Software update: FP4.FP4G.A.170.20220920

Someone would have to check the security bulletins for CVEs Fairphones are affected by:
https://source.android.com/docs/security/bulletin

But I’d argue, even if we aren’t directly affected by a chipset flaw, the Android security updates are missing for those running stock as well. Skipping security updates shouldn’t happen, what if we are the lucky ones next time …

2 Likes

If severity “high” and “critical” mean anything to you? Because that’s how many security fixes are categorized. Also the Dutch NCSC (cyber defense) explicitly lists these Android updates with great detail on their importance. It’s just common sense and the minimum we can expect from a smartphone vendor to provide these updates timely.

2 Likes

What is adding to security concerns, as far as I have learnt, is that about Android security updates, Google/Android informs the OEMs (vendors) of their ecoverse about these monthly bugs and incidents even one month prior to the actual releases; that’s how security updates and fixes get rolled out. I think we even had one situation last year (on FP3 level) later in the year that Fairphone 3 released a monthly security release at the end of that then-current month with the security release (date of the patch) being in the next month, if I remember that properly. That was a little surprise back then. I would be glad to receive monthly and prompt security updates, maybe no need to rush updates such as back then, but many days, weeks or even months, and no updates at all. And this in your flagship product. But I also do care for FP3 and FP2 product the same.

And today, we hear about serious Bluetooth exploits and more. ;/

2 Likes

@formerFP.Com.Manager has just posted an update here: FP4 Security Updates need to be more frequent - #42 by rae

3 Likes

You knew your company doesn’t accept a too long delay to apply security updates, then why did you buy this phone? You were even warned about it by some people. A bit easy to complain about things you knew…
And if you didn’t trust us, it seems you hadn’t done your homework since the situation you experienced is the same that happened with the FP2 and the FP3. For the latter model you could have seen it here.

You say many interesting things and are often right but you also seem biased when it is about this forum. Unlike what you say, people here say this phone doesn’t fit everybody. This is the only place I often read people asking if they should use a Fairphone and receive the answer NO for their special case.

4 Likes

Uh… Where was this ever stated to be a caveat of the Fairphone? I don’t use my phone for work, but the current 3 month delay is a first for me. And I’ve had it since January.

4 Likes

How can you talk about Snowden to justify how important security updates are? If a state wants to spy on you, it will always find a way. Do you remember Pegasus software? Are you seriously saying only phones without security updates were concerned?

As much as everyone can complain about something, it is too easy to reject the blame on somebody else when you got advice and didn’t listen to it, or you should have been careful about one point, security, to fit your company requirements. That’s what I point out, since I and some more people told him before he bought an FP4 it was not a phone for him.

For the rest, it is obvious monthly security updates are better than quarterly.

3 Likes

But the updates currently aren’t monthly?

As to the rest of what you wrote, I wasn’t there when that discussion took place nor am I planning on looking it up.

1 Like

You could just look here, e.g., to see it hardly ever was monthly, and when you check the forum for FP2 updates it is the same picture, so overall a known issue that could have been spotted easily.

You’re right. Fairphone is the best. Security updates don’t matter. If you have nothing to hide you have nothing to fear from script kiddies to more advanced hackers. They always first check how happy you are with your phone and if you’re only more than 3 months behind with updates. Only then they will exploit your software and do whatever they please with your information. Everyone knows this is a gentleman’s agreement in the hackers community. FP, keep it up! Nothing to see here, nothing will and can go wrong.

The advice was to not buy the phone because of bad software support? It’s the opposite, FP attempts to be different and give longer software support. Sure, it usually lags a month behind. That was known. But 3 months certainly is unique.

But FP responded with a reasonable answer, much more reasonable than anything that has been said to defend it. So for me it’s settled. It still amazes me how people just don’t see the point of timely updates.

4 Likes

I think this discussion needs some breath. Mods, if you disagree, re-do please.

1 Like

The app SnoopSnitch should be able to check for affected flaws AFAIK.

Fails with:

There are currently no tests available for your device. We are continuously working on adding more, hence you should try again soon.

According to the docs, the only Fairphone supported is the FP2.

1 Like

Good one. Not sure if it’s super reliable, may have to check how well it does these CVE checks. My old unpatched Pixel 3 should light up as a Christmas tree. But I suppose it’s better than no check. Slight PTSD response though, had to use that app for a project at university as well. :nerd_face:

Maybe that’s for the IMSI catcher features? Patch level check works fine here. Vanilla FP OS.

Didn’t check it on stock after it failed instantly / I read the docs :see_no_evil:
Apparently doesn’t work on CalyxOS for some reason :man_shrugging:

So, what are the results?

All green, except for this one from 2020: 4e9aefd2167cffd745d92abe4c7ce3b2bdbd91ff - platform/packages/apps/Bluetooth - Git at Google

I have to check how reliable these checks are. Maybe it’s lazy checking. It’s also hard to know if patches are backported, or maybe some parts disabled which negates the vulnerability. Can’t tell at this point. Need to read the docs or code for that. No time for that for now though.

Ah, quick glance. It doesn’t check patch levels after 2022-08, while the patch level is 2022-09, so yeah :nerd_face: Not reliable. Also, 55 tests were inconclusive. It gives an idea, but not reliable to make concrete conclusions.

Edit: Pixel 3 test done. So if the app uses a current patch level to compare it with, it may show indeed useful warnings. But it’s basically a no-brainer that you’re exposed to known vulnerabilities if you don’t patch your phone in time.

6 Likes

Hmm, I have had Android 12 since the beginning of November, with e/OS/.

1 Like
