I’m waiting for the KitKat update. My FP1 first edition has Android 4.2.2 and I’m not able to use the apps for home banking and my insurance because of its low security. Please! My smartphone works well; I don’t want to change it.
There are now a number of things that don’t work on my wife’s FP1 including being able to buy train and bus tickets because it is so long since the last update. Can anyone say for sure that this update will happen or is it time to give up waiting and (reluctantly) get a new phone?
FP1 Kit Kat Update: 29 March 2017
New update added to the first post.
Indeed, the most depressing aspect of the Fairphone saga so far is their overall failure to deliver on the longevity promise. The lack of firmware updates isn’t even the worst part of it. The biggest problem for many is the almost complete unavailability of spare parts for the Fairphone 1, and now I have observed that even for the Fairphone 2 you should not take for granted that you are able to order a new display if you need one. The last I heard of someone who had ordered a new display was that sales informed him they might be able to ship it after 2 months. The lesson I take away from this is that my next “new” phone is going to be a used Samsung device, because I know that spare parts and custom ROMs will be available for a long time to come.
Looking forward to its release!
[…] we can free up some of our limited time and resources to focus on other projects… like working on software updates for the Fairphone 1. We can’t yet give you a timeline for when Android 4.4.4 will be available, but we want you to know that we’re still pursuing it.
I’m also eagerly awaiting this update… But just to be clear about the current safety of the phone: apps that still update on this Android version (e.g. Chrome, Twitter, WhatsApp) are still safe to use, right?
No, not really.
The apps use and rely on system components which currently aren’t up-to-date.
Eg. most apps use the system’s certificate storage. There are many certificates missing or outdated. Your HTTPS/TLS connections might not be as secure as they could be.
Other apps such as Firefox don’t rely on system components for handling your data.
Do those apps really rely on system components? I don’t think that Google 2017 (latest Chrome) trusts Google 2013 (Jelly Bean). WhatsApp claims to be end-to-end encrypted, which means it does not depend on HTTPS.
Other apps, that rely on Webview (e.g. the preinstalled Browser) are insecure and should not be used. See our forum entry: #securitytips
PS: In case anybody is wondering: You can use tags and link to categories, by simply typing “#”, then start to type a word and finally select the category or tag from the list.
Webview is insecure, of course.
But the system’s TLS stack is not the best, either.
( https://www.ssllabs.com/ssltest/viewMyClient.html )
You could compare this between Chrome and the Android browser. (Firefox uses its own TLS stack.)
End-to-end encrypted apps shouldn’t be impacted unless there are major flaws in the libraries used.
Beginning with Android 5.0, Webview is updated via the Play Store. (I think that was introduced because device manufacturers are notoriously slow and lazy with updates, insecure Webview versions are a big security hole.) That means this is not the case for the Fairphone 1, here the device manufacturer is responsible for Webview updates.
[quote=“Stefan, post:114, topic:23037, full:true”]
Do those apps really rely on system components? I don’t think that Google 2017 (latest Chrome) trusts Google 2013 (Jelly Bean). ;)[/quote]
According to https://www.chromium.org/Home/chromium-security/root-ca-policy, Chrome uses the system’s certificate store to check whether a root certificate is valid, but maintains a list of no longer trusted root certificates in the browser itself. That works well for the browser, but other apps will still make use of the system’s certificate store. On phones of 2011 and earlier (very old, I know, but the only example I can think of right now) this certificate store could for instance still contain the compromised DigiNotar root CA.
Yup, Webview. My bank’s online banking app is basically just a wrapper for a specially crafted mobile webpage on their servers. Since it’s hardly 500kB, I don’t think they have implemented their own rendering engine - I’m 99% positive that it uses the system’s Webview component.
This is why I’m not using that app - who knows if there is some old DigiNotar-crafted SSL certificate floating around that validates the bank’s webserver domain for that app’s functions, and phishes my login data?
Of course, things like these can’t be entirely prevented, but with year-long known security issues still not fixed on our FP1s… And the problem is: Many users may not even know about this. What I get from many not-so-tech-savvy users is that they know: “Well, I should do those OTA system updates some time when the phone presents them to me”, but that’s it. They don’t know that an outdated OS implies more and more risk of becoming a victim of attacks - it’s “I only use a few trustworthy [in terms of ‘no fuckups known so far’] apps and the integrated browser”, and that’s perfectly okay. That should be a safe way to use your phone. But with an outdated OS, it isn’t. Outdated Webview alone is a vector for so many possible drive-by attacks…
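Added example, not part of the original thread and not Chrome's code: it models the difference described in the post above between a client that layers its own distrust list over the system certificate store and an app that relies on the store alone. The file names, certificate bytes and blocklist are constructed placeholders; on a device, the directory passed to `load_store` would be the system CA directory.

```python
import base64, hashlib, re, tempfile
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(path):
    """SHA-256 of every DER certificate found in one store file.
    Store files may carry a text dump after the PEM block, so search for it."""
    text = Path(path).read_text(errors="replace")
    return [hashlib.sha256(base64.b64decode("".join(b.split()))).hexdigest()
            for b in PEM_RE.findall(text)]

def load_store(store_dir):
    """Map fingerprint -> file name for every root in the directory."""
    store = {}
    for f in sorted(p for p in Path(store_dir).iterdir() if p.is_file()):
        for fp in fingerprints(f):
            store[fp] = f.name
    return store

def accepted_roots(store, app_blocklist=frozenset()):
    """Roots a client accepts: in the system store and not distrusted by the app."""
    return {fp for fp in store if fp not in app_blocklist}

def exposure(store, app_blocklist):
    """Files holding roots that a blocklist-carrying client rejects but a
    system-store-only app still accepts."""
    gap = accepted_roots(store) - accepted_roots(store, app_blocklist)
    return sorted(store[fp] for fp in gap)

def write_sample_store(store_dir):
    """Constructed sample: placeholder bytes, not real certificates."""
    roots = {"aaaa0001.0": b"constructed-root-still-valid",
             "bbbb0002.0": b"constructed-root-later-distrusted"}
    for name, der in roots.items():
        pem = ("-----BEGIN CERTIFICATE-----\n"
               + base64.encodebytes(der).decode()
               + "-----END CERTIFICATE-----\nCertificate:\n    Data: (text dump)\n")
        Path(store_dir, name).write_text(pem)
    return {hashlib.sha256(roots["bbbb0002.0"]).hexdigest()}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        blocklist = write_sample_store(d)
        print("trusted only by system-store apps:", exposure(load_store(d), blocklist))
```

Any file name returned by `exposure` is a root that stays trusted for every app without its own distrust list until the system store itself is updated.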
Wow. Didn’t expect news on the FP1 update anymore. Highly frustrating to receive newsletters about FP2 updates meanwhile. I am already looking for a new non-FP phone now, as the FP2 will likely run into the same problems. I’m done with the project, really. I feel very sad about that as I loved and still love the concept. But: I need a working and (more or less) secure phone. Mehhh
Indeed, it’s highly unlikely that FP2 will run into the same problems in the same time frame. Android 6 will come shortly (as the newsletter said) and it will receive security updates as long as Google provides them. What makes FP1 insecure is the lack of security patches because Google stopped releasing them for Jelly Bean. To date there are still security patches being released for KitKat so security patches for Marshmallow should be available for years to come.
I am exactly in the same situation. This is sad but I think that I can understand the reasons behind it. I mean, there is no such thing as a free lunch. And Technical Support of any kind does consume a lot of resources in the tech world. Fairphone is an ambitious project but cannot compete in every aspect.
Have you ever thought of making a special offer targeted for F1 fairphone users?
Nevertheless I feel proud of having supported the Fairphone project and I still think Fairphone is an inspiring project. Don’t give up!
My FP1 can no longer support the apps I need. Another update on the update please! Is KitKat coming soon? I’m willing to wait another month or so but otherwise I need to buy a new phone.
You’re losing customers Fairphone…
Unfortunately the same applies to me. I’ve waited long enough as it is, and more and more apps are not or no longer compatible. The FP1 went to my wife (only for use as phone and some apps like WhatsApp, but no banking or other security risky apps).
And against my own wishes I now have a not-so-fair-but-fully-working phone
Sorry guys, but I’ve left Fairphone users now… I’m very sad because I used to believe in the spirit of Fairphone. My FP1 running “so-so” under 4.4 (rooted) and no perspective for 4 months (or more), I don’t believe in Fairphone 1… And I’ve seen that FP2 is under Android 6.0 Oo
Thanks for all these years, and good luck
I totally agree with the comments about the Android version for the FP1, but what is wrong with Android 6.0 for the FP2? If you are concerned about the version of Android, maybe you should think for yourself about whether the FP philosophy really applies to you. By design it is never the newest hardware or software (because of the lack of support from the hardware manufacturers).