.... says the iOS developer :) We play with the cards we are dealt over here in Droidville. When we can avoid vulnerabilities we do. I agree, relying on WebView is a bad idea, and we have actively avoided doing that for the very reason you mention. Similarly we compile in our versions of OpenSSL into Orbot, or don't trust the built CA cert sets, for the same reasons.
+n On Wed, Aug 3, 2016, at 04:41 PM, Chris Ballinger wrote: > Isn't it a security risk to support users on vulnerable versions of > Android? If users need the protection of Tor or other tools, then > supporting users on a vulnerable OS could do more harm than good by > giving > people a false sense of security. For example, isn't there a RCE for > pre-4.4 WebView that could be exploited by malicious exit nodes when > visiting HTTP sites? > > On Mon, Aug 1, 2016 at 11:47 AM, Hans-Christoph Steiner < > [email protected]> wrote: > > > > > > > Michael Rogers: > > > On 01/08/16 16:50, Nathan of Guardian wrote: > > >> Three years ago in Thailand, I bought a $50USD 6 inch wifi only tablet > > >> device running 4.0 ICS. I also bought a $100USD smartphone running > > >> 2.3.6, which seemed to be the last of its kind. > > >> > > >> We do still see support requests for Orbot users still running 2.3.x > > >> from time to time, and are working at adding support back in to SDK 10 > > >> and pre-PIE devices. Supporting SDK 8/9/10 is more of a gesture towards > > >> leaving no user behind, than a practical necessity. > > >> > > >> Another way to look at it is, if you have limited resources and need to > > >> balance building a storage, network and battery efficient app, versus > > >> supporting old APIs/OSes, I would say that the former is a better use of > > >> time and skills. > > > > > > I'll take that advice, thanks Nathan! > > > > > > Cheers, > > > Michael > > > > To second what Nathan said, for Briar, I'd recommend setting at least > > android-16 as the minimum. Its a fair amount more effort to support the > > older versions. > > > > .hc > > > > -- > > PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556 > > https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556 > > _______________________________________________ > > List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev > > To unsubscribe, email: [email protected] > > > _______________________________________________ > List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev > To unsubscribe, email: [email protected] -- Nathan of Guardian [email protected] _______________________________________________ List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To unsubscribe, email: [email protected]
