Browsing around the Android security bulletins (Settings -> About Phone -> Android security patch level) is rather alarming. The “patch level” of my phone is currently “December 1, 2018”, as I am running version 7.1.2 (19.02.1 flashed last Friday with those instructions). Among the issues affecting the most recent release available are:
- the infamous PNG hack which gives attackers remote code execution if they can convince any of your apps to view a simple PNG file
- more remote code execution through Bluetooth or the serial port
- numerous Linux kernel security flaws
Regarding the last part, I am especially disappointed and concerned to see I run a Linux 3.4.0 kernel. That version was released in May 2012 and has been EOL’d since October 2016 with the release of 3.4.113. Fairphone OS doesn’t seem to have followed any of those stable updates. The oldest still supported LTS release of the 3.x series is 3.16, which was released in 2014. The last update of that series was with 3.16.63 in February 2019. Fairphone could have ported to that mainline kernel even before the FP2 was released in 2015 and would still have a stable kernel to port things against. This is the kernel used by Debian LTS “jessie” and it’s not going anywhere.
I was comparing phones with a friend recently: he has some old no-name Samsung phone running Android 4.4 (KitKat, released in 2013). We laughed and sighed about the Android security disaster… until we looked at the Linux kernel running on the thing. It turns out it was running a Linux… you guessed it… 3.4.0 kernel. That phone has been unsupported by Google itself since 2017, and is a used phone: it’s somewhat expected (even if it’s really bad!) that it’s unsupported…
… but the Fairphone 2 is still shipping now and with a hefty price tag to match. It would be great if FP could live up to its name and provide proper security support for their products. I was deeply impressed by how the FP comes with a proper bootloader and recovery, and how easy it was to flash a non-Google, freer system. That’s great. But it’s somewhat shadowed by the poor state of the updates of that actual software.
What’s the plan to fix the Linux kernel in Fairphone OS? Is that just a problem in FP Open or does that also affect the core OS?
Will there be updates for the January and February security bulletins? When should we expect those?
I’m an experienced security engineer; can I help test patches in a beta channel of some sort?
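The staleness check described in the post, as an added example that is not part of the original post or of any Fairphone tooling: it takes the patch level and kernel release strings a device reports (`adb shell getprop ro.build.version.security_patch` and `adb shell uname -r`) and compares them against the kernel facts stated above. The sample values are constructed to match the post (patch level December 1, 2018, kernel 3.4.0); the vendor suffix in the kernel string is a placeholder.

```python
from datetime import date
import re

# Kernel facts taken from the post: the 3.4 series ended with 3.4.113 in
# October 2016; the last 3.16 update at the time of writing was 3.16.63.
LATEST_STABLE = {(3, 4): (3, 4, 113), (3, 16): (3, 16, 63)}
KERNEL_EOL = {(3, 4): date(2016, 10, 1)}

def parse_patch_level(value):
    """Parse ro.build.version.security_patch ("YYYY-MM-DD") into a date."""
    y, m, d = (int(part) for part in value.strip().split("-"))
    return date(y, m, d)

def parse_kernel_release(value):
    """Extract (major, minor, patch) from a `uname -r` string such as
    '3.4.0-perf-gXXXXXXX'; the vendor suffix after the version is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", value.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {value!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def audit(security_patch, kernel_release, today=None):
    """Report how stale the device's patch level and kernel are relative
    to `today` (defaults to the current date)."""
    today = today or date.today()
    patch = parse_patch_level(security_patch)
    kernel = parse_kernel_release(kernel_release)
    latest = LATEST_STABLE.get(kernel[:2])   # newest release of the same series
    eol = KERNEL_EOL.get(kernel[:2])
    behind = latest is not None and kernel < latest
    return {
        "patch_level": patch.isoformat(),
        "patch_age_days": (today - patch).days,
        "kernel": "%d.%d.%d" % kernel,
        "behind_stable": behind,
        "missed_stable_releases": latest[2] - kernel[2] if behind else 0,
        "kernel_eol": eol is not None and today >= eol,
    }

if __name__ == "__main__":
    # Constructed values matching the post; the date is the day of the audit.
    print(audit("2018-12-01", "3.4.0-perf-gXXXXXXX", today=date(2019, 2, 25)))
```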