EDIT: I kinda wish replies were more obvious. I 100% think this is an issue; the first bit is just a reply to a previous comment before starting on a tangent.
This is mostly a non-issue; Google doesn’t include most of their magic sauce in the open source AOSP image these are based on. I have a Google Pixel 2 from 2017 on which I’ve installed an Android 14 GSI image (from Project Treble, another Google project to help standardize the base image to make it easier for people like Mudita to make a custom image), and it runs perfectly fine because you’re getting the absolute bare bones to get a phone booted up. Project Treble was announced in 2017, so if Mudita built to this standard then, while it would take considerable effort, it wouldn’t require rebuilding an entirely custom OS to update. If Mudita did not build with Project Treble in mind, they did themselves and their customers a great disservice regarding the ease of maintaining future updates.
I’ve been on the hunt a good while looking for a device that checks all the boxes the MK does: limited enough to keep me off of it but capable enough to enable me to get things done. So maybe in my excitement I missed where it said somewhere that it was built on Android 12, but if I had caught that I would have passed on it with great disappointment as another device that was so close to perfect. After goofing around with sideloading a different launcher and seeing how much of the base AOSP ROM is hanging out in the background, I don’t think all the people claiming that it doesn’t have X or Y have any idea they’re most likely just as vulnerable as anyone else, as it would indeed be a huge lift for Mudita to bear the weight of pushing their own security updates instead of “just” updating the base to a newer version.
Having said all that, I own the device now and I’m going to keep it, really rooting for Mudita to quell the paranoia of myself and others but if they don’t I’ll probably end up attempting to install a newer GSI image myself (it will go poorly, I am under no delusions that I could do better than Mudita, I write code for my basic needs but I am no dev, but it’ll be fun regardless).
I’m sorry to be the bearer of bad news, but if you’re relying on me in any way you should return it while you have a chance lol. I’d really like to be able to reverse engineer and maintain a device that well, and I’m working on going back to school in order to assist in doing so, but IF I get anything booted on it within the next couple of years, I can guarantee it won’t be anything you’ll want to actually use or depend on.
Sorry to keep nagging on this but the silence is quite concerning. Device security should be a top priority these days, so this could be a deal breaker for me personally.
I very much appreciate this, but to be fully convinced I’d like to hear more details. Who are “we”? Do you have a person dedicated to security, with skills to implement security patches that Google doesn’t provide for A12 anymore? How do you monitor potential concerns?
I understand that the idea might be that a minimalist phone doesn’t store that much sensitive information and the “attack surface” is quite minimal as well due to having fewer apps and features. But the thing is that it’s still an internet connected device with sensitive photos, messages and such. In the worst case, a vulnerable device can expose the entire home network if it’s connected to wifi.
I know there’s a lot going on with the upcoming updates, but I think this is super important and hope that Mudita can address this with a more detailed description of security practices.
No, I don’t think they have anyone dealing in security.
Just look at the spam in the forum that happens every day. A simple captcha would fix this, but they still won’t, and it’s been happening for months now.
@gezimos Our team is working on implementing some changes to the forum which will cut down on the ability for random bots to post spam. However, it’s still in the works.
@urszula The point I was trying to make is that if something as basic as captcha to stop spam is taking so long to be fixed, I don’t have any high hopes if there’s an android 12 security issue that requires immediate attention.
@gezimos I’m sorry that our team is not able to get things done as fast as you would like them to be implemented. We are doing the best we can. That’s all I can say.
Here you have your CEO or director posting in the forum in a topic that has 2 SPAM topics under it.
It’s BAD OPTICS, and doesn’t scream confidence security-wise to anyone that sees this.
If someone is concerned about security, they can’t believe your team saying they take security very seriously if it takes them months to tackle a simple captcha in the forums.
@gezimos I understand the frustration, our forum tech team is aware of this.
However, regarding the image you posted: when did you take this screenshot? Those posts (and the users’ IPs) were deleted shortly after they were posted. Are you still seeing them now?
@urszula No this was 4-5 days ago, I just took the screenshot but forgot to post it.
My point back then was “This doesn’t look good in the eyes of a potential buyer”; even a buyer with no technical skills can notice such issues. And your team knows about other issues that I’ve reported privately.
Anyway, sorry, please don’t spend too much time on my rambling. If I don’t have any questions you can just acknowledge the post with a like (even if you don’t agree with me).
I received my phone last week, and I’m at a point where I really love it and would like to keep it, but feel that I may have to return it due to the security concerns discussed above.
The Mudita team has made some claims about how they will handle security above, but now that it has been a few months since Google stopped supporting Android 12, I figured it would be illuminating to look at just one specific vulnerability which has since been fixed in newer Android versions:
CVE-2025-27363
This is a vulnerability in the Android font rendering which allows arbitrary code execution with system-level privileges. This means that an attacker can view all files on the device, silently install software, control device settings, and potentially use the camera and microphone. This is quite serious, and is believed to be exploited in the wild. I appreciate the Kompakt’s decreased attack surface, but this could be exploited by something as simple as loading a PDF with a malicious font into the e-reader.
So, a question for the Mudita team: Is this fixed in Mudita OS K? Or can you prove it was never vulnerable? If fixed, how long did it take between the vulnerability being made public and the update fixing it getting deployed to customer devices?
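The two checks this thread keeps circling back to (is the device Treble-enabled, so a GSI is a realistic fallback, and is its security patch level recent enough to carry a given bulletin's fixes) can both be read off the build properties. The script below is an added example written for this page; it is not Mudita's code and says nothing about Mudita OS K itself. It parses the `[name]: [value]` lines that `adb shell getprop` prints and runs on a constructed sample dump with made-up values. The cutoff `2025-05-05` is the Android Security Bulletin patch level for May 2025, which is where Google lists CVE-2025-27363; any device reporting an older patch level cannot claim that bulletin's fixes. The function and variable names (`prop`, `treble_ok`, `patch_current`, `triage`, `SAMPLE_PROPS`) are this example's own.

```shell
#!/bin/sh
# Added example (not Mudita's code): triage an Android build-property dump for
# Treble support and security patch level. CONSTRUCTED sample dump below in the
# exact "[name]: [value]" format printed by "adb shell getprop"; values are made up.
SAMPLE_PROPS='[ro.build.version.release]: [12]
[ro.build.version.sdk]: [31]
[ro.build.version.security_patch]: [2024-11-05]
[ro.treble.enabled]: [true]
[ro.vndk.version]: [31]
[ro.product.model]: [example-device]'

# Patch level that carries the May 2025 Android Security Bulletin fixes.
CUTOFF=2025-05-05

# prop NAME DUMP -> prints the value of property NAME from a getprop-style DUMP
prop() {
    printf '%s\n' "$2" | sed -n "s/^\[$1]: \[\(.*\)]\$/\1/p"
}

# treble_ok DUMP -> exit 0 if the device advertises Project Treble support,
# i.e. its vendor partition is separated and a GSI has a realistic chance to boot
treble_ok() {
    [ "$(prop ro.treble.enabled "$1")" = "true" ]
}

# patch_current DUMP CUTOFF -> exit 0 if ro.build.version.security_patch >= CUTOFF.
# Patch levels are YYYY-MM-DD, so lexical order is chronological order; the
# smaller of the two strings is found with sort, which stays POSIX sh.
patch_current() {
    pc_level=$(prop ro.build.version.security_patch "$1")
    [ -n "$pc_level" ] || return 1
    pc_first=$(printf '%s\n%s\n' "$2" "$pc_level" | sort | head -n 1)
    [ "$pc_first" = "$2" ]
}

# triage DUMP CUTOFF -> prints findings, exit 0 only when nothing needs action
triage() {
    t_dump=$1; t_cutoff=$2; t_rc=0
    t_rel=$(prop ro.build.version.release "$t_dump")
    t_patch=$(prop ro.build.version.security_patch "$t_dump")
    echo "Android release: ${t_rel:-unknown}, security patch level: ${t_patch:-unknown}"
    if treble_ok "$t_dump"; then
        echo "Treble: enabled (VNDK $(prop ro.vndk.version "$t_dump")); a GSI is a realistic fallback"
    else
        echo "Treble: not advertised; a GSI is unlikely to boot"
        t_rc=1
    fi
    if patch_current "$t_dump" "$t_cutoff"; then
        echo "Patch level is at or past $t_cutoff"
    else
        echo "Patch level is older than $t_cutoff: fixes from that bulletin are not claimed"
        t_rc=1
    fi
    return $t_rc
}

# Run on the constructed sample; for a real device replace SAMPLE_PROPS with
# "$(adb shell getprop | tr -d '\r')" (older adb builds emit CRLF line endings).
if triage "$SAMPLE_PROPS" "$CUTOFF"; then
    echo "sample device: no findings"
else
    echo "sample device: findings above need action"
fi
```

On the sample the patch check fails, because a 2024-11-05 level predates the May 2025 bulletin. The caveat worth keeping in mind: the patch level is the vendor's claim about which bulletin fixes were merged, not proof that a particular component (here the font stack) was rebuilt, so a recent level is a necessary condition, not a sufficient one, for the CVE being closed.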
A quick update – I decided to return my device due to the concerns above, and lack of any reassuring response to my previous question. I do wish I could have waited longer to get a good answer on this, but I was at the end of my return window. If the Mudita team ends up demonstrating a solid commitment to security, I’d be really happy to re-order, as I really did love the device.
Thanks for the update, I totally understand your decision. I’ve decided to wait a bit longer to see if Mudita can walk the talk. I know they’re currently working hard on the next updates, and hopefully they can showcase some concrete actions taken towards securing the device. I loved your proposal for a concrete CVE to be addressed; I guess we’ll have to wait and see! I absolutely love the device too, so it would be a shame to have to give it up for these kinds of concerns.
Would be cool if someone proficient in Android hacking would make a proof of concept using one of the (probably hundreds at this point) known CVEs for such an old security patch level and take over the device to do something like, e.g., remotely receive 2FA SMS messages without the user’s knowledge, to show Mudita it is a real problem. We are a bit unlucky because there’s a new EU law requiring new phone manufacturers to provide a few years of security updates, but the Kompakt was released just before that…
the responses from @urszula have been disappointing at best - saying that Mudita cares about security is wildly different than showing they care about security which they really can’t do because the OS source isn’t available for review
even though i have a significant problem with the modem/baseband not being properly isolated from user-space, which means the device can never be trusted, i was reconsidering purchasing the Kompakt given the extremely limited choices available regarding security, however a read through this thread and the absence of any meaningful technical information from the developers have sealed the fate of the phone for me … no thanks
Maybe, after the 5 years of software and “security” updates are over, open sourcing or a different ROM entirely could be a way forward. Other than that I do enjoy the device and I am grateful for the community efforts, which mostly make it so