However, we don’t have a “hardened security” approach, we aren’t developing a phone for pedo(censored) so they can evade justice.
I guess they found it difficult to resist the temptations of the data broker industry, and are now trying to pivot to being iPhone-style security theatre while profiting off selling their customers’ data?
Either that, or they have reason to think their users are stupid enough to fall for this? Personally, I have the same opinion of /e/os and fairphone users: they bothered to spend the time researching alternatives to the duopoly, yet they made the wrong choice anyways lmao
Graphene just can’t stop winning.
Dutch hardware, French open-source OS, no Google services.
Apologies for repeating this in pretty much every topic on Fairphone and /e/OS, but there is a lot of misinformation about this. The Fairphone hardware and software are developed by a Chinese company called T2Mobile (this is no secret, it is in Fairphone’s documentation). Switching to /e/OS does not really change that, because they use the same kernel trees, binary firmware blobs, and device trees maintained by the same Chinese company. So you replaced opaque blobs coming from a South Korean company with those from a Chinese company and Qualcomm (pick your poison I guess).

Besides that, /e/OS does not really decouple you from Google. It starts talking to Google pretty much the moment you first set up the device [1]. The device will download proprietary Google SafetyNet blobs that run as part of the privileged microG. /e/OS also contacts Google for assisted GPS, eSIM provisioning, WideVine provisioning, etc. Then if you install certain Google Apps, /e/OS gives them elevated privileges, breaking the regular sandbox model. For instance, if you install Android Auto because you want to use it in your car, some of the dependencies (e.g. Google Maps) have privileged access [2]. It does not stop at Google, e.g. for speech-to-text, Murena does not have any scruples about uploading your voice to OpenAI (and hides it somewhere in the terms that no-one reads) [4].

Besides that, both Fairphone and /e/OS have a history of abysmal security. E.g., both used to sign system images with Android testing keys (which meant that malware could hide in your system image without you noticing). Fairphone is absolutely terrible at maintaining kernel trees - e.g. Fairphone 4 is still using a Linux version that has not been updated since 2020, Fairphone 6 is still on firmware blobs from June 2025 despite Qualcomm pushing out monthly fixes for vulnerabilities since then. The Fairphone 6 is also shipping a Linux kernel that hasn’t been updated since September 2024.

Both the Fairphone stock OS and /e/OS are way behind on Android security updates. The Android Security Bulletins are only backports of security issues marked high or critical. On those they are typically 1-2 months behind and the ASB vulnerabilities are already known for 3 months by vendors due to Google’s new security embargo system. That means that Fairphone’s stock OS and /e/OS are usually 4-5 months behind on patching high/critical vulnerabilities. It is even worse for other vulnerabilities, which are commonly used as part of exploit chains. /e/OS and the stock OS are still on Android 15. Since they do not roll out other security updates than ASBs, it means that they are now 1.5 years behind in non-high/critical security updates (since Android 15 was released in September 2024).

And then we haven’t even talked about shady things like the /e/OS App Lounge getting F-Droid packages [3] through a MITM server (cleanapk) for at least 6 years now that often serves outdated package versions. To make it more fun, they do not want to reveal who is actually maintaining this service.

Similarly, hardware security is not great. In contrast to your old S24, the Fairphone 6 does not have a separate secure enclave. They only use TrustZone, which basically uses the same CPU/RAM for the TEE (the OS gets isolated by secrets running it in a VM-like environment). TrustZone is vulnerable to side-channel attacks and PINs are easily brute-forced (so, on Fairphone you probably want to use a long passphrase).

Some people will say: who cares, I’m not the target of a state level actor. Remember that in the days of Cellebrite, etc. device security is important to anyone who ever goes to a demonstration or crosses international borders. I understand that everyone is looking for European alternatives, please think twice if you want to replace them with Chinese blobs, very outdated software, and a security disaster.
[3] https://forum.f-droid.org/t/e-foundation-using-f-droid-with-middle-man-website/7162
https://www.reddit.com/r/BuyFromEU/comments/1rn5qiw/fairphone_grew_83_last_quarter_tried_it_for_a/
Ah, GrapheneOS, who else? Can someone provide the source? What was the question he was asked?
Edit: Found it. Interview is in French, on YouTube. I just ran it through a transcriber and a translator, so something might get lost in translation.
Basically he was being asked about “who is your threat model, the government?”. Then he brings up pedophiles and government employees or the CIA. I’m assuming he’s putting them in the same box because of the threat model, but I tagged him and would like a response from him.
I only found this, which seems to be it, or at least he answers very similarly, but no video: https://www.clubic.com/actualite-604786-murena-e-os-interview.html
Question was "La prise en charge de plusieurs types de smartphones ne se fait-elle pas au détriment de la sécurité ?" (in English: "Doesn't supporting several types of smartphones come at the expense of security?")
Seems to me that GrapheneOS is very right to point this out.
French
Mais surtout, il ne faut pas se tromper de combat : /e/OS permet à ses utilisateurs d’échapper à la collecte massive de données personnelles qui s’opère dans les smartphones du marché, pas d’aider les pédocriminels à passer sous les radars de la justice. Autrement dit : /e/OS n’est pas un système avec un objectif de sécurité durcie et qui serait utile seulement à des personnes ciblées.
English translation (by deepl)
But above all, we must not confuse the issue: /e/OS allows its users to avoid the massive collection of personal data that takes place on smartphones currently on the market—it is not designed to help child sex offenders evade the law. In other words: /e/OS is not a system designed for enhanced security that would be useful only to specific individuals.
@[email protected] Could you please explain why you keep bringing up the example of pedophiles and child sex offenders? It’s giving the impression that you’re equating people desiring high security to pedophiles.
cm0002 is anti security by not mirroring @grapheneos.org’s translation. Here’s a mirror of the vulnerability apologia:
My lack of interest in /e/ has tripled!
Graphene is the best option for avoiding authoritarian government surveillance.





