[guardian-dev] Popularity of Gingerbread

Nathan of Guardian nathan at guardianproject.info
Wed Aug 3 17:12:03 EDT 2016


.... says the iOS developer :)

We play with the cards we are dealt over here in Droidville. When we can
avoid vulnerabilities we do. I agree, relying on WebView is a bad idea,
and we have actively avoided doing that for the very reason you mention.
Similarly we compile in our versions of OpenSSL into Orbot, or don't
trust the built-in CA cert sets, for the same reasons.

+n

On Wed, Aug 3, 2016, at 04:41 PM, Chris Ballinger wrote:
> Isn't it a security risk to support users on vulnerable versions of
> Android? If users need the protection of Tor or other tools, then
> supporting users on a vulnerable OS could do more harm than good by
> giving people a false sense of security. For example, isn't there an RCE
> for pre-4.4 WebView that could be exploited by malicious exit nodes when
> visiting HTTP sites?
> 
> On Mon, Aug 1, 2016 at 11:47 AM, Hans-Christoph Steiner <
> hans at guardianproject.info> wrote:
> 
> >
> >
> > Michael Rogers:
> > > On 01/08/16 16:50, Nathan of Guardian wrote:
> > >> Three years ago in Thailand, I bought a $50USD 6 inch wifi only tablet
> > >> device running 4.0 ICS. I also bought a $100USD smartphone running
> > >> 2.3.6, which seemed to be the last of its kind.
> > >>
> > >> We do still see support requests for Orbot users still running 2.3.x
> > >> from time to time, and are working at adding support back in to SDK 10
> > >> and pre-PIE devices. Supporting SDK 8/9/10 is more of a gesture towards
> > >> leaving no user behind, than a practical necessity.
> > >>
> > >> Another way to look at it is, if you have limited resources and need to
> > >> balance building a storage, network and battery efficient app, versus
> > >> supporting old APIs/OSes, I would say that the former is a better use of
> > >> time and skills.
> > >
> > > I'll take that advice, thanks Nathan!
> > >
> > > Cheers,
> > > Michael
> >
> > To second what Nathan said, for Briar, I'd recommend setting at least
> > android-16 as the minimum.  It's a fair amount more effort to support the
> > older versions.
> >
> > .hc
> >
> > --
> > PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
> > https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
> > _______________________________________________
> > List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> > To unsubscribe, email:  guardian-dev-unsubscribe at lists.mayfirst.org
> >


-- 
  Nathan of Guardian
  nathan at guardianproject.info
