PRO1, No more System Updates



Just now, sequestris said:

I asked. They answered.

They have stopped pushing updates for Pro1 a very long time ago.

...or is it about update system which also stops working?

Anyway, LineageOS still provides an up-to-date Android environment, however, there are still bugs in kernel which could only be improved through manufacturer as having closed-source components and what is very sad to be left alone...

  • Like 3
5 hours ago, OKSun said:

Can I ask what are the implications for those using stock android on the pro1: Is it still safe in terms of data security? And if so for how long?

I would not say it is safe considering it is more than a year since it was updated...

I have used stock OS because it was set up and it is a bit harder to do a major update on a daily driver without a proper way of backup/restore in case something went wrong...

However, stock OS simply had a lot of problems and LineageOS works as good as possible, the only problems remained were built into kernel, so they are basically not LineageOS-related.
Device is really fast, NFC payment is working, every function works as it should...

  • Like 2
11 hours ago, VaZso said:

I would not say it is safe considering it is more than a year since it was updated...

Thanks for the answer. 

My experience with the android stock software was fine (with the workarounds suggested by the users, I could use the phone and the banking apps were working).

I am disappointed that there will be no update. I wrote to fxtec customer service to get official statement about android use and implications in terms of data safety (Does fxtec officially suggest to move away from android?).

Edited by OKSun
  • Like 2
1 hour ago, OKSun said:

My experience with the android stock software was fine (with the workarounds suggested by the users, I could use the phone and the banking apps were working).

Me too, I use stock Android on my daily driver, and apart from the need for occasional boots (roughly twice a month), when it forgets it has a fingerprint reader, it works fine for me. I seldom do voice calls, and when I do, almost always with a headset.

But yes, certainly disappointing with the lack of updates.

  • Like 3
1 minute ago, OKSun said:

Thanks. Yes the question for me is whether my data is at risk.

The polemic answer is: Yes, do not trust a phone as a safe place for data, no matter the OS or security update level...

But then the big question always is HOW big the risk is, if we choose to take the chance anyway?

Strictly someone could snap it out of your hand while you are using with your banking app open, so you NEVER get it completely secure...

There are a lot of other things than security patch level in play, e.g. the security of the net you are using it on. That is the reason why my 'Paranoia' never would let me connect my device to a net where I do not feel they are suitably secured behind firewalls. And thus never in any circumstances to a public WiFi.

Sure I would prefer to have the most recent security updates on my Pro1, but not enough to want to have the hassle with apps not working. But that is just my personal balance.

  • Like 2
2 hours ago, EskeRahn said:

my 'Paranoia' never would let me connect my device to a net where I do not feel they are suitably secured behind firewalls. And thus never in any circumstances to a public WiFi.

No offense, but that does not seem very practical to me. The only network you can trust on that level is one you configured yourself. For most users, that would mean to connect their Pro1 to the Internet only at home. At that point it is not really a mobile device anymore ...

We do agree that banking is best done at home anyway. I use only my PCs and separate hardware tokens for that. In fact, by relying on security of a single system (the phone), most banking apps undermine the very principle of two-factor authentication which lies in using two independent devices that are air-gapped from one another.  

  • Like 1
2 hours ago, claude0001 said:

No offense, but that does not seem very practical to me. The only network you can trust on that level is one you configured yourself. For most users, that would mean to connect their Pro1 to the Internet only at home. At that point it is not really a mobile device anymore ...

Well I was talking WiFi... So only internet through the mobile carrier (when not at home, or a few trusted WiFi locations).
But yes, I will need to trust my mobile carrier's net.

  • Like 1
14 hours ago, EskeRahn said:

Well I was talking WiFi... So only internet through the mobile carrier (when not at home, or a few trusted WiFi locations).
But yes, I will need to trust my mobile carrier's net.

Trust is maybe an overstatement... but you have to assess the risks. If someone has access to a manipulated carrier network, there are probably more valuable targets than me.

But since I do the same (never connecting to public wifi). Do you have the same problem as me, that it seems that some places with public wifi (supermarkets especially) seem to be constructed to block mobile network? I know this sounds like a conspiracy, but I swear, here in Switzerland you seem to have no Internet at all in big supermarkets!

Edited by Doktor Oswaldo
  • Like 1

Germany here, also problems accessing the mobile networks in (some) supermarkets.

When some years ago I found my erstwhile phone to behave suspiciously after having used the wifi of the hotel where I had been staying, I became extremely careful with public and semi-public wifis, too, though, and I wouldn't even call it paranoid. 😉 

But I guess that's what VPNs are for... Until now I didn't bother to create a VPN endpoint in my home LAN for that purpose (it's still on my wishlist because it obviously would also allow access from everywhere to all of my home LAN resources without further ado), but I'm using one of the better-reputed commercial VPN providers (Express VPN, I also chose it for its good Linux support). When I log into a public wifi, the first thing I do is to activate VPN, which is just two taps, and then I'm sensibly safe (it can even be automated; there's an 'autoconnect when joining networks not listed as trusted' option).

Edited by Rob. S.
  • Like 2
3 hours ago, Doktor Oswaldo said:

Trust is maybe an overstatement... but you have to assess the risks. If someone has access to a manipulated carrier network, there are probably more valuable targets than me.

But since I do the same (never connecting to public wifi). Do you have the same problem as me, that it seems that some places with public wifi (supermarkets especially) seem to be constructed to block mobile network? I know this sounds like a conspiracy, but I swear, here in Switzerland you seem to have no Internet at all in big supermarkets!

My guess would be that they are generally just deep flat concrete buildings, so the signal has a hard time reaching. So most likely they offer the WiFi as a service to compensate for this, especially if they are one of those allowing you to scan the items with your phone as you put them in the basket. (That offer is quite common in Denmark, e.g. Coop.) I have given up using this due to net issues doing so....

  • Like 1
27 minutes ago, EskeRahn said:

My guess would be that they are generally just deep flat concrete buildings, so the signal has a hard time reaching. So most likely they offer the WiFi as a service to compensate for this, especially if they are one of those allowing you to scan the items with your phone as you put them in the basket. (That offer is quite common in Denmark, e.g. Coop.) I have given up using this due to net issues doing so....

We have that here too. Funnily, also in a supermarket called Coop. They also offer you hand scanners though. But here the problem is that you need an account and have to give them access to all your sales data to use it. So I use the self-scanning register instead of that.

  • Like 1

Interesting discussion. What I have observed with some WiFi's run by shopping malls is that they block price-comparison websites. <conspiracy> So maybe they have an interest in locking you out of your mobile network ...  🕵️‍♂️ </conspiracy>

On a more serious note, in my daily life, I lack mobile network just too often. I travel by train a lot, and there are still too many uncovered areas in the open countryside. At my working place there is practically no chance of having mobile data at all (radiation protection walls). So I rely on local WiFi's even for phone calls much of the time. To be honest, I never worried much about it ...

4 hours ago, Rob. S. said:

But I guess that's what VPNs are for...

Hmm ... not so sure about that. It is true that an (encrypted) VPN would protect you from a malicious WiFi admin overhearing your communications. But that can be achieved with any kind of end-to-end encryption, as is standard on the Internet nowadays. Protocols like https can safely be used even on a fully unencrypted WiFi from that point of view.

What I thought we were discussing here is the (theoretical) possibility of the WiFi access point exploiting some vulnerability in your unpatched phone OS to get access to your device. I do not think that can be excluded via the use of VPN. After all, a VPN is just a virtual (tunnel) interface that relies on an existing physical network connection underneath. So, obviously, the latter has to be established normally before the TUN interface can be installed. In order to be accepted on the typical (semi-)public WiFi, you have to register by accessing a web interface controlling the AP. In theory, that would probably be enough to exploit some vulnerability e.g. in your web browser (apparently my LineageOS always uses the built-in browser for that, even though Firefox is set as default).  

Edited by claude0001

I have just installed another android security update for my outdoor phone (a Cyrus from Feb 2020 running on android 9). I get these updates quarterly, although Cyrus is also a niche market phone.  So it seems possible.

I am still unclear what these security updates include. What security aspects are they improving? Should we be worried?

Edited by OKSun
10 hours ago, OKSun said:

I am still unclear what these security updates include. What security aspects are they improving? Should we be worried?

The AOSP security bulletins are here:

https://source.android.com/security/bulletin

Everything since April 2020 is unpatched in stock Android 9.

LineageOS picks up the open-source patches from the security bulletins, but can't do so for the (closed-source) Qualcomm fixes, which would have to be implemented by the device manufacturer. That's why a recent LineageOS will display an "Android security patch level" of "5 April 2022", while the "Vendor security patch level" is stuck at "5 April 2020" on Lineage, too.

Edited by claude0001
  • Thanks 3
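
To check the gap described in the post above on a given device, the two patch levels can be read from system properties and compared. This is an added example, not part of the original thread: it assumes the standard Android properties `ro.build.version.security_patch` and `ro.vendor.build.security_patch`, the function names are hypothetical, and the sample `getprop` output is constructed from the dates quoted above.

```shell
#!/bin/sh
# Constructed sample of `adb shell getprop` output, using the dates from the thread.
SAMPLE_GETPROP='[ro.build.version.release]: [12]
[ro.build.version.security_patch]: [2022-04-05]
[ro.vendor.build.security_patch]: [2020-04-05]'

# prop_value NAME: print the value of an exact property name from
# getprop-style "[name]: [value]" lines read on stdin.
prop_value() {
    awk -v key="[$1]:" '$1 == key { v = $2; gsub(/^\[|\]$/, "", v); print v; exit }'
}

# to_months YYYY-MM-DD: print year*12+month; fail on any other format.
to_months() {
    case "$1" in
        [12][0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]) ;;
        *) return 1 ;;
    esac
    tm_y=${1%%-*}
    tm_rest=${1#*-}
    tm_m=${tm_rest%%-*}
    # Strip a leading zero so "08" is not read as an octal number.
    echo $(( tm_y * 12 + ${tm_m#0} ))
}

# patch_lag: read a getprop dump on stdin and report how many months the
# vendor (closed-source blob) patch level trails the platform patch level.
patch_lag() {
    pl_dump=$(tr -d '\r')    # older adb versions emit CRLF line endings
    pl_platform=$(printf '%s\n' "$pl_dump" | prop_value ro.build.version.security_patch)
    pl_vendor=$(printf '%s\n' "$pl_dump" | prop_value ro.vendor.build.security_patch)
    if [ -z "$pl_platform" ] || [ -z "$pl_vendor" ]; then
        echo "missing patch-level property" >&2
        return 2
    fi
    if ! pl_p=$(to_months "$pl_platform") || ! pl_v=$(to_months "$pl_vendor"); then
        echo "unparseable patch-level date" >&2
        return 2
    fi
    echo "platform=$pl_platform vendor=$pl_vendor lag_months=$(( pl_p - pl_v ))"
}

# Stand-alone run on the constructed sample; on a real device use:
#   adb shell getprop | patch_lag
printf '%s\n' "$SAMPLE_GETPROP" | patch_lag
```

A large `lag_months` on a custom ROM means the open-source patches are current while the vendor components are not.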
2 hours ago, claude0001 said:

That's why a recent LineageOS will display an "Android security patch level" of "5 April 2022", while the "Vendor security patch level" is stuck at "5 April 2020" on Lineage, too.

Right, and there are exactly two years between last vendor security patch level and current LineageOS security patch level...

Edited by VaZso
  • Thanks 1
  • Sad 2
  • EskeRahn changed the title to PRO1, No more System Updates

For what it's worth, I run the stock OS that shipped with the Pro1 and haven't had any issues aside from needing to reboot the phone every so often (I think to refresh my phone on my carrier's network or vice versa) to receive texts and calls.  I don't have anything sensitive on my phone that could be compromised but I use it mainly with zero trust principles.  I accomplish this in part by using a different email for my phone than my actual email, disabling BT, location, and WiFi, except when I am explicitly using one or more.  Even then, I only connect to trusted devices (BT; not to exceed X minutes) or networks (WiFi).  The headphone jack lends itself nicely to not really need BT for most situations.  The lock screen is configured to display no message or status information other than the clock and, unfortunately, the information discernible from the pull-down menu (such as the name of whichever in-range wireless network to which it is presently connected).  I have "Private DNS" configured and use a VPN on the phone, mainly to circumvent tracking, and never use Chrome.  Duckduckgo is good for quick searches without tracking but Firefox allows installation of add-ons, such as noscript, and the ability to view the desktop versions of sites, which allows me to view certain sites without using a site-specific application.  Although I use a password manager, it is not on my phone.  The Pro1 is used to generate MFA codes for other machines in conjunction with a Yubikey for additional protection on platforms that allow its use.  I have never performed any sort of financial or medical activity on my phone and never will.  I haven't yet gotten to the point of solely using (F)OSS applications and side-loading to avoid Play but I've considered it.

 

 

 

  • Like 2

A few weeks ago I took my Pro1 out of frontline service, as I decided that Android 9 was now too risky to rely on for most of the tasks I was carrying out, despite using Two Factor Authentication. It's a shame FxTec dropped support so quickly.

  • Sad 1
5 hours ago, MickH said:

A few weeks ago I took my Pro1 out of frontline service, as I decided that Android 9 was now too risky to rely on for most of the tasks I was carrying out, despite using Two Factor Authentication. It's a shame FxTec dropped support so quickly.

Not that they chose to, though...

  • Like 2
  • 2 months later...
On 8/6/2022 at 8:29 PM, brunoais said:

Not that they chose to, though...

Even so that Snapdragon 835 devices reached their EOL on Feb 2022 (Linux kernel LTS) Qualcomm is still delivering some security updates to SD835 chipset. Also, Pixel 2 phones (same SD835 chip) received Android 11 update and security updates to the end of 2020 (or to April 2021 if you were Preferred Care customer). Considering that last update for Pro1 was on Aug 2020 (April 2020 security level and Android 9) things could have gone better.

I don't know what was the reason that updates stopped and we never received Android 10, monthly security updates or Widevine fix. Maybe software development was too costly (about $10000 for each Google certification run what I have heard) or partners did not do what was promised (IdeaLTE and AdUps).

However, I am happy that F(x)tec helped developers with custom ROMs etc. At least we have an update patch that way. I just hope that Pro1-X gets little bit better support (maybe couple updates per 12 months for few years). I know that it is not an easy task for a small company.

 

  • Like 2
23 minutes ago, FlyingAntero said:

However, I am happy that F(x)tec helped developers with custom ROMs etc. At least we have an update patch that way.

The problem is that security issues in the binary blobs owned by Qualcomm are not going to be fixed. Even LineageOS 19.1 is still on the "vendor security" level of April 2020.

  • Thanks 1