7 years, yes, but updates are few and far between. That matters a lot too. With Fairphone you don't get monthly security updates and timely major upgrades.
It's admirable that they go for longevity but irregular security updates don't really cut the biscuit for the more security-conscious customer. It's really just a matter of when they happen to get around to it.
Samsung is better at this IMO, while they don't do it quite as long they do maintain a decent cadence that they specify for each model.
Still it hurts me they supported my S8 for such a short time because it was my best phone ever. Since then they've really improved their game on the software side but not the hardware.
I've used DivestOS on my FP3+ and was pretty happy with it until I needed to use an app that crashed if no Google Play Services were present. I'll probably return to it soon now I don't need that app anymore.
> You can install other OS on the phone if you want.
Not with a kernel that wasn't provided by the manufacturer you can't. This massively constrains your options. I can pull a Debian or Ubuntu image off their website and install it on any old laptop, but for phones you need an image specifically tailored to each device, and it'll only get kernel updates as long as the manufacturer continues to provide them since they're all bespoke kernel forks per-device.
I'm not really familiar with the terminology, so maybe you can enlighten me. You can install other operating systems on the Fairphone, but I don't know about resigning the boot loader chain, but why does that matter?
Android devices use dm-verity to make sure that the OS hasn't been tampered with - the bootloader checks the signature of the first stage bootloader on flash and that one checks the next stage all the way to the kernel and contents of the flash.
This prevents all kinds of attacks where people could push things onto your phone's OS. In the desktop world, this is known as "secure boot".
Many devices will, however, only accept an OS signed by their manufacturer - e.g. Apple iPhones/iPads will only boot an OS signed by Apple and no one else. This is why you can't ever run Linux on an iPhone or iPad.
In the Android world, many manufacturers allow users to disable this verification (known as "bootloader unlock"). This allows running of non-manufacturer provided OSes (e.g. LineageOS, GrapheneOS, etc.). However, except for Pixels, they don't allow you to supply your own signing key to the bootloader, so you lose the security benefits of the secure boot chain and open yourself to a big set of security attacks against your phone.
On a Pixel (at least some of them), you can provide your own signing key and reenable secure boot when installing another OS.
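The dm-verity half of that chain, as an added illustration that is not from any commenter here: a simplified Merkle hash tree over a constructed partition image, where the root hash stands in for the value the signed vbmeta pins, showing that a tampered block fails verification even when the attacker also rewrites the hash tree. It assumes a binary tree and SHA-256 rather than dm-verity's real on-disk layout (which packs many hashes per hash block).

```python
import hashlib
import hmac

BLOCK_SIZE = 4096        # dm-verity's default data block size
HASH = hashlib.sha256    # assumption: real images may use sha1/sha256 as configured


def _h(salt: bytes, *parts: bytes) -> bytes:
    # dm-verity hashes salt || data; the same construction is reused for tree nodes here
    m = HASH(salt)
    for p in parts:
        m.update(p)
    return m.digest()


def split_blocks(image: bytes) -> list:
    # Zero-pad the last block so every leaf covers a full block
    return [image[i:i + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            for i in range(0, len(image), BLOCK_SIZE)]


def build_hash_tree(image: bytes, salt: bytes):
    """Return (levels, root): levels[0] are leaf hashes, levels[-1] == [root]."""
    level = [_h(salt, b) for b in split_blocks(image)]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]          # pair an odd tail node with itself
        level = [_h(salt, level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels, level[0]


def verify_block(image: bytes, index: int, levels, root: bytes, salt: bytes) -> bool:
    """Check one data block against the trusted root, as dm-verity does on each read.
    `levels` is untrusted (it lives on flash); only `root` is trusted (signed vbmeta)."""
    blocks = split_blocks(image)
    if index >= len(blocks):
        return False
    node, idx = _h(salt, blocks[index]), index
    for level in levels[:-1]:
        sib = idx ^ 1
        sibling = level[sib] if sib < len(level) else node   # odd tail: paired with itself
        left, right = (node, sibling) if idx % 2 == 0 else (sibling, node)
        node = _h(salt, left, right)
        idx //= 2
    return hmac.compare_digest(node, root)


def demo():
    """Constructed 12 KiB 'system' image (3 blocks); returns four verification results."""
    salt = b"constructed-salt"
    image = bytes(range(256)) * 48
    levels, root = build_hash_tree(image, salt)           # root would be signed in vbmeta
    ok_before = all(verify_block(image, i, levels, root, salt) for i in range(3))

    tampered = bytearray(image)
    tampered[BLOCK_SIZE + 10] ^= 0x01                     # flip one bit inside block 1
    tampered = bytes(tampered)
    ok_block0 = verify_block(tampered, 0, levels, root, salt)   # untouched block still passes
    ok_block1 = verify_block(tampered, 1, levels, root, salt)   # modified block is rejected

    # Attacker rewrites the whole hash tree to match; the pinned root still exposes it
    evil_levels, _evil_root = build_hash_tree(tampered, salt)
    ok_rewritten = verify_block(tampered, 1, evil_levels, root, salt)
    return ok_before, ok_block0, ok_block1, ok_rewritten


if __name__ == "__main__":
    print(demo())   # (True, True, False, False)
```

Unlocking the bootloader removes the check on the signed root, which is why unlock without a user-supplied key leaves nothing pinning that hash.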
OnePlus did allow that in fact. CalyxOS was working to implement this functionality, but then OnePlus suddenly removed this feature from their latest update :( The two things were probably not related by the way, because that was also the update where they basically made the OnePlus phones an OPPO with some branding on top (ColorOS faked as OxygenOS). It was really the point where OnePlus as an Enthusiast brand died and is now just an OPPO marketing scheme.
Curiously enough this feature does seem to be available for the Fairphone 4 too!
GrapheneOS never tried implementing this for OnePlus or FairPhone because it's not the only reason they stick with Pixels. The Titan security chip offers other benefits they want.
Oh yeah, okay, that's pretty silly that you can't do that. If you install a custom OS you're most likely the type of person that cares a lot about security, so not being able to enable secure boot seems weird.
I can see why you are being downvoted, but to be honest I kind of share your frustration. It seems like the same community that regularly complains about the prevailing phone ecosystem will also dismiss any attempt to improve it if it isn't perfect or doesn't have all of their personal favourite features (and at a low price, too). Like how the Fairphone is apparently literally unusable because it doesn't have a 3.5mm headphone jack.
You see it with a lot of user-facing FOSS as well, like Thunderbird. The recent post about its latest update was full of people shitting on it over, in many cases, fairly trivial details.
Creating stuff that is usable, sustainable, ethical and affordable is very difficult and involves making hard compromises. It's always good to see people trying to do it and depressing when all they get is hate.
> It seems like the same community that regularly complains about the prevailing phone ecosystem will also dismiss any attempt to improve it if it isn't perfect
You cannot fight against planned obsolescence while supporting the same companies that enable it (Qualcomm with their proprietary drivers tied to ancient Linux kernels). The real solution is GNU/Linux phones relying on FLOSS drivers, which will receive lifetime updates. More details: https://source.puri.sm/Librem5/community-wiki/-/wikis/Freque....
There's a pretty interesting takeaway here: Fairphone is a fairly small company with limited financial resources, yet they manage to support their device for 7 years. Why is it then that Samsung can't do 10 years?
Samsung or Google could support their device for 10 years, they just don't care because their financial incentive skews toward selling new devices. Which I suppose is part of the reasoning for picking a Fairphone, you get to use your device for longer, wasting fewer resources.
I doubt fairphone or framework will survive long enough to fulfill these promises. It’s a good bet for them to make. If they go under just write up a “sorry guys the world is mean and we meant well” apology page. If they succeed they’ll pass the job to some cs intern.
Fairphone is already 10 years old and getting more attention than ever, but I see your point, they are significantly higher risk than other high profile phone makers.
Security is a topic that is definitely worth taking very seriously, and worse, it's in contrast with an industry fundamentally designed around planned obsolescence.
I don't have estimates, but I think it's safe to estimate that there are millions of otherwise perfectly valid phones that either are in use, with serious vulnerabilities (in particular, bluetooth ones) and are not going to be patched, or have been thrown away because of that.
What percentage of those will actually be exploited in the hands of typical users? There's not exactly worm grade exploits flying around for these devices.
Most of the vulnerabilities require you to be loading sketchy apps, many of these are checked on the Play Store by scanners, so unless you get very unlucky or sideload sketchy apps, probably not a concern. WebView and most other network exposed components are updated from the Play Store, since Stagefright they sandboxed all codecs, etc.
It's really not that bad for a typical user to just run an unpatched phone, certainly better than a Windows machine with local admin where downloading and running one executable is all it takes. At least on an unpatched Android device they get some level of sandboxing.
> What percentage of those will actually be exploited in the hands of typical users? There's not exactly worm grade exploits flying around for these devices.
There have been a large set of attacks against modems and media decoders that do not require any kind of app installation. iMessage is a constant source of iOS CVEs. Media codecs are a constant source of headaches in the Android world as well and they require a driver update to fix (since most of them are HW decoders).
Pretty much all of the big security issues in the last year required no user interaction on Android or iOS to exploit.
> What percentage of those will actually be exploited in the hands of typical users? There's not exactly worm grade exploits flying around for these devices.
In addition to the sibling post, Bluetooth is another attack vector.
A phone I had to abandon in the past was a Nexus 5X, which I believe has a set of very serious Bluetooth bugs. I don't remember the details, but they were very easily exploitable (as in: either doing nothing, or just keeping the BT menu in the foreground, which is a common operation).
I tend to agree here - of course security is a concern and the horror stories are just that, horrific, but how often (specifically on mobile) do they happen? And with such a significant amount of our personal data now on devices - photos, health, financial - if there were constant massive exploitation there'd be relentless pressure to improve.
As long as smartphone device drivers are proprietary there will be an upper limit of how much a phone can be updated. Not to mention that Android and iOS get more computationally intensive each version way quicker than Desktop OSs do. Windows 10 from 2012 and Windows 10 today basically run the same.
Sure, if most drivers were open source like on desktop Linux we could tweak them to work with newer and newer Android versions, but what happens when AOSP gets a computationally expensive update (i.e. embedded ML voice recognition or realistic TTS)? Then you would have to create custom versions of AOSP that only have the stuff a particular phone model can handle and this would create an unbearable ecosystem of poorly maintained distributions.
> what happens when AOSP gets a computationally expensive update (i.e. embedded ML voice recognition or realistic TTS)?
You disable those features on lower-spec phones or fall back to a low-resource alternative. If I'm on an older device that can only run eSpeak instead of a more realistic but expensive TTS engine? Fine, I'll run eSpeak! You don't have to bundle everything together into an image for each device. If you want to disable stuff, do it at runtime.
Or if you really need to remove stuff due to storage limitations, have a small manifest that can be used to build an image with unused things excluded. This doesn't have to be "oh we need to make completely custom versions of the OS for each device", this is basically "install these packages, don't install these ones". Modularity!
I don't agree. In this day and age a phone needs to be secure more than ever. It's no longer just a slab to make calls with. It's my bank account, my transit pass, all my private thoughts.
Regular security updates are no longer a nice to have. They're a must. If a company can't provide that they have no business making phones.
Having said that it does look indeed like they've upped their game with the FP4 a lot.
I am everything but a phone OS developer, but why is every Android update breaking everything and why are Android phones so hard to update for the manufacturer? On Windows and Linux I can probably still run 98% of the proprietary drivers after OS and kernel updates.
It’s an antagonistic turn of phrase that’s not conducive to an atmosphere of high quality discussion. There are other places on the internet that are for that, not HN.
I remember lol-ing when Firefox came out with FirefoxOS ages ago. I thought, "why on earth do we want yet another phone when we've open source Android?". I'm slowly realizing that we've run out of choices now. Between the gluttonous Android, and kidney-demanding and walled garden of iOS, we don't have an alternative. And if the articles I'm reading are right, Apple is slowly eating all of Android's meals. Apps that you can't live without--be that because of $WORK requirements or other quality of life improving ones--they're available only for Android and iOS. Using such services via web is a no-go: "it's either our app or nothing". I can't park my car without installing their app. (The other alternative is to phone them up! What year is it now - 2020?!).
I wish we built the foundational mobile application ecosystem around web technologies [0]. That would have stripped down the phones' front-end and user-facing requirement to 'just be able to run a web browser'. No bulky updates; no deprecations. In the normal course, the only thing that needs update/upgrade is the battery, every n years or so, n > 5.
[0] with the provision to extend functionality via native plugins, of course -- like the Capacitor framework [1] does.
What about Project Treble? That was supposed to define a clear boundary between the hardware-dependent and hardware-independent parts of Android so that one could be updated without touching the other. The goal was exactly that, to remove the dependency on SoC manufacturers for system updates. Yet somehow this dependency still exists? Meanwhile GSIs (generic system images) also exist and run on everything where you could unlock the bootloader.
Yes, however the update still needed to be pushed by the OEMs themselves, as Google didn't want to force their hand.
Naturally they rather sell new devices.
GSI came later as Google decided to make way for most components to be updatable via the Play Store.
ART was the last one to make it on Android 12, especially since they couldn't ignore Java evolution any longer, as Java libraries started to become unavailable on Android.
Project Treble doesn't go that far. It allows you to boot a mostly hardware-independent ("generic") AOSP, but it's still dependent on AOSP version, hardware architecture (32- vs. 64-bit) and other details such as the partition arrangement, which varies by device. Project Droidian is trying to make it feasible to run something close to a mainstream Linux userland (hence, not just AOSP) on top of Treble drivers, and it's not very easy.
LineageOS and custom roms have been doing this for close to two decades. And those are entirely based on volunteer efforts. It actually doesn't take that much work. The reason Google etc don't do it is because then they'd get to sell fewer phones since they wouldn't be getting obsolete so quickly.
Apple supports devices for a lot longer because they get a lot of recurring and ongoing revenue from Apple services on Apple devices, so it's in their favour if devices stay usable for longer.
You can understand almost all decisions made by tech companies if you think along the lines of "how are they profiting by doing _______?"
LineageOS and other custom roms do not and cannot do this -- they are dependent on the OEM for firmware and kernel updates. Once those dry up, you get Android updates but ultimately the device remains vulnerable to lower level attacks.
Modern? According to gsmarena, literally the only Android phone with at least Android 12 with a height less than 135mm (the iPhone 13 mini is 131.5mm high, according to the same site) is the Cubot J20. Which looks adorable, but is a 60€ Aliexpress device and probably not what you seek.
If you are okay with older phones, there is the Sony Xperia XZ2 compact, which is even supported by several custom roms and would then run Android 13.
Or there are foldables of course, like the Samsung Flip. That's at least small some of the time, and there are some alternatives where the small screen on the outside is big enough to be usable, like the new razr+.
YES. I've just got a Unihertz Atom XL, I love it. All of their phones are pretty unique - they make one with a BlackBerry keyboard, mine can operate on DMR radio frequencies. They are not enormous phablets. They do only support Android 11, but I'm not really so interested in bleeding edge Android these days.
I was interested and looked it up. For anyone else that cares, Unihertz is a Chinese company. I'll probably add it to Huawei in my mental "avoid" bucket for the foreseeable future.
Unihertz makes a few niche phones, check out their sizes. They are updating the Jelly line (3" screen, might be too small for you, but is what I own) right now for a fall release. The Atom XL is a ruggedized phone with a slightly larger (4") screen. FWIW, those both are thicker than an iphone mini (gotta fit the battery somewhere I guess).
[edit]
There is also the Titan Slim. It's a 4.2 inch screen, but has a keyboard, making it narrow, but very tall (5.75").
And if you do go for the super tiny Jelly series, don't get the 2E; it's designed as a second phone and so is less well spec'd than the older Jelly 2 (or the upcoming Jelly Star).
For me in software engineering, it really does make a difference to have that extra space when having two things open side by side. Also I DJ for fun sometimes, and having the extra real estate helps a LOT.
Thanks, that is exactly my point, because I'm not losing any functionality with a slightly smaller phone, but I am gaining something that is more mobile, fits into pockets and is usable with one hand.
I understand the large screen appeal, there's a lot of folks out there now who use their phone to watch shows and in some cases it is their only computing device.
The basic S23 is half a centimeter larger in every dimension (except thickness) and is a very, very good phone. If that's too large, there's also the Xperia 5 IV and the Asus Zenfone.
The Zenfone is the same size as a regular iPhone. I know reviewers hype it up as a small phone and in the android context, it is - but it's not comparable to the iPhone mini.
Not everyone uses their phone for UIs. A lot of us Gen-X / Elderillenials have a more disconnected lifestyle, whereas a lot of younger-llenial and Gen-Z their life is centered on communication first. As such, a Large screen is not a priority, but portability is, because I'd assume just leave my house without my phone if it's too big to tuck in a pocket on a bike ride.
Good phone cameras rely on a bunch of proprietary blobs for the sensor color science which are considered trade secrets and kept close to the chest when licensed for $$$.
Fairphone could invest in rolling their own open color science but I doubt they have the money to do it and come anywhere near what Apple or the other big Android makers are doing.
Looks like if you want open devices running FOSS you'll have to live with shit camera quality, for now.
Fairphone is not FOSS though… I don’t think their angle is “we are FOSS”, they are open to proprietary blobs as long as the hardware is ethically sourced. (From what I get, their definition of “ethical” doesn’t include FOSS.)
Sensor vendors will work with you to give you their blobs if you aren't ideologically required to distribute their source code. The SoC they are using should have a few blessed sensors which work pretty well out of the box.
Unless Qualcomm is totally out to lunch. I dunno I haven't worked with their SoCs personally.
I upgraded my fp3's camera to the fp3+'s, and it's noticeably better. Also, the upgrade was the easiest. Pop the old camera out and the new one in.
'Good' is relative. No doubt an iPhone's camera is better, but I suspect most people have no need for such high quality photos. They just want to take photos for themselves or social media. And for that the FP3 camera is totally good enough.
They do bring up a good point. An actual camera is almost always better than a camera module. But most people value cost and convenience over having the superior tool.
I've witnessed people who are unable to navigate when their phone shows SOS only. They were unaware that GPS does not depend on cellular Internet. People scoff at dedicated GPS navigation devices or paper maps as antiquated.
Most Android cameras are fine for social media pics. However if you edit and print your photos the iPhone and flagship Android cameras are noticeably better in color, image noise, brightness, contrast and low light.
Those all look fine to me, but I'm a poor judge. I rarely take pictures of anything. I realized a long time ago that I almost never go back and look at them again, and I am better off enjoying the moment than trying to stand outside of it taking pictures.
You might want to get your eyes checked at your next appointment. I'm severely color blind and yet I can see a significant difference in color diversity, vibrancy and image quality in these examples. The FP image is muted and muddy.
Well I'm one of the people who thought NTSC television was "good enough" video quality. 4k is so sharp it puts me in an uncanny valley and I find it to be borderline unwatchable.
Note that some of those look worse than they would if taken today, because FP4 used to have an issue where some interface wasn't made available for third-party camera apps to use.
I think the biggest deal-breaker for me is that they chose to go with /e/OS which is not something I enjoyed after trying it briefly since the skin over AOSP to me seemed ugly and bloated and change for the sake of it.
I would like to try out the recent Zenfones and the Nothing phone also seems good. But at the moment I have my Pixel 6a which is serving me well enough.
There's no skin on /e/OS, it is just a fork of LineageOS with a few Google/telemetry things removed, MicroG integrated, and a handful of apps/services preinstalled.
Are you talking about the default launcher? You can download dozens of different launchers on their app store, and install them with one click. Including Trebuchet, which is the default launcher on LineageOS, which is, at this point, de facto AOSP.
This is a forum of hackers, so this ought to be easy to answer:
Alice is using a Pixel XL in 2023. Its last Android patch was in 2019, on Android 10, but she keeps up with play store updates. Other than this, she is reasonably security conscientious. She does not sideload strange apps, but could be tricked into visiting a malicious link before exiting out of it. She is not a high value target.
By 2024 Eve has hacked Alice's phone as a result of this outdated phone. What is the most likely mechanism?
Here are my speculations:
Visiting a malicious link at the same time there is a major browser vulnerability. This sandboxes the malware, unless there is a second vulnerability, a sandbox escape.
Receiving a malicious text message that exploits a Message app vulnerability.
Attack on the baseband processor.
Please correct me if I'm wrong, but I don't see any of these as being very likely.
To me this is a ludicrous and premature claim. They can claim this AFTER 2026 gets here and their device still runs whatever Android looks like in 2026. And runs it well, with acceptable performance and battery life. Not before.