Latest news [11-07-2017] and FAQ - Fairphone 1 KitKat 4.4.4 update

Well, that’s a bit cheap. Android is an open-source project. Google is in no way required to publish any fixes.
Backporting them to versions as old as KitKat is pure generosity. Vendors could backport those fixes themselves if they really cared.

1 Like

That’s not cheap because AOSP sure is open source, but it is in no way free/libre. If Google weren’t so prohibitive, vendors or independent developers could more easily push security fixes upstream.

1 Like

Vendors could do that. However, this

  1. is not always trivial, because code bases differ dramatically and
  2. is not enough since the code differs dramatically and issues that only exist in JellyBean are not fixed at all.

4 Likes

But we got the Kola Nut update in August 2015. I was hoping they would be able to gather any fixes made by communities in the 4.2.2 AOSP and merge them with FairPhoneOS or even backport fixes released for KitKat to 4.2.2, but I see that’s not that easy.

My FP1 is still my personal phone, but I had to move to another phone for work as some special apps were needed and demanded a newer OS and more computing power. Well, I knew the day would come. As I said, for personal use I use the FP1, but it’s becoming more and more unreliable. The phone wakes up very slowly, like it has something going on. I think it’s the newer apps that are hogging it. Have not tried to reset it, no time. Facebook often crashes the whole phone so it has to reboot. Other apps, dear to me, don’t work properly any more. It’s sad. I would love it if this update saw the light. Maybe we can vote on which features are to be prioritized? Is there a problem for the community to help out programming?

See

Is there a problem for the community to help out programming?

Yes, the drivers are still closed source so Fairphone is not allowed to publish them.

1 Like

You can replace the Facebook application by SlimSocial for example. It’s just a wrapper of the web version of Facebook.

That’s what I do for my FP1, I gain a lot of battery and memory.

2 Likes

Hey there!
What is actually happening to the long promised update to Android 4.4 for the FP1? Is it not working or what is the problem? It would be very nice to get some updates from Fairphone about that topic!
Thanks.

2 Likes

I’m waiting for the KitKat update. My FP1 first edition has Android 4.2.2 and I’m not able to use the apps for home banking and my insurance because of its low security. Please! My smartphone works well, I don’t want to change it.

1 Like

There are now a number of things that don’t work on my wife’s FP1 including being able to buy train and bus tickets because it is so long since the last update. Can anyone say for sure that this update will happen or is it time to give up waiting and (reluctantly) get a new phone?

1 Like

FP1 Kit Kat Update: 29 March 2017

New update added to the first post.

10 Likes

Indeed, the most depressing aspect of the Fairphone saga so far is their overall failure to deliver on the longevity promise. The lack of firmware updates isn’t even the worst part of it. The biggest problem for many is the almost complete unavailability of spare parts for the Fairphone 1 and now, I have observed that even for the Fairphone 2 you should not take for granted that you are able to order a new display if you need one. The last I heard of someone who had ordered a new display was that sales informed him they might be able to ship it after 2 months. The lesson I take away from this is that my next “new” phone is going to be a used Samsung device, because I know that spare parts and custom ROMs will be available for a long time to come.

1 Like

Looking forward to its release!

[…] we can free up some of our limited time and resources to focus on other projects… like working on software updates for the Fairphone 1. We can’t yet give you a timeline for when Android 4.4.4 will be available, but we want you to know that we’re still pursuing it.

from: Android 6.0 coming to the Fairphone 2 - Fairphone

1 Like

I’m also eagerly awaiting this update… But just to be clear about the current safety of the phone: apps that still update on this android version (e.g. Chrome, Twitter, Whatsapp) are still safe to use, right?

2 Likes

No, not really.
The apps use and rely on system components which currently aren’t up-to-date.
E.g. most apps use the system’s certificate storage. There are many certificates missing or outdated. Your HTTPS/TLS connections might not be as secure as they could be.

Other apps such as Firefox don’t rely on system components for handling your data.

2 Likes

Do those apps really rely on system components? I don’t think that Google 2017 (latest Chrome) trusts Google 2013 (Jelly Bean). ;) WhatsApp claims to be end-to-end encrypted, which means it does not depend on HTTPS.

Other apps, that rely on Webview (e.g. the preinstalled Browser) are insecure and should not be used. See our forum entry: #securitytips

PS: In case anybody is wondering: You can use tags and link to categories, by simply typing “#”, then start to type a word and finally select the category or tag from the list. :)

4 Likes

Webview is insecure, of course.

But the system’s TLS stack is not the best, either.
( https://www.ssllabs.com/ssltest/viewMyClient.html )

You could compare this between Chrome and the Android browser. (Firefox uses its own TLS stack.)

End-to-end encrypted apps shouldn’t be impacted unless there are major flaws in the used libraries.

1 Like

Beginning with Android 5.0, Webview is updated via the Play Store. (I think that was introduced because device manufacturers are notoriously slow and lazy with updates, and insecure Webview versions are a big security hole.) That means this is not the case for the Fairphone 1; here the device manufacturer is responsible for Webview updates.

[quote=“Stefan, post:114, topic:23037, full:true”]
Do those apps really rely on system components? I don’t think that Google 2017 (latest Chrome) trusts Google 2013 (Jelly Bean). ;)[/quote]
According to https://www.chromium.org/Home/chromium-security/root-ca-policy, Chrome uses the system’s certificate store to check whether a root certificate is valid, but maintains a list of no longer trusted root certificates in the browser itself. That works well for the browser, but other apps will still make use of the system’s certificate store. On phones of 2011 and earlier (very old, I know, but the only example I can think of right now) this certificate store could for instance still contain the compromised DigiNotar root CA.

2 Likes
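The two-layer check described in the post above (the system store says whether a root is known, an app-maintained list says whether it is still trusted), as an added example that is not part of the thread. It assumes a store directory holding one PEM file per root, optionally followed by a text dump, as under `/system/etc/security/cacerts`; all function names are hypothetical and the sample "certificates" are constructed placeholder bytes, not real CA data.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)

def fingerprints(pem_text):
    """SHA-256 fingerprints (hex) of the DER body of every PEM block found."""
    return [
        hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
        for body in PEM_RE.findall(pem_text)
    ]

def audit_store(store_dir, distrusted):
    """Return {file name: fingerprint} for store entries on the distrust list."""
    flagged = {}
    for path in sorted(Path(store_dir).iterdir()):
        for fp in fingerprints(path.read_text(errors="replace")):
            if fp in distrusted:
                flagged[path.name] = fp
    return flagged

def is_trusted(root_fp, system_store, distrusted):
    """App-side decision: known to the system store AND not on the app's list."""
    return root_fp in system_store and root_fp not in distrusted

def wrap_pem(der):
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

def demo():
    # Constructed sample: placeholder bytes stand in for DER certificates.
    good = b"constructed-root-A"
    revoked = b"constructed-root-B (stands in for a compromised CA)"
    distrusted = {hashlib.sha256(revoked).hexdigest()}
    with tempfile.TemporaryDirectory() as d:
        Path(d, "aaaa0000.0").write_text(wrap_pem(good) + "Certificate:\n  dump\n")
        Path(d, "bbbb1111.0").write_text(wrap_pem(revoked))
        flagged = audit_store(d, distrusted)
        store = {fp for p in Path(d).iterdir() for fp in fingerprints(p.read_text())}
    return flagged, store, distrusted

if __name__ == "__main__":
    flagged, store, distrusted = demo()
    print("distrusted roots still present in store:", flagged)
```

Calling `is_trusted` with an empty distrust list models an app that relies on the system store alone: the stale root is accepted.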

Yup, Webview. My bank’s online banking app is basically just a wrapper for a specially crafted mobile webpage on their servers. Since it’s hardly 500kB, I don’t think they have implemented their own rendering engine - I’m 99% positive that it uses the system’s Webview component.

This is why I’m not using that app - who knows if there is some old DigiNotar-crafted SSL certificate floating around that validates the bank’s webserver domain for that app’s functions, and phishes my login data?

Of course, things like these can’t be entirely prevented, but with year-long known security issues still not fixed on our FP1s… And the problem is: Many users may not even know about this. What I get from many not-so-tech-savvy users is that they know: “Well, I should do those OTA system updates some time when the phone presents them to me”, but that’s it. They don’t know that an outdated OS implies more and more risk of becoming a victim of attacks - it’s “I only use a few trustworthy [in terms of ‘no fuckups known so far’] apps and the integrated browser”, and that’s perfectly okay. That should be a safe way to use your phone. But with an outdated OS, it isn’t. Outdated Webview alone is a vector for so many possible drive-by attacks…