Where are the monthly security releases in Open OS?

security

#1

Browsing around the Android security bulletins (Settings -> About Phone -> Android security patch level) is rather alarming. The “patch level” of my phone is currently “December 1, 2018”, as I am running version 7.1.2 (19.02.1 flashed last Friday with those instructions). Among the issues affecting the most recent release available are:

  • the infamous PNG hack which gives attackers remote code execution if they can convince any of your apps to view a simple PNG file
  • more remote code execution through Bluetooth or the serial port
  • numerous Linux kernel security flaws

Regarding the last part, I am especially disappointed and concerned to see I run a Linux 3.4.0 kernel. That version was released in May 2012 and has been EOL’d since October 2016 with the release of 3.4.113. Fairphone OS doesn’t seem to have followed any of those stable updates. The oldest still supported LTS release of the 3.x series is 3.16, which was released in 2014. The last update of that series was with 3.16.63 in February 2019. Fairphone could have ported to that mainline kernel even before the FP2 was released in 2015 and would still have a stable kernel to port things against. This is the kernel used by Debian LTS “jessie” and it’s not going anywhere.

I was comparing phones with a friend recently: he has some old no-name Samsung phone running Android 4.4 (KitKat, released in 2013). We laughed and sighed about the Android security disaster… until we looked at the Linux kernel running on the thing. It turns out it was running a Linux … you guessed it… 3.4.0 kernel. That phone has been unsupported by Google itself since 2017, and is a used phone: it’s somewhat expected (even if it’s really bad!) that it’s unsupported…

… but the Fairphone 2 is still shipping now and with a hefty price tag to match. It would be great if FP could live up to its name and provide proper security support for their products. I was deeply impressed by how the FP comes with a proper bootloader and recovery, and how easy it was to flash a non-Google, freer system. That’s great. But it’s somewhat shadowed by the poor state of the updates of that actual software.

What’s the plan to fix the Linux kernel in Fairphone OS? Is that just a problem in FP Open or does that also affect the core OS?

Will there be updates for the January and February security bulletins? When should we expect those?

I’m an experienced security engineer, can I help test patches in a beta channel of some sort?

Thanks!
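A quick staleness check of the kind described in the post above, written as an added example (not code from the forum post or from Fairphone): it takes what the device reports via `uname -r` and the `ro.build.version.security_patch` property (the "Android security patch level" shown in Settings) and flags an EOL kernel series and a patch level that lags the reference date. The EOL table holds only the two kernel series and dates quoted in the post and is a constructed, incomplete list.

```python
"""Stale-update check for an Android build (added example, not from the post).
Inputs are the strings a device reports: `uname -r` and the
ro.build.version.security_patch property (YYYY-MM-DD)."""
import re
from datetime import date

# Constructed table of the two LTS series discussed in the thread:
# series -> (final release, month it went EOL). Not a full kernel.org history.
LTS_EOL = {
    (3, 4): ((3, 4, 113), date(2016, 10, 1)),
    (3, 16): ((3, 16, 63), date(2019, 2, 1)),
}


def parse_kernel_version(uname_r):
    """'3.4.0-perf-g1a2b3c4' -> (3, 4, 0); vendor suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", uname_r)
    if not m:
        raise ValueError(f"unrecognised kernel version: {uname_r!r}")
    return tuple(int(g or 0) for g in m.groups())


def parse_iso_date(text):
    """Android's security_patch property and our reference date are YYYY-MM-DD."""
    return date(*(int(x) for x in text.split("-")))


def months_behind(patch_level, today):
    """Whole months between the patch level and the reference date."""
    return (today.year - patch_level.year) * 12 + (today.month - patch_level.month)


def audit(uname_r, patch_level, today_iso):
    """Summarise kernel and patch-level staleness as a dict of findings."""
    today = parse_iso_date(today_iso)
    ver = parse_kernel_version(uname_r)
    final, eol = LTS_EOL.get(ver[:2], (None, None))
    return {
        "kernel": ver,
        "kernel_series_known": final is not None,
        "kernel_eol": final is not None and today >= eol,
        "kernel_missed_stable_fixes": final is not None and ver < final,
        "patch_level_months_behind": months_behind(parse_iso_date(patch_level), today),
    }


if __name__ == "__main__":
    # Constructed input matching the numbers quoted in the post.
    print(audit("3.4.0-perf-g1a2b3c4", "2018-12-01", "2019-02-25"))
```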


#2

First: this is a community forum. FP employees are found here at times but most answers you get will be from the community.

Fairphone in the past often implemented patch levels partially; you can see this in the changelog. The reason was usually that a few parts of that patch level still depended on a fix from Qualcomm. At the moment, support from Qualcomm for newer Androids on the Snapdragon 801 seems to be very limited, and I think this is the answer to most of your questions; it also explains why Fairphone recently hesitated to make any promises on release dates of updates. The last public announcement was probably this one: https://www.fairphone.com/en/2019/01/23/whats-next-for-android-7-on-fairphone-2/

Apart from this, I hope one of the software engineers is browsing the forum, but the best way to reach them is probably by filing a bug on the bug tracker in case you encounter any serious security issue in the FP2 software. With your experience you should be able to write a clear explanation of the problems, e.g. how to exploit.


#3

Understood, I’ve filed this bug report.

https://bugtracker.fairphone.com/project/fairphone-android-7/issue/209

But honestly, this is all stuff the FP staff should know about. They can’t have it both ways: either the community can participate in the development process and they get to not have to do all the job themselves, or they open the source code fully and allow patches from the community, in which case we’d be able to fix this ourselves.

I’d be really worried if the people responsible for Android updates at FP are not looking at those security bulletins, which is why I didn’t believe a bug report was the right approach. :slight_smile:

But thanks for the suggestion!


#4

Some insight from the maintainer of TWRP on the Fairphone 2 …


#5

Yeah, I guess I had forgotten about the “Android problem” somehow, I don’t know how. :slight_smile: I’m just surprised those SoCs are stuck on such old kernels. But it’s really common on hardware, according to other people I talked with, so that’s not only not specific to Saibon, it’s not even specific to the Fairphone project as a whole, or even Linux/Android phones: routers, IoT devices, it’s a mess everywhere…

So: sorry for picking on the kernel part of things, I guess the basic question is when those security bulletins will be factored in… :slight_smile:


#6

As for the kernel, that situation was worse in the past and might improve with future phones. Won’t help for the FP2, though.


#7

I believe so: Call for Beta Testers - Be the first to test a new update! :slight_smile: