Security updates missing from Jan & Feb?

My newly gotten FP4 is showing security updates lagging nearly 3 months as of this writing.

This means I am exposed to several high severity unpatched vulnerabilities covered in this year's Android security bulletins (Android Security Bulletin—January 2022 | Android Open Source Project & Android Security Bulletin—February 2022 | Android Open Source Project)

10+ local and remote escalation-of-privilege vulnerabilities unfixed, which could mean getting your phone pwned by malware in several scenarios that should normally be prevented by Android, such as opening a malicious media file.

Is this normal? What has been the usual time between published security updates from FP? Other phones I’ve owned get them monthly quite soon after Google publishes the updates on their end.

Unfortunately, yes.

Official updates with the security fixes they contain are released at irregular intervals.
How long the intervals are is entirely up to FP.

That may be, but it is not the case here.

Even if this now becomes another endless discussion, which I assume, it will not change the fact. :wink:

2 Likes

Which devices did you own before and how long did they take to patch things? From what I’ve seen, Fairphone is usually 2 months behind. This isn’t great indeed. But it’s still better than most phones out there. I think high-end Samsung phones and OnePlus phones get updates in time and of course Pixel devices. Fairphone has a smaller team, it’s kind of unfair to compare them to those giants.

Just to give you a heads up, Qualcomm doesn’t support a SoC for 7 years. So those Qualcomm fixes you see won’t be available for Fairphones after a number of years. This might change, since the EU is pushing for higher standards. But I guess this won’t include the FP4. Then again, this is me, I’m not in the inner circle, aka Fairphone employee. Best is to just #contactsupport and relay these concerns you have. Please share their response here.

3 Likes

My last phone before the Fairphone was the Essential PH-1. They sometimes released patches a few hours before the same patches were available for the Pixel.

Samsung sometimes even beat the Pixel phones with the monthly updates :nerd_face: If you have a well automated pipeline with tests and make use of Project Treble, then I guess you can release faster while keeping quality high. But I don’t have a relevant background. If it was easy/cheap, I guess FP would’ve done it already.

1 Like