A quick update on the latest release of Orbot. As somewhat expected, there was a certain amount of negative feedback to the new permissions that were added for the Hidden Service features, since they sound very scary to average users (access my phone ID, read my photos, etc), especially those interested in anonymity. I didn't do a very good job of warning people about these changes, mostly because I was trying to get the update out quickly for a security fix.
There was some discussion online, where some people even though that Orbot might be compromised (Thanks to Commonsware / Mark for responding on this thread): https://security.stackexchange.com/questions/161530/is-orbot-android-tor-client-compromised-permissions-to-device-id-and-caller-inf I think the problem is mostly on Android 5.1 and below (SDK 16-22), since these are new required permissions, and the user cannot deny them at runtime, as you can with Android 6+ (23+). To address this, I've decided to create two flavors of Orbot, one for SDK 16 - 23 (more on that in a second), and one for 23+. For the lower "minimalperm" flavor, I have remove the new permissions that were being requested for the advanced hidden service features, and also hidden the menu option in the app. As the new (amazing and awesome) new Hidden Service features are really for advanced users, I don't have an issue limiting them to newer version of Android and more modern devices. As a side note, I originally targeted the minimalperm flavor at maxSDK 22 and changed the targetSDK down to 22 from 23. This caused issues though on Google Play, warning about a permission downgrade problem. Thus, I changed the minimalperm release to maxSDK23 and targetSDK 23, while also having the fullperm flavor start at SDK 23 and target SDK 25. Somehow that all worked properly, with no users ending up getting a downgrade of SDK versions and permissions. You can find the release tagged and changelog here, on our website /releases folder, and otherwise, should see it on Play and F-Droid soon: https://github.com/n8fr8/orbot/releases/tag/15.4.2-RC-1-multi +n -- Nathan of Guardian [email protected] _______________________________________________ List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To unsubscribe, email: [email protected]
