I think it would be the best that you check based on your user base if you need to support it or not.
Check you server logs for requests user agent and see how many *active* 2.x devices you still have. Or implement some analytic requests in your app to see that. That will answer all your questions while still respecting user privacy. I don't think it's worth making your life hard with that. Users nowadays wants functional and more and more beautiful and intuitive applications. Supporting pre-4 devices is pain in the ass for that. On Thu, Aug 4, 2016 at 9:23 AM Hans-Christoph Steiner < [email protected]> wrote: > > If we were the driving force keeping people on old phones, then yes it > would be bad. I think our support of old phones barely registers when > people are making the decision to use an old phone that is not updated. > Money is probably the biggest factor, then the time it takes to make > changes. > > Since security is never binary black/white, raising the bar even on > devices with known exploits is worthwhile. It can add enough difficulty > that is makes it no longer worth it for the attacker. For example, > doing things like forcing more TLS use, and forcing the use of better > TLS settings, that helps protect against network observers no matter how > old the phone. > > .hc > > Nathan of Guardian: > > .... says the iOS developer :) > > > > We play with the cards we are dealt over here in Droidville. When we can > > avoid vulnerabilities we do. I agree, relying on WebView is a bad idea, > > and we have actively avoided doing that for the very reason you mention. > > Similarly we compile in our versions of OpenSSL into Orbot, or don't > > trust the built CA cert sets, for the same reasons. > > > > +n > > > > On Wed, Aug 3, 2016, at 04:41 PM, Chris Ballinger wrote: > >> Isn't it a security risk to support users on vulnerable versions of > >> Android? If users need the protection of Tor or other tools, then > >> supporting users on a vulnerable OS could do more harm than good by > >> giving > >> people a false sense of security. For example, isn't there a RCE for > >> pre-4.4 WebView that could be exploited by malicious exit nodes when > >> visiting HTTP sites? > >> > >> On Mon, Aug 1, 2016 at 11:47 AM, Hans-Christoph Steiner < > >> [email protected]> wrote: > >> > >>> > >>> > >>> Michael Rogers: > >>>> On 01/08/16 16:50, Nathan of Guardian wrote: > >>>>> Three years ago in Thailand, I bought a $50USD 6 inch wifi only > tablet > >>>>> device running 4.0 ICS. I also bought a $100USD smartphone running > >>>>> 2.3.6, which seemed to be the last of its kind. > >>>>> > >>>>> We do still see support requests for Orbot users still running 2.3.x > >>>>> from time to time, and are working at adding support back in to SDK > 10 > >>>>> and pre-PIE devices. Supporting SDK 8/9/10 is more of a gesture > towards > >>>>> leaving no user behind, than a practical necessity. > >>>>> > >>>>> Another way to look at it is, if you have limited resources and need > to > >>>>> balance building a storage, network and battery efficient app, versus > >>>>> supporting old APIs/OSes, I would say that the former is a better > use of > >>>>> time and skills. > >>>> > >>>> I'll take that advice, thanks Nathan! > >>>> > >>>> Cheers, > >>>> Michael > >>> > >>> To second what Nathan said, for Briar, I'd recommend setting at least > >>> android-16 as the minimum. Its a fair amount more effort to support > the > >>> older versions. > >>> > >>> .hc > >>> > >>> -- > >>> PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556 > >>> https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556 > >>> _______________________________________________ > >>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev > >>> To unsubscribe, email: [email protected] > >>> > >> _______________________________________________ > >> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev > >> To unsubscribe, email: [email protected] > > > > > > -- > PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556 > https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556 > _______________________________________________ > List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev > To unsubscribe, email: [email protected] >
_______________________________________________ List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To unsubscribe, email: [email protected]
