Official security report from Fairphone? (TLS 1.2)

Hi everyone,

I believe that Fairphone owes, at least, everyone who bought an FP1 an explanation in an official blog post of:

A) What the security lacks are of Android 4.2 and FP OS, such as TLS 1.2 on apps etc.?
B) What Fairphone have done and are doing to solve these issues until 2016?

I’m disappointed, to say the least, that a new phone I bought in October '13 is, in December '13, unsafe to use.

Fairphone needs to convince us all that we haven’t bought a DumbPhone, and that we, their supporters and customers, will be treated fairly; if not, what’s the point?

Maybe the way out is to take back the phones and change the chipset to an open chipset for a small additional fee. Then Fairphone’s reputation would be restored to some point.

I hope you’ll find a solution…

3 Likes

While I would like to see a blog post on the OS, I am surprised that you opened a new topic. There are plenty of threads which discuss the matter, and there is even one which discusses an existing CyanogenMod 11 ROM for the Fairphone. You could head over there and discuss with people in those threads?

You surely must be joking, Mr. Feynman?

You do realise that you have purchased a highly elaborate pocket computer based on a System-on-a-Chip, in which the main functions of the whole computer are integrated? The peripherals, as e.g. the camera, are tuned to the chip, and vice versa. You can’t just expect to replace a main processor. Not with that level of integration, I am afraid.

I think Fairphone’s approach is documented in this blog post

I don’t believe Google’s decision to stop supporting anything less than 4.4 causes this to change. Fairphone will still support 4.2.2, all it means is that they won’t get official support from Google. They will still develop security fixes with the hardware/software vendor.

Given the small proportion of devices on Lollipop (v5) which has many bugs (so we should be glad not to be on that one right now!!), and the small (but rising) proportion of devices on KitKat, we’re not the only ones that are in this situation. I think last time I saw the device distribution by OS stats the most prominent version was Jellybean and versions below 4.4 accounted for over half the Android market.

In short, I don’t think there is anything to be immediately worried about.

4 Likes

Think again! The security of 4.2 is undermined today. MediaTek does not allow us to update to 4.4+ today. The chance of getting 4.4 on our Fairphone in the future is very doubtful also.

1 Like

I do appreciate what you’re saying but the average user is not necessarily going to come into contact with any of these issues. That’s why I say it’s not something to be immediately worried by. There are vulnerabilities in all software, a lot of the time we just don’t know that yet :wink:

1 Like

Hi,

In this specific case it is not even the closed chipset that is causing much harm but the lack of upstream patches.

2 Likes

Hi Chris,
It was February when you wrote this…
But at the moment, I cannot use websites any more because they only allow TLS 1.2 with the proper cipher suites. It is difficult to promote FP at my institute while I cannot read our own intranet.
Is there any way to get 4.2.2 up-to-date again? Or should I just throw it away?

The only official news there is on this score is in this blog post: https://www.fairphone.com/2015/09/16/long-term-software-support-fairphone-1/

But I should add that at the moment as we are nearing the launch of FP2, they are putting their resources into finalizing that device/software. So any updates they want to make won’t be immediate.

Maybe @Keesj can offer further insight for you

Thanks! Good to see that you took initiative to get out of the dependency. Hope it is not too difficult to add TLS 1.2 support. Since 4.2 uses OpenSSL, it might be possible.
Or is it just a matter of enabling something that is there already? (read something like that but don’t know enough about it http://dotnetdevaddict.co.za/journal/enabling-tls-v1-2-on-android-4-2#.VjIPCmshMm8 )

1 Like

Isn’t that more dependent on the client that you’re using, than it is on the operating system? You’re right that it doesn’t work on the built-in browser* (well, if I test it via https://www.howsmyssl.com and look under version), but it works for me under Firefox for mobile.

* which admittedly is annoying

2 Likes

I can fully confirm this behaviour on my FP1, trying with the built-in browser (TLS 1.0 = BAD) and recent Firefox Mobile (TLS 1.2 = GOOD).

Edit: @Pipeh: Can you also confirm a solution for your problem by using a different browser and checking the link with it?
If yes, it would be appropriate to post a final clearing comment, add a short remark in the title of the thread and to close the topic, wouldn’t it?

Also PaleMoon is considered good :smile:

I thought the same thing… If TLS 1.2 is only ‘disabled by default’, as the link that I found says, it can be enabled by any software as well.
But why didn’t Chris just tell this? Maybe the whole technical discussion on Android 4.4 and other OSes overshadows the basic end-user need of simply ‘being able to use a web site’… (I’m both an IT guy and a simple end-user, so I understand and don’t judge anyone).
Thanks for the hint, I’ll install a better browser.

1 Like

I hasten to add, I’m not an employee of Fairphone :slight_smile: and TLS is not something I know about specifically. I was just providing info that was already available.

Hi,

Android 4.2, which is running on your Fairphone, includes the old Google browser. This browser is no longer supported by Google and there are known bugs and security issues in this software. So you should never ever use it. Fairphone can’t (and should not waste energy by trying to) fix all the issues with this browser.

Google only supports its Chrome browser anymore and it is the default browser in Android versions > 4.4. All their support goes to this browser.

I hope with further updates of the Fairphone OS they will update to an Android version > 4.4 or integrate Chrome in the older version, because this browser is a security issue. If you want to know more about this you might find some information here.

As long as Fairphone hasn’t found a solution for this problem you should use a browser with its own engine like Firefox, Chrome or Opera and none that is using WebView (embedded standard browser) like Dolphin (without Jetpack) or Link Bubble Browser.

regards,
Shiny

4 Likes