If we were the driving force keeping people on old phones, then yes it
would be bad.  I think our support of old phones barely registers when
people are making the decision to use an old phone that is not updated.
Money is probably the biggest factor, then the time it takes to make
changes.

Since security is never binary black/white, raising the bar even on
devices with known exploits is worthwhile.  It can add enough difficulty
that it makes it no longer worth it for the attacker.  For example,
doing things like forcing more TLS use, and forcing the use of better
TLS settings, that helps protect against network observers no matter how
old the phone.

.hc

Nathan of Guardian:
> .... says the iOS developer :)
> 
> We play with the cards we are dealt over here in Droidville. When we can
> avoid vulnerabilities we do. I agree, relying on WebView is a bad idea,
> and we have actively avoided doing that for the very reason you mention.
> Similarly we compile in our versions of OpenSSL into Orbot, or don't
> trust the built CA cert sets, for the same reasons.
> 
> +n
> 
> On Wed, Aug 3, 2016, at 04:41 PM, Chris Ballinger wrote:
>> Isn't it a security risk to support users on vulnerable versions of
>> Android? If users need the protection of Tor or other tools, then
>> supporting users on a vulnerable OS could do more harm than good by giving
>> people a false sense of security. For example, isn't there an RCE for
>> pre-4.4 WebView that could be exploited by malicious exit nodes when
>> visiting HTTP sites?
>>
>> On Mon, Aug 1, 2016 at 11:47 AM, Hans-Christoph Steiner <
>> [email protected]> wrote:
>>
>>>
>>>
>>> Michael Rogers:
>>>> On 01/08/16 16:50, Nathan of Guardian wrote:
>>>>> Three years ago in Thailand, I bought a $50USD 6 inch wifi only tablet
>>>>> device running 4.0 ICS. I also bought a $100USD smartphone running
>>>>> 2.3.6, which seemed to be the last of its kind.
>>>>>
>>>>> We do still see support requests for Orbot users still running 2.3.x
>>>>> from time to time, and are working at adding support back in to SDK 10
>>>>> and pre-PIE devices. Supporting SDK 8/9/10 is more of a gesture towards
>>>>> leaving no user behind, than a practical necessity.
>>>>>
>>>>> Another way to look at it is, if you have limited resources and need to
>>>>> balance building a storage, network and battery efficient app, versus
>>>>> supporting old APIs/OSes, I would say that the former is a better use of
>>>>> time and skills.
>>>>
>>>> I'll take that advice, thanks Nathan!
>>>>
>>>> Cheers,
>>>> Michael
>>>
>>> To second what Nathan said, for Briar, I'd recommend setting at least
>>> android-16 as the minimum.  It's a fair amount more effort to support the
>>> older versions.
>>>
>>> .hc
>>>
>>> --
>>> PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
>>> https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
>>> _______________________________________________
>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>> To unsubscribe, email:  [email protected]
>>>
> 
> 

-- 
PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556