Timely Rollout of Google Security Patches

Or a matter of money. Or both.

2 Likes

I guess the biggest problem is that there is no official statement on the Fairphone homepage (or shop page) and one has to contact support to get to know that currently the schedule is quarterly.

And I don’t think the size or money argument really counts if you look at the interval the company was able to support with the FP2: https://code.fairphone.com/projects/fairphone-2-official-releases.html (monthly with few exceptions for 2.5 years between 2016 and 2018; and then came the no longer supported by Qualcomm Android 7, which is something I can understand).
Again: I think it would already help a lot to just know why that is (seems?) no longer possible (COVID-19, work on Android 9 for the FP2 e.g. would be an understandable reason IMHO).

5 Likes

For those who do not care about fair electronics but about timely security updates, this is everything else but a sales argument for a Fairphone.

2 Likes

I am pretty sure that e.g. Samsung sells the total amount of phones that Fairphone has sold so far in a couple of hours (just my guess). So yes, they have the manpower and the money, it’s not a big issue for them. And if they encounter a lack of competency somewhere, they simply hire some more experts. For big companies being active in a broad range of areas, not caring too much about social or ethical standards or even sustainability, this is all pretty easily done.

Apart from that I fully agree with @Ingo: The problem here is probably more a lack of transparency in the end.

One last personal annotation (then I’m done with my sermon :wink: ): If I have to choose between an unsustainable, unfairly produced, super designed, up-to-date, shiny and cheap throw-me-away-next-year phone with security updates always released the next day after Google has released them and a Fairphone, with some issues, some edges, some problems here and there, then I don’t have to stress my brain one single second, cause it’s so obvious for me. I am super thankful that we have at least a tiny counter balance against all these irresponsible companies.

1 Like

Because Samsung has been brought into the field: Their policies on when and how often to supply security updates differ between their model series:

That is why I have written about money: Models from the S series, for example, cost a lot more than those from the A series.

1 Like

Hi everyone,

To answer the concerns addressed above: Fairphone has a quarterly release roadmap; however, additional releases may occur in between as a result of partner-specific instances or in the case of emergency releases. For example, in the past 10 months, we have released a total of 10 software updates.

That said, a new release will be made available by tomorrow at the latest.

Regarding our communication about updates going forward: this is trickier to answer, as it is not always easy to tell if a delay might be a day, or a week, or more. But we are looking into how best to communicate this in the future, as well as how this might be done (be it an announcement in the forum or on the website, etc.). So for now, we are still investigating the “how”, but it is our plan to keep you in the loop going forward.

Best,
Rae

17 Likes

Hi Rae,
Thanks for this much clearer answer, this is what I was awaiting and would ask for the future :slightly_smiling_face:

2 Likes

Why couldn’t we have both?

I was happy to buy a FP3 knowing I will get security updates for 5 years and I stupidly thought they would be monthly until at least the phone is 2 years old.

Personally, this lack of updates implies it will be my last Fairphone if the situation stays like now. I am sad about it since I really believe in the goals Fairphone has.

1 Like

I am willing to accept that I probably was naive in thinking that “software support for five years” would mean “timely software support for five years”. If I interpret a quarterly release roadmap the right way this means I will get the up to date security patches every three months and be out of date in between? Or am I getting the statement wrong?

Edit: So in the end this wasn’t even a release delay because it wasn’t planned to deliver the security patches that are missing anyway? That would at least explain why no reason for any delay was given.

Edit 2: If this holds true I must say that I’m quite disillusioned from my own illusion now. ^^’

1 Like
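As an added check, not from any poster in this thread: a small script that takes the patch level string Android reports (via `adb shell getprop ro.build.version.security_patch`) and counts how many monthly bulletins the device is behind. The sample patch level, the reference date and the tolerated number of missed bulletins are constructed assumptions.

```python
from datetime import date

# Constructed sample: what `adb shell getprop ro.build.version.security_patch`
# returns on a device carrying the June 2020 bulletin (the level the thread
# says arrived at the end of July). Reference date is also constructed.
SAMPLE_PATCH_LEVEL = "2020-06-05"
SAMPLE_TODAY = date(2020, 7, 30)


def parse_patch_level(level: str) -> date:
    """Parse the YYYY-MM-DD patch level string Android exposes."""
    year, month, day = (int(part) for part in level.strip().split("-"))
    return date(year, month, day)


def bulletins_behind(level: str, today: date) -> int:
    """Monthly Android security bulletins published after the device's
    patch level (bulletins are dated the first of each month)."""
    patched = parse_patch_level(level)
    return (today.year - patched.year) * 12 + (today.month - patched.month)


def patch_age_days(level: str, today: date) -> int:
    """Calendar days since the patch level the device reports."""
    return (today - parse_patch_level(level)).days


def assess(level: str, today: date, max_bulletins: int = 1) -> dict:
    """Summarise staleness. max_bulletins is an assumed policy value:
    how many missed bulletins are tolerated before flagging the device."""
    behind = bulletins_behind(level, today)
    return {
        "patch_level": level,
        "age_days": patch_age_days(level, today),
        "bulletins_behind": behind,
        "stale": behind > max_bulletins,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_PATCH_LEVEL, SAMPLE_TODAY))
    # A quarterly cadence means up to three bulletins are missed at the
    # worst point of the cycle (constructed April level as illustration):
    print(assess("2020-04-05", SAMPLE_TODAY))
```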

So, “Keeping your data safe with /e/OS” should have been “Keeping your data safe and getting more timely security updates with /e/OS” :wink: .

2 Likes

We should keep in mind that /e/ OS is not from Fairphone. It cannot be “the” solution for everyone who wants monthly security updates for the FP3 to install /e/ OS, which, in my eyes, is a lifetime beta without any official support from Fairphone. And beta instances should not be recommended for use by average users. If Fairphone thinks that is the way to go, I will not advise my mother-in-law, age 71, to buy a FP3.

Thanks for the more detailed answer and for sharing at least some details about what is going on internally at Fairphone. Looking forward to installing the new software which will hopefully contain the July patches, then.

Have a nice evening,
Thomas

1 Like

Hello @formerFP.Com.Manager,

Thank you for your detailed response. I really look forward to updating my phone today :slight_smile:

Thank you also that Fairphone is considering better communication about updates. Could you keep us in the loop on this subject?

Greetings,
JuengerJesu

Hi @formerFP.Com.Manager, everyone,

I’m a software developer and security professional (Red Team mostly). So, I’m aware of both how development cycles and project management methodologies work as well as exactly why maintaining a security release calendar is crucial. It is nothing like adding new features, because the bad guys aren’t going to wait around for your next sprint.

The thing is that the monthly security releases from Google almost always close vulnerabilities which have CVSS ratings from medium to high. That’s pretty important, and I was proud that I could talk up my Essential PH1 to my boss since it often got the monthly update before his Pixel would.

Now I have a bit of a problem: as long as this situation continues, I have to hide the fact that I bought a Fairphone from him. Admittedly posting on a public forum under my own name is not very stealthy, but he would have found the situation anyway.

Anyhow, I hope that the situation can be corrected, so I don’t have to give up my FP3.

7 Likes

Hi @teezeh,

This update contains the June 2020 Update.

Greetings,
JuengerJesu

1 Like

Yes. Which is kind of disappointing, since it is almost August. But better than April, of course …

1 Like

@teezeh, @JuengerJesu, how do we get this June update?

UPDATE: I tried again and the June update is available now!

2 Likes

So thank you @formerFP.Com.Manager and your contacts in Engineering. This is an improvement!

I’m not defending that timely updates shouldn’t be a priority, but it is true that many of the security vulnerabilities discovered are theoretical or need physical access or super-user permissions on a device. A recent example is the “BootHole” vulnerability on SecureBoot devices, which looks pretty dangerous (and it is); however:

The severity of the vulnerability, however, is offset by a few things. First, the attacker must have either administrative rights over the computer or physical access to the machine. Administrator-level control is increasingly hard to gain on modern OSes because of major advances they’ve made to block exploits. Physical access may be easier during border crossings or similar moments when a user briefly loses physical possession of a computer. But the requirement is steep in most other scenarios, making it unlikely many users are affected. What’s more, physical possession greatly restricts the scalability of attacks.

source

This is the kind of news that you should really worry about if you are someone like @Mark_Jaroski, but it will hardly be noticed by the general public (there’s a fix already, by the way).

There are other issues that Google may not be able to fix but that still can affect you, like the recently discovered BadPower vulnerability that targets fast charging devices and could set your phone on fire (and this is why you should always buy from official stores). It would be nice to know if Fairphone is affected by this, by the way.

Again, I’m not saying that it’s ok to go for months without security updates. Just noticed this thread has gained a lot of attention and some comments seem paranoid to the verge of desperation about it.

My point is, even if there are security vulnerabilities (and they should be fixed as soon as possible), it is not always feasible for an attacker to carry them out, either because each case is unique and takes time to figure out (during which a fix may come out) or because the attack exists only in very specific environments or requires permissions that would already put your device in a bad place anyway, etc.

Once more: I’m not saying that security updates should be optional or that “this will never happen to you so it’s fine if you don’t update your device”. Just trying to bring some light to those who seem really worried about it.

5 Likes

Updates are important. It’s not 2013 anymore, when Fairphone still had excuses not to bring updates. The smartphone is now the outsourced brain where life management takes place.

5 Likes