Security Updates

It is up to the maker of a sideloaded app as to whether the app supports WebView technology, which can let, for example, a YouTube video play in that sideloaded app.

1 Like

Just chiming in to confirm that we’re currently discussing this internally across teams to align on the most accurate and transparent response - especially since this thread has surfaced a range of different needs and concerns.

Naturally, security is of utmost importance to us, and we treat the matter seriously.

Due to the long weekend in Poland, it will most likely be next week before we can share a proper update, so we’d appreciate your patience in the meantime :crossed_fingers:t4:

14 Likes

That’s great to hear. I imagine (not having the phone yet, and kind of new to the idea of purposeful / mindful tech) that the end user features offered by AOSP 13/14/15 are frankly less important for this kind of phone, though I imagine some of the new features from these may fit quite nicely into this type of system. And the more important part for a phone like this (imo) from a core OS perspective is that security support and core functionality that newer AOSP versions bring.

On a side note, I’d be quite happy to pay a small cost for future core system upgrades (AOSP 13 → or 14 → 15) to aid in the longevity of the device, but that’s quite an old way of looking at software these days. Though I wouldn’t support that idea from AOSP 12 that it currently ships with to 13, since it really should ideally be on 13 or supported with security updates another way.

I can’t imagine managing it yourself with backports would be ideal, as you’d need a whole CVE / security disclosure setup as well, but who knows :smiley:

In any case I hope there will be a good path there forward for the foreseeable future of the device and the core apps you develop in house.

I’d love to hear more official info or blogs on security of your tech in the future btw, it would be interesting to see how it’s approached for the OS, and for your apps. (Might be able to tell this is my day to day :smiley: )

Also, we have a bank holiday this weekend as well, not quite a long weekend, but close enough. Have a great break in Poland!

7 Likes

Excited to hear on this!

1 Like

@pang840 (Good heavens! there’s a user on this forum with the username ‘PantySlut’.) Where was I? Oh, yes, you were pointing out that the likelihood is that app developers might soon update their apps and drop support for Android 12 because it’s now EOL. And when they update their apps to require Android 13 as a minimum, they would also probably do this if they distribute via other non-Play stores. Have I understood you correctly?

If yes, then if I follow your logic, that would mean that the concept of sideloading may, in reality, become unviable in the foreseeable future. Hmm. I would like three apps: Obsidian, Pocket Casts and Signal. Being able to sideload these was a primary reason I opted for the MK.

You’ve provided real food for thought.

2 Likes

@petemeister I can’t quite follow your comment regarding username, but, well whatever :sweat_smile:
Back to topic:
For now, the Android ecosystem is not as exclusive as iOS. In the latter, it is hard for app developers to support older versions, due to the way Apple implements their SDK. This leads even big companies like WhatsApp to only support recent iOS versions. For example, WhatsApp will only support iOS 15.1 as of today. This iOS version is only three years old; any device that does not receive an iOS upgrade will not be able to run WhatsApp on older devices, even if it’s already installed. It will cease to function: https://faq.whatsapp.com/1150261202542208
However, in Android this has not yet happened. But it could very well happen, even quite soon. With all the changes Google did in the past, the ecosystem only got worse from the perspective of freedom: as more and more System apps (e.g. Mail, Calendar, etc.) were no longer open source, but became proprietary; more and more functions were made part of “Google Play Services” without the option for alternative implementations (e.g. many apps supporting barcode scanning do so via GPS only).
Microsoft, as another example in the industry, intentionally ditched support for ‘older hardware’ in a move to appease OEM hardware vendors.
I did not want to sound too alarming, but in the future we might see a similar behavior regarding Android SDK, making it harder for developers to support older API levels. Google may force people deeper into their ecosystem, while Smartphone vendors can accelerate sales for replacement devices.
So, generally, if possible, it would be very great if Mudita could make the effort to upgrade to iOS 15 in the near future, ensuring that our device will be supported for a longer time, as @eden pointed out.

3 Likes

@pang840 (if you begin typing your username e.g. ‘@pan’ you’ll see the username I mentioned. I was addressing my comment to you when that name appeared. Anyway, let’s not digress.)

On to the issue, so in short, just as Apple keeps its herd of users updating and buying newer phones, Google dropping OS security support acts as similar motivation for App developers to drop older versions of Android. But can the hardware of the Mudita Kompact handle Android 13/14/15? OSes become more demanding each year. Three years feels like quite a long time.

