[guardian-dev] Popularity of Gingerbread

Michael Rogers michael at briarproject.org
Fri Aug 5 12:32:45 EDT 2016


Chris, I think this is a really good question that goes to the heart of
what the community working on information security for activists and
journalists is trying to achieve.

We have to find a balance between encouraging users to improve their
overall security, and reaching as many users as possible. If we take a
hardline stance that we'll only support CopperheadOS, or Nexus devices
with the latest monthly security patch, or as-yet-nonexistent devices
with fully free hardware and software, we'll exclude most of the people
we want to help. On the other hand, if we don't pay any attention to the
wider security context in which our tools are used, we'll build steel
doors for cardboard houses and maybe harm people by giving them a false
sense of security. (Although to be honest, I've never met an activist
with a false sense of security.)

The compromise that I'm personally comfortable with is to provide
software that runs on old devices while also encouraging people to use
new, regularly patched devices if they can. But we have to stop
supporting old devices eventually because the effort becomes
disproportionate to the benefit. The ever-diminishing security of those
old devices is one factor in that benefit calculation, and the
ever-diminishing number of users is another.

Cheers,
Michael

On 03/08/16 21:41, Chris Ballinger wrote:
> Isn't it a security risk to support users on vulnerable versions of
> Android? If users need the protection of Tor or other tools, then
> supporting users on a vulnerable OS could do more harm than good by
> giving people a false sense of security. For example, isn't there an RCE
> for pre-4.4 WebView that could be exploited by malicious exit nodes when
> visiting HTTP sites?
> 
> On Mon, Aug 1, 2016 at 11:47 AM, Hans-Christoph Steiner
> <hans at guardianproject.info> wrote:
> 
>     Michael Rogers:
>     > On 01/08/16 16:50, Nathan of Guardian wrote:
>     >> Three years ago in Thailand, I bought a $50USD 6 inch wifi only tablet
>     >> device running 4.0 ICS. I also bought a $100USD smartphone running
>     >> 2.3.6, which seemed to be the last of its kind.
>     >>
>     >> We do still see support requests for Orbot users still running 2.3.x
>     >> from time to time, and are working at adding support back in to SDK 10
>     >> and pre-PIE devices. Supporting SDK 8/9/10 is more of a gesture towards
>     >> leaving no user behind, than a practical necessity.
>     >>
>     >> Another way to look at it is, if you have limited resources and need to
>     >> balance building a storage, network and battery efficient app, versus
>     >> supporting old APIs/OSes, I would say that the former is a better use of
>     >> time and skills.
>     >
>     > I'll take that advice, thanks Nathan!
>     >
>     > Cheers,
>     > Michael
> 
>     To second what Nathan said, for Briar, I'd recommend setting at least
>     android-16 as the minimum.  It's a fair amount more effort to support the
>     older versions.
> 
>     .hc
> 
>     --
>     PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
>     https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
>     _______________________________________________
>     List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>     To unsubscribe, email:  guardian-dev-unsubscribe at lists.mayfirst.org
>     <mailto:guardian-dev-unsubscribe at lists.mayfirst.org>
> 