Unfortunately, it's hard to make Fairphone secure. No separate secure element (so much easier to do brute force PIN attacks) and always lags in monthly security bulletin patches and major OS releases (remember that the monthly patches typically only address high/critical vulnerabilities, for the rest you need OS updates, QPRs, etc.).
Until Graphene works out the deal with the OEM that they are talking to, Pixel is pretty much the only secure phone that allows installing alternative firmware.
We're working with a major Android OEM and it's going well so far. It's still in an early phase where they've assigned a small amount of resources to it to determine everything which needs to be done and then make the case for a much larger investment of resources. We expect that to happen and for it to go well.
As someone else mentioned, GOS requires that the bootloader properly support relocking with a custom key. Additionally, GOS has a rule that any device supported must keep up with all security and quarterly patches in a timely manner, and none of the Fairphone devices do.
No secure element, no memory tagging support, no proper cellular baseband isolation, no verified boot, taking months to ship security updates .. the list is long.
From a security/privacy perspective the fairphone is on the worse side of options unfortunately.
> From a security/privacy perspective the fairphone is on the worse side of options unfortunately.
Compared to Pixel phones this is without a doubt true, but how does it compare against your average mid-range Android device? Do those typically have any of the features you mentioned?
I can't find the link, but a couple days ago, they said in a thread here it was due to their lack of support of some important security features, and remarked that it didn't look like they were even interested in supporting them.
As others have said they have some security concerns (I don't know enough about that stuff to know how justified or surmountable those concerns are). However with the big manufacturers all locking down their devices more than ever I wonder will they have much of a choice in the end. We're going to need a manufacturer (or preferably several) to actively stand behind the possibility to use custom ROMs, and at the moment Fairphone seem like the only one who might do that.
The curious thing is that being GrapheneOS open source, I would think that somebody could potentially create a ROM for them, even if it is not as secure as GrapheneOS would like. However, absolutely nobody has done it yet...
AXP.OS (axpos.org) is LineageOS-based (formerly DivestOS-based), but includes security backports from GrapheneOS and CalyxOS. No doubt it is less secure than GrapheneOS, but surely more secure than LineageOS, and supports bootloader relocking on some devices.
Unfortunately, it's hard to make Fairphone secure. No separate secure element (so much easier to do brute force PIN attacks) and always lags in monthly security bulletin patches and major OS releases (remember that the monthly patches typically only address high/critical vulnerabilities, for the rest you need OS updates, QPRs, etc.).
Until Graphene works out the deal with the OEM that they are talking to, Pixel is pretty much the only secure phone that allows installing alternative firmware.
Does that mean Graphene plans to support phones from other manufacturers than Google?
Yes, but they need to meet our official requirements:
https://grapheneos.org/faq#future-devices
We're working with a major Android OEM and it's going well so far. It's still in an early phase where they've assigned a small amount of resources to it to determine everything which needs to be done and then make the case for a much larger investment of resources. We expect that to happen and for it to go well.
Fingers crossed that's what it means and that it succeeds.
I'd likely buy that.
Do anyone know why GrapheneOS doesn't support fairphone?
As someone else mentioned, GOS requires that the bootloader properly support relocking with a custom key. Additionally, GOS has a rule that any device supported must keep up with all security and quarterly patches in a timely manner, and none of the Fairphone devices do.
No secure element, no memory tagging support, no proper cellular baseband isolation, no verified boot, taking months to ship security updates .. the list is long.
From a security/privacy perspective the fairphone is on the worse side of options unfortunately.
> From a security/privacy perspective the fairphone is on the worse side of options unfortunately.
Compared to Pixel phones this is without a doubt true, but how does it compare against your average mid-range Android device? Do those typically have any of the features you mentioned?
2 replies →
> no memory tagging support
That's not a security feature though... We established that. Fair enough on the other points.
8 replies →
I can't find the link, but a couple days ago, they said in a thread here it was due to their lack of support of some important security features, and remarked that it didn't look like they were even interested in supporting them.
You cant re-lock the bootloader with a custom key which grapheneos considers a cornerstone of their security model.
7 replies →
https://www.androidauthority.com/fairphone-gen-6-us-graphene...
As others have said they have some security concerns (I don't know enough about that stuff to know how justified or surmountable those concerns are). However with the big manufacturers all locking down their devices more than ever I wonder will they have much of a choice in the end. We're going to need a manufacturer (or preferably several) to actively stand behind the possibility to use custom ROMs, and at the moment Fairphone seem like the only one who might do that.
The curious thing is that being GrapheneOS open source, I would think that somebody could potentially create a ROM for them, even if it is not as secure as GrapheneOS would like. However, absolutely nobody has done it yet...
AXP.OS (axpos.org) is LineageOS-based (formerly DivestOS-based), but includes security backports from GrapheneOS and CalyxOS. No doubt it is less secure than GrapheneOS, but surely more secure than LineageOS, and supports bootloader relocking on some devices.
1 reply →