I am also very disappointed by the fact that Fairphone will not provide any support on upgrading to Android 4.4 or 5 for the first Fairphone versions.
New security issues are popping up every now and then and it is of highest importance to the users that those bugs are fixed immediately to prevent potential threats.
The maintenance of the existing Android versions or the ability to upgrade to safer versions is the key to preserving users' security and privacy - unfortunately it needs to be done by the manufacturer.
The latest issue as of today for Android <=4.3 is described here (German): http://www.heise.de/newsticker/meldung/UXSS-Sicherheitsluecke-in-Android-Jetzt-Geraete-testen-2569003.html
I am worried about using the Fairphone because of the lack of support from the Fairphone team facing the severity of security issues on Android, which definitely will become an even bigger problem in the future.
Bottom line, Fairphone needs to continuously provide security patches, as centralized desktop environments like Linux, OS X or Windows do.
Android might not be the platform of choice considering the fact that the manufacturer is responsible for taking measures, which of course will use a lot of resources that would otherwise be used to develop new features or new phones.
Please take this post as food for thought and discussion.
That is not entirely true (see the thread mentioned by @Stefan): Android contains a component called WebView which is used by many apps to display web content, portions of websites and ads. While following the tips from that thread and using Chrome or Firefox for browsing is certainly a good idea, you will still be vulnerable to attacks on the WebView (if you use such apps as described above).
The only thing I as a user can do to “protect” myself from third party software that includes, for example, this code to gain full root access to my device, is to stop installing any third party software, including updates to software that is already installed.
In other words: I can stop using my device.
I don’t think responsibility for dealing with such an issue lies with the user. It’s up to the manufacturer to ship software updates that include publicly available fixes for vulnerabilities like the one mentioned above, or e.g. for CVE-2014-3153 (“Towelroot”, also still exploitable with version 1.8).
[quote=“Stefan, post:3, topic:4991”]
Even if the FP team’s ambition is to provide patches at least till the end of 2016, these issues won’t be addressed instantly.[/quote]
Alright, so patches won't be provided instantly. But will they ever? How do things look with serious security issues? Will the UXSS issue ever be fixed for my Fairphone?
My bet is that it won’t. Ever. So if you want undisturbed sleep my suggestion is that you
a) stop using the default Android browser.
b) avoid apps that make use of Android's WebView function. I have no idea which apps we are dealing with (anyone having a list?). Apparently Facebook is one of them, but you can disable the FB app's built-in browser and use your chosen third-party browser instead.
As pointed out earlier, a) is easy to follow but b) isn't. How would you be sure (or find out) that an app is or is not using WebView? I suppose that avoiding such apps might be an option for tech-savvy users, but not for the average user with limited tech knowledge.
Indeed, using Firefox is safe. But that doesn't mean your phone and other apps are. Firefox does not use the WebView component and was never affected. Try to run the test with the default Android browser.
I'm blocking the Internet access of the default browser with AFWall+, and I don't want to unblock it. I believe you that it's affected. I'm pretty sure some other apps I use are too... If someone could find a way to disable WebView generally...
The default browser is vulnerable according to my check with the linked test page. I immediately switched to Firefox, and see the hoped-for longevity of my FP go down the drain…
Once I cannot rely on security issues being fixed, I eventually have to replace my device. It's like holes in a barrel: if you don't fix them properly, you eventually run out of hands to seal them, and then you run out of beer, and THEN you are in trouble...
If this is the case, we will fix it. WebView is a different beast because of the lack of existing patches. At the time of Towelroot we tested the device and found it not vulnerable.
Thanks, that's good to hear. To be honest, I only "tested" my phone using this tool, so it may as well be that their detection method for Towelroot is flawed.
Will you also fix the newer CVE-2014-7911?