3 Likes

@petemeister I didn’t notice, because obviously I hardly have a need to mention myself :stuck_out_tongue_closed_eyes:
Android upgrades are not so much about hardware performance, but rather about driver support of all the specialized hardware parts involved, most prominently, of course the chipset. Mudita would need their supplier to support the upgrade, it would be impossible to achieve anything without this. Let’s wait and see. :nerd_face:

1 Like

Ah, yes, but aren’t there licensing costs involved for chipsets to use Android? (I’m still new to Android.)

1 Like

There has been a lot of discussion around this topic, so I just wanted to make sure we’re all on the same page:

Our Approach to Security in MuditaOS K
MuditaOS K is a custom-built operating system, intentionally designed to be minimal and secure.
While, YES, it is based on AOSP 12, we’ve made substantial modifications, in-house, so that it aligns with our goals for privacy and mindful technology use.

That said, we understand that security is an ongoing priority for our users. That’s why we continuously monitor for potential concerns by drawing from AOSP 12, as well as newer versions among other sources. We then carefully assess their relevance to our system. When needed, we will apply necessary updates to ensure the integrity of MuditaOS K.

We believe that this process reflects our long-term commitment to building a secure and privacy-respecting operating system, tailored to the specific architecture of our devices.

2 Likes

I did note that you’re planning to support at least 3 years of software and security updates, which is good (a nice middle ground for a small company competing against these mega corporations :smiley: ). I would really love, at some point when everything’s shipped, some more detail from your team on their approach (as I mentioned before, a blog or something). It would be really great to see how they’re looking to approach it, what the plans might be, i.e. AOSP 13 perhaps? If they plan to open source the OS like I believe you did with the Pure phone and MuditaOS.

(On a side note, despite my phone being a few miles away in a van still, I’m already very tempted to make a couple of very simple ‘designed for eink’ apps for the Kompakt :smiley: No idea if Mudita has considered 3rd party Mudita focused apps? But I’d love so much to hear more about Mudita thoughts on the roadmap of the software, security, and apps going forward and more on the philosophy on the phone and the future they see with it.)

3 Likes

Realistically, unless Mudita backported security updates that Google developers were pushing to Android 13 AOSP, there is very little chance that a small company would be able to address any security vulnerabilities found on Android 12 on their own.

I think the devs would agree that rebasing their patches from 12 to 13 or likely Android 14 will be far less effort than attempting to downstream security updates if the idea is to provide updates for a few years.

4 Likes

This is my hope as well. There’s a bit of work for them to shift to AOSP 13 (or likely better to shift to 14), but it brings much better long term support for the OS at little long term cost. They’ve promised at least 3 years of security updates; really the best way to do that is likely a move to Android 14 as you say.

I understand why it released on 12, as they were likely developing for this when they were building the system, but I’ll be a bit concerned if they don’t look at rebasing to 13/14.

Worth noting as well, AOSP 13 is basically already EOL and dead as well. It’s unlikely to get updates past the end of this year, so rebasing to AOSP 13 would (imo) be a pointless move. 14 at minimum is likely the only option.

4 Likes

From a sw dev perspective, is there much difference if the efforts are made towards AOSP 13, 14, or 16?

1 Like

It’s Google (led by) who get security advisories for Android, Google who make fixes for them and push them to AOSP, which is the open source Android OS. Without support from them to maintain these versions, Mudita would have to support security related issues with the core OS. That’s no small task, and it assumes Mudita has the expertise to be able to at minimum backport, test and maintain their own OS level security fixes to any potential OS component within a reasonable timeframe that doesn’t put users at risk.

Maybe that’s what they’ll do, but there’s a reason no one tends to do this except enterprise level companies like Red Hat.

1 Like

Yeah I mean if clearly upgrading AOSP is a good move, would it be much different which version they chose for migration? If 15 is the latest, or 16 is soon to be the latest, why not straight to the latest but 13 or 14 instead? I’m trying to grasp any underlying challenge of the upgrade process out of curiosity.

2 Likes

There might be hardware/chip incompatibilities (maybe not?) but the other issue is that the newer Android versions require more and more base RAM for whatever it is Google is bundling (AI? animations?) So, going lower might avoid the need to reconfigure that.

1 Like


I was trying to find a solution for my Bluetooth earphones not reconnecting after disconnecting (can’t pair them again) and there’s no activity to show “Bluetooth History” to remove them and pair them again.

And I found the Testing Software that actually shows the date of the Security Patch. It’s October 5, 2022. Which is pretty ok for a SoC this old, but still not a good look since we’re in 2025.

@urszula @Michal_Kicinski We’re still waiting for some direction if we can expect any more recent security updates.

3 Likes

@gezimos I’ve asked our team for some specifics. I’m waiting for info.

1 Like