Couple of pieces on hardware:
- Fairphone does not include a secure element making brute-forcing PIN trivial
- Fairphone 4 used TEST KEYS for verified boot: https://forum.fairphone.com/t/bootloader-avb-keys-used-in-ro... The above alone shows insecurity by design.
I cannot find any of Fairphone technical documentation that would provide details on their implementation of the TEE/HSM. As of now I believe it's only Pixel's Titan and Samsung's KNOX that provide a discrete secure element on Android devices.
Android project recommends secure element to process sensitive data: https://source.android.com/docs/security/best-practices/hard... What it's supposed to provide: https://developer.android.com/privacy-and-security/keystore
On vendor: Drivers, firmware patches, OS upgrades are a necessity, not an option: most security and privacy updates are not backported. Vendor can't just wait for AOSP to deliver all the patches. Vendor must show a track record providing updates to their hardware
- After a lengthy two-year delay, the phone got a taste of Android 12 in February 2023, with Android 13 arriving relatively quickly in October 2023. For Android 14, Fairphone promised to roll out the update in H2, 2024, almost a year after Google released it. Now, with less than two months left in the year, the company is postponing the update's release to 2025. -- https://www.androidpolice.com/fairphone-4-long-delayed-andro...
- their Security Bulletin patches are consistently 1-2 months behind
- Fairphone 5 is still on Android 14 (since Jul 2024). Android 15 has been released in September 2024. Year and a half later AOSP is on Android 16.
- Fairphone 6 is still on Android 15
- Fairphone 5 and 6 latest security patches are from June 2025: https://support.fairphone.com/hc/en-us/articles/244637136412...
For comparison GrapheneOS had eight releases in July alone (GrapheneOS had a full A16 release on 30th of June for all supported devices). Security patches are usually released within one-three days (or earlier, from the tree, without waiting for being published in the bundle)
GOS Release for Pixel 9 was ready three days after the device launch.
Exploitability matrix as per Cellebrite: https://discuss.privacyguides.net/t/updated-cellebrite-iphon... That supports the claim the hardware + OS holds.
It is also worth mentioning that Android Security Bulletins generally only contain backports of patches for High and Critical vulnerabilities. Most non-Pixel/GrapheneOS phones only get all the other fixes when moving to the next major release [1]. So getting the next major Android release is important (getting to a recent patch-level alone is not enough).
I can completely understand that Graphene does not want to support Fairphone and others, their security/privacy goals are the complete opposite of what those phones provide.
[1] https://discuss.grapheneos.org/d/23462-grapheneos-version-20...
> - Fairphone 5 is still on Android 14 (since Jul 2024).
The Android 15 update was actually released this week! https://support.fairphone.com/hc/en-us/articles/186828004651...
> - Fairphone 6 is still on Android 15
Android 16 was released less than half a month before the release of the FP6, which itself is less than a month ago. Seems reasonable that it wouldn't ship the latest version under those circumstances.
i am trying to under this but i do not get it. it is an encrypted phone with no external to the attacker access. how can you brute it??
Fairphones don't switch USB ports automatically into "charging only" like GrapheneOS does.