On Jan 30, 2014, at 6:16 PM, Joe Bowser <[email protected]> wrote:

> * Drop support for Android 2.3.x - I don't care if it's 20% of the
> market, if an insecure 20% and people need to stop targeting it
> because of how insecure it is. We can't fix it, and Google and
> handset makers have no interest in fixing it either. It's the IE6 of
> Mobile, and Android 2.3.x needs to die. (In hindsight, I feel bad for
> giving a friend of mine my old HTC Desire HD. :( )

-1. I'd use a stronger number if I could.

I agree that 2.3 being insecure makes it even more of a pain, and it is the IE6 of mobile, and should die. But it's 20% of the market and we aren't able to kill it. I was in the grocery store this week and stopped to look at the no-contract phones there, and every single new Android phone was shipping with 2.3. New phones, yeah.

If we drop support for 2.3 then we put app developers between a rock and a hard place, and give them a reason to not use Cordova. I don't think that is what our mission is. If an app doesn't load 3rd-party ads or similar risky behavior, then we would be prematurely limiting them.

If the usage was 6% of the market, then I'd probably have a different response.

So I'd suggest that we continue support for 2.3, and communicate very clearly to app developers what the risks are with 2.3 and let *them* decide if their apps should run on 2.3 or if minsdk needs to be higher.

> * Drop support for Cordova 2.9 - I think we're at the six month window
> for this already, and we've only issued one point release after 2.9.0.

+1. As you pointed out, we haven't been very active at fixing defects there. We really are focused on putting commits only on master. The 6 months we promised have expired, let's just let 2.9 officially go inactive.

> * Implement NoFrak as a configurable option for people who aren't
> scared of the lack of certificate pinning

I'm not familiar with the implementation, but does it need to be configurable, or should it just have a fixed value? Unless there is a good use case for multiple values, just be prescriptive and keep the overall config simpler.

> * Remove support for addJavascriptInterface for any platform that uses
> NoFrak below Jellybean and force them to use prompt

In principle, this sounds reasonable, along with Ian's suggestion to maybe be a bit more aggressive in the removal. The MWR article does scare me.
