[guardian-dev] Orbot updates, permissions and flavors

Nathan of Guardian nathan at guardianproject.info
Fri Jun 9 10:22:39 EDT 2017


A quick update on the latest release of Orbot. As somewhat expected,
there was a certain amount of negative feedback to the new permissions
that were added for the Hidden Service features, since they sound very
scary to average users (access my phone ID, read my photos, etc.),
especially those interested in anonymity. I didn't do a very good job of
warning people about these changes, mostly because I was trying to get
the update out quickly for a security fix. 

There was some discussion online, where some people even thought that
Orbot might be compromised (Thanks to Commonsware / Mark for responding
on this thread):
https://security.stackexchange.com/questions/161530/is-orbot-android-tor-client-compromised-permissions-to-device-id-and-caller-inf

I think the problem is mostly on Android 5.1 and below (SDK 16-22),
since these are new required permissions, and the user cannot deny them
at runtime, as you can with Android 6+ (23+). 

To address this, I've decided to create two flavors of Orbot, one for
SDK 16 - 23 (more on that in a second), and one for 23+. For the lower
"minimalperm" flavor, I have removed the new permissions that were being
requested for the advanced hidden service features, and also hidden the
menu option in the app. As the (amazing and awesome) new Hidden
Service features are really for advanced users, I don't have an issue
limiting them to newer versions of Android and more modern devices.

As a side note, I originally targeted the minimalperm flavor at maxSDK
22 and changed the targetSDK down to 22 from 23. This caused issues
though on Google Play, warning about a permission downgrade problem.
Thus, I changed the minimalperm release to maxSDK23 and targetSDK 23,
while also having the fullperm flavor start at SDK 23 and target SDK 25.
Somehow that all worked properly, with no users ending up getting a
downgrade of SDK versions and permissions.

You can find the release tagged and changelog here, on our website
/releases folder, and otherwise, should see it on Play and F-Droid soon:
https://github.com/n8fr8/orbot/releases/tag/15.4.2-RC-1-multi

+n


-- 
  Nathan of Guardian
  nathan at guardianproject.info
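
Added example (not part of the original message and not Orbot's code): a release check over a flavor's merged AndroidManifest.xml that lists the sensitive permissions some supported device would grant at install time with no prompt to decline. The two permission names are assumed stand-ins for "access my phone ID" and "read my photos", and the sample manifests are constructed from the SDK ranges given above.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
RUNTIME_PROMPT_SDK = 23  # Android 6.0: first release with runtime permission prompts

# Assumption: stand-ins for the permissions the message describes in user terms.
SENSITIVE = frozenset({
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
})

def unavoidable_permissions(manifest_xml):
    """Sensitive permissions granted without a runtime prompt on at least
    one device this build can be installed on."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    # Without uses-sdk the build installs on every API level.
    min_sdk = int(sdk.get(ANDROID + "minSdkVersion", "1")) if sdk is not None else 1
    target = int(sdk.get(ANDROID + "targetSdkVersion", str(min_sdk))) if sdk is not None else min_sdk
    # Prompts need both a 23+ device and a build that targets 23+.
    if min(min_sdk, target) >= RUNTIME_PROMPT_SDK:
        return []
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    return sorted(requested & SENSITIVE)

def sample_manifest(min_sdk, target_sdk, permissions, max_sdk=None):
    """Build a constructed manifest for the demonstration below."""
    max_attr = ' android:maxSdkVersion="%d"' % max_sdk if max_sdk else ""
    perms = "".join('<uses-permission android:name="%s"/>' % p for p in permissions)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="org.example.constructed">'
            '<uses-sdk android:minSdkVersion="%d"%s android:targetSdkVersion="%d"/>'
            '%s</manifest>' % (min_sdk, max_attr, target_sdk, perms))

INTERNET = "android.permission.INTERNET"
# Constructed inputs: one build for all devices, then the two flavors.
SINGLE_BUILD = sample_manifest(16, 23, [INTERNET, *sorted(SENSITIVE)])
MINIMALPERM = sample_manifest(16, 23, [INTERNET], max_sdk=23)
FULLPERM = sample_manifest(23, 25, [INTERNET, *sorted(SENSITIVE)])

if __name__ == "__main__":
    for name, xml in (("single", SINGLE_BUILD), ("minimalperm", MINIMALPERM),
                      ("fullperm", FULLPERM)):
        print(name, unavoidable_permissions(xml) or "ok")
```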

