Security Updates

Hi everyone, I’d like to expand on the information we shared earlier on the Forum to help clarify the current security situation with Mudita Kompakt. This post is meant to explain how we handle security updates today and what happens now that Google has ended support for AOSP 12.

Mudita OS K and Kompakt itself are minimalist products, designed that way on purpose. Kompakt started from AOSP 12, but we changed it a lot.

  • We did not add Google Mobile Services and the Google Play Store.
  • We wrote our own apps and a lot of low-level parts, including drivers.
  • We added features like Offline+ that Android does not support out of the box.

So at this point, Mudita OS K is its own system, based on AOSP 12, but not a “stock Android 12” build anymore. Some attack paths that exist on regular Android phones simply do not exist here, because the features or apps are missing.

Google has now stopped publishing security patch backports for Android 12. The last Android 12 fixes were part of the March 2025 security bulletin.
That means:

  • There will be no new official Android 12 patches from Google.
  • Any long-term support for a device on an Android 12 base must come from the system vendor (in this case: us), by backporting fixes from newer Android versions.

Applying every single patch from Android 13–16 to an Android 12 tree, no matter what, would be risky and almost unrealistic. Instead, we review the Android Security Bulletins and pick what matters.

  1. Check the CVEs: what part of Android is affected and how serious it is.
  2. See if that code exists in Mudita OS K or if it was removed or changed.
  3. If it applies, we bring in the fix and test it.
  4. If it doesn’t apply, we mark it as not relevant.

We focus on critical issues. Lower‑risk problems are still monitored but take lower priority.
We want to be clear here:

  • We will not backport every single issue from all future bulletins.
  • We do commit to keep verifying new bulletins, and to fix high-risk problems that actually affect Kompakt, for as long as we support the device.

A few points that also matter for security:
We do not ship Google Play Services or Google Play Store. Some vulnerabilities from the bulletins and from Google’s own bulletins simply do not apply, because that code is missing.
On the other hand, we also do not get protections like Google Play Protect out of the box. So we put extra care into the system side and keep the default app set small.

Because Kompakt now allows sideloading, some risk depends on which apps you choose to install. The OS gives each app its own sandbox and permission system, but no system can fully protect a user from a malicious app they install themselves. Third-party apps can bring in their own bugs or malware.

Thank you for engaging with us and for caring so deeply about doing security the “right” way on a minimalist device. Please keep your Kompakt updated and install apps only from sources you trust.
