it. (Edit: But because Fairphone uses Google Services to announce updates, this would possibly require significant amounts of reverse engineering, see https://habr.com/en/post/446790/ )

Another issue is that Fairphone utilizes Google Cloud to provide information about which updates are available to phones and lets them download it. But while that is using Google services server side, they can be queried from third party apps as well.

4 Likes

Normally you can flash your firmware to an original state. Not with incremental updates. What if firmware becomes corrupted? Tough luck? I don’t think so.

OK, so I’ve discovered what happened with my lack of updates.
My problem was that I hadn’t received any update since I’d got the phone at the end of October. The security patch was September 5th.
I got a very weird answer from support saying that, as my mobile operator was Orange (France), I had to get in touch with them for the updates, even though I bought my FP3 directly from Fairphone and not through Orange. I answered saying I strongly disagreed with that, but it gave me an idea: I switched my mobile data to my work SIM which is another operator (SFR), and I immediately had updates available, 3 to be precise: one for September, one for October and one for December. I was in fact 3 updates late.
My conclusion is that the partnership between Orange and Fairphone had led to a technical misinterpretation in considering that all FP3s with an Orange SIM were purchased through Orange and also had to receive updates through them. The problem is that FP3s like mine which were purchased directly on the FP3 website are not configured for the Orange updates and are probably refused access to the “normal” FP3 updates, or something like it.
So I would advise anybody who hasn’t received the October update to try with another SIM (or perhaps no SIM at all?).

11 Likes

Interesting. Did you communicate this theory back to support?

1 Like

Yes, but no reply yet…
I also told them that in any case I didn’t want Orange’s updates because I’m not interested in their bloatware.

4 Likes

Really makes me wonder what happens with no SIM in the phone :slight_smile: My updates are up to date, so I can’t tell right now, have to wait for the next one.

1 Like

A partnership that cripples the phone’s ability to receive regular updates? This whole branding sh*t should belong to the past. Apple has proven for 12 yrs now that the OEM does not have to accept operator bloatware on its devices. Unfortunately, not every manufacturer is in such a privileged situation that every carrier wants to sell its phones …

Actually, based on how I understand the code of the AOSP Settings software:

(look for CARRIER_CONFIG_SERVICE) Android includes an ability of the carrier of the cellphone network it is connected to to override the phone manufacturer’s update path (which uses Google’s checkin-service through the Google Play Services to search for updates).

This means, short of dumping Google altogether and hosting their own OTA infrastructure, Fairphone has no way to prevent that. Any carrier can tell any phone to retrieve updates from an alternate URL as soon as you have their SIM in your Android phone by pushing a GSM config packet over the network to your phone. Normally that only sets APNs and server URLs for stuff like MMS services, but it can override your updates!

Apparently Orange has chosen to do so with Fairphone, however without actually providing updates.

That being said, to be installed, such an update would still have to be cryptographically signed by Fairphone to be installed, so the impact to do malicious shit is somewhat limited. It just results in you not getting updates if you have their SIM.

3 Likes

@Monica.Ciovica: Can Fairphone please confirm with Orange what the actual update situation is and, if Orange really override the setting, get this sorted out somehow with them?

6 Likes

Thanks!
Perhaps she could also see if the problem is likely to happen with other mobile operators.

At least none of the German carriers–Vodafone, Telekom, MD–is doing any comparable branding. AFAIK they’re all selling the FP3 “as is”.

The nasty thing is, this will happen even to an “as-is” stock Fairphone you bought through the webpage, if you put an Orange-France SIM card in it.

3 Likes