Security Updates

If you used something like Aurora Store would that bypass the API level restriction? (not versed in this, just curious)

1 Like

Aurora Store is simply another, but open source frontend for the Google Play Distribution Platform. The apps are the same. So as soon as Developers no longer supply updates with our API Level, the apps will no longer work.

Only if you get apps from Github or other open source platforms, you might have a chance that the developers consider supporting a deprecated API level.
But that doesn’t help with Public Train apps, or similar, as they’re closed source of course.

3 Likes

O jeez. Thank you for the explanation. Well I hope the developers get back to your concern.

1 Like

Just curious as well: does this still apply to apps that do not require Google Play Services?

1 Like

I feel like I’m missing something with this. I have a Boox Palma which runs on Android 11. I have zero issues getting any app I need on this. My bank for example is only just dropping support for Android 7 but still fully supports Android 8 onwards.
Given the very limited number of apps I would be looking to sideload I have no issues with this being based on AOSP 12.

6 Likes

Theoretically, developers are free to use any API level that is available within the Google Software developer kit (SDK).
But modern functions are only available in more recent levels, making it annoying for devs to support older versions.
Naturally, this leads to older phones no longer receiving updates. Especially if they don’t run Google Services at all (e.g. QR code recognition is done by it for apps).
Regarding banking apps, in my country no banking app supports devices which don’t offer Google Safety Net, so that’s surprising that your bank isn’t requiring this. :upside_down_face:

2 Likes

Is there any chance the Mudita Kompakt could get an Android update to 13 or even 14 at some point? @urszula

4 Likes

Google-apps-free AOSP-based cellphones, such as the Mudita Kompakt, do not use the Google Play Store as a source for side-loaded apps.

2 Likes

The source would be - one way or another - the Google Play Store, as most developers publish there - regardless of how you would sideload them onto the Mudita device (e.g. by using Aurora App Store, .apk download from apkpure/similar sites). Only if developers build solely for F-Droid or on Github, they might build APKs which don’t conform to any requirement of Google.

2 Likes

I would also like to know that. As @coeditor6209 mentioned, Android 12 won’t receive any more Security updates (e.g. for Bluetooth, WiFi, Mobile Network, Base system) from Google. That makes the “Update Guarantee” from Mudita pretty much worthless, if Mudita wouldn’t replicate any security update from Android 13+ onto the Mudita. Else we only receive cosmetic updates in the future.

Unfortunately, I have seen this in the past, e.g. with Fairphone 2 and 3, where updates to newer Android versions weren’t possible anymore as the OEM wouldn’t cooperate (e.g. driver support, firmware updates) so that Fairphone couldn’t fulfill its promise of a long-lasting device. Since then, they have changed their OEMs and made better contracts, ensuring long support cycles. This is not about fancy updates, it is about responsibility.

So I hope Mudita learned from their example and will be able to supply us with a secure Android in the future. And no, turning all connectivity off is no option, as @urszula recommended before - that’s not why we’re all buying this device, I hope this will be understood.

5 Likes

AFAIU security updates are still possible even if not brought on a plate by Google.
I hope Mudita takes a stance on a possible upgrade of base AOSP 12.
I’d also love to see a list of example threats that might compromise Mudita OS K given it’s based on AOSP 12, doesn’t support Google services and has limited application and connectivity options. It’s essential to make a solid vulnerability and risk assessment to see how big of a thing that would be to allocate time and money.

3 Likes

I’m in no way tech savvy but where would the threats be coming from if there’s no internet browser, no google services or harmful apps? Is this not just a dumbphone in a smartphone’s body essentially?

2 Likes

From a theoretical standpoint, Bluetooth or WiFi vulnerabilities could allow granting some access to the device. Same goes for a cable connection (watch out for public free charging ports or cables). Someone could sideload an outdated (or any?) browser and get into trouble somewhere. So hypothetically there could be a way to get into a device, the clue is for Mudita to keep an eye on it.

Not sure how much an app can have a backdoor on its own in Android environment, I guess apps run as non-root items with limited access to the backend services etc. so as long as those services are not flawed, running a random app shouldn’t be the case…?

But see zero-day attacks, all devices are always potentially vulnerable. Thus, damage control must always be considered. What am I going to store on my phone? How valuable might it be for an attacker? I dare to say, sensitive data and ransom is most often the motive and phishing (as well as some WhatsApp parcel delivery type of scams) is most often the way to get that nowadays.

That’s why I’d love if all concerned could embody the concerns into some practical cases to let us all validate seriousness of those concerns. 100% security is not achievable ever, unless we take this popular phrase saying that a fully secure device is the one that is not connected to anything (or shut down at all).

8 Likes

I hope the developers could chime in on this as well!

3 Likes

Hello! Did you receive any answers on this?

1 Like

Nothing besides this conversation.

1 Like

I’ve reached out to our devs for more clarity & info on this because I know we’ve approached the security of Kompakt with care and intention. Our priority is to offer a secure experience without unnecessary complexity.

5 Likes

I think Mudita will keep the system and the pre-installed apps secure enough.

As for apps that you install via sideloading, well, that’s your own risk. The possibility of sideloading does exist, but it is not officially intended that other apps are installed on the Kompakt. And I think the majority of users want to use the device as it is. If I wanted to reinstall all the apps, then I could also buy another smartphone. I want the Mudita Kompakt precisely because it limits my options and offers me few distractions.

And I don’t want to have to constantly worry about system updates or apps, that’s too stressful for me.

Maybe some people should think about whether the Kompakt is really the right device for them. For some people here, it doesn’t really sound like digital minimalism to me.

9 Likes

The phone uses a somewhat ‘entry-level’ MediaTek chip (perfectly good for this type of phone as far as I can tell). The downside is it’s already quite a few years old; the upside is these chips are usually supported for at least a few Android OS updates. In theory, I would imagine they could push to Android 13/14/15 when needed.

They could make security fixes themselves, or backport fixes, but this takes some good talented people that a small company may not be able to support long term.

The concern I guess is that Android 12 is already end of life as of last month, so the Kompakt is shipping technically with a dead on arrival OS, which means outside of a rare security update for something truly serious, Google isn’t supporting AOSP 12 anymore; it’s all on Mudita to support the low level operating system and backport Linux security patches from the kernel directly, or to uplift the base OS to Android 13 relatively soon.

The plus side: since Android 15 has been out a while, the MediaTek chip probably supports it, so if they can uplift the OS it should be supportable for many years to come.

Another upside is the attack surface is pretty minimal; as had been mentioned, no browser limits possible attacks. But things like SMS apps are super common for zero click attacks, so there is what is going to be a widely used entry point for attackers if the OS goes without patching if new vulnerabilities are found.

Presuming the SMS app is in house??? There’s the benefit of patching these by Mudita even with an unsupported OS.

It does seem like the very obvious future is the OS will be updated to Android 13.

Can you even release a product in the EU these days without security updates?

(Sorry if anything sounds negative there, it’s more my thoughts and questions, not negativity on the phone itself.)

10 Likes
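
One way to check what the posts above are debating, as an added example that is not from any poster or from Mudita: read the API level and the vendor-reported security patch date a device exposes through `adb shell getprop`, and flag a patch level older than a chosen limit. The property names are standard Android ones; the sample values and the 3-month limit are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit a device's reported patch state from getprop output.
# On a real device: adb shell getprop | audit_props "$(date +%Y-%m-%d)" 3

# Constructed sample in getprop format; values are illustrative only.
SAMPLE_PROPS='[ro.build.version.release]: [12]
[ro.build.version.sdk]: [31]
[ro.build.version.security_patch]: [2024-11-05]'

# prop_value KEY: read getprop text on stdin, print the value of KEY.
prop_value() {
    awk -v key="[$1]:" '$1 == key { v = $2; gsub(/^\[|\]$/, "", v); print v; exit }'
}

# patch_age_months PATCH TODAY: whole months between two YYYY-MM-DD dates.
patch_age_months() {
    py=${1%%-*}; rest=${1#*-}; pm=${rest%%-*}
    ty=${2%%-*}; rest=${2#*-}; tm=${rest%%-*}
    pm=${pm#0}; tm=${tm#0}          # avoid octal parsing of 08 and 09
    echo $(( ($ty - $py) * 12 + ($tm - $pm) ))
}

# audit_props TODAY MAX_AGE_MONTHS: summarise getprop text read from stdin.
# Returns 2 when the expected properties are missing.
audit_props() {
    props=$(tr -d '\r')             # adb output may carry CR line endings
    sdk=$(printf '%s\n' "$props" | prop_value ro.build.version.sdk)
    patch=$(printf '%s\n' "$props" | prop_value ro.build.version.security_patch)
    if [ -z "$sdk" ] || [ -z "$patch" ]; then
        echo "status=UNKNOWN"
        return 2
    fi
    age=$(patch_age_months "$patch" "$1")
    if [ "$age" -gt "$2" ]; then status=STALE; else status=CURRENT; fi
    echo "sdk=$sdk patch=$patch age_months=$age status=$status"
}

# Demo on the constructed sample, with a fixed reference date.
printf '%s\n' "$SAMPLE_PROPS" | audit_props 2025-03-01 3
```

The patch date is whatever the vendor's build declares, so a recent value shows that backported fixes were claimed for that month, not which individual fixes were applied.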

I don’t want to multiply threads…
I see some people find loopholes that may unwillingly expose them to stuff they may not want on the phone, such as YouTube playing in a side-loaded app. I’d like to suggest a capability that normally rooted phones permit, that is modifying the hosts file. This would provide a layer of security or safety for those who have, for any reason, sideloaded an app for their daily job, but they don’t want to fall into any void or privacy risks again.
I don’t have a strong opinion on that but it might be a thing allowed the same way as sideloading…? /etc/hosts and iptables maybe, why not.