Chris, I think this is a really good question that goes to the heart of what the community working on information security for activists and journalists is trying to achieve.
We have to find a balance between encouraging users to improve their overall security, and reaching as many users as possible. If we take a hardline stance that we'll only support CopperheadOS, or Nexus devices with the latest monthly security patch, or as-yet-nonexistent devices with fully free hardware and software, we'll exclude most of the people we want to help. On the other hand, if we don't pay any attention to the wider security context in which our tools are used, we'll build steel doors for cardboard houses and maybe harm people by giving them a false sense of security. (Although to be honest, I've never met an activist with a false sense of security.)

The compromise that I'm personally comfortable with is to provide software that runs on old devices while also encouraging people to use new, regularly patched devices if they can. But we have to stop supporting old devices eventually because the effort becomes disproportionate to the benefit. The ever-diminishing security of those old devices is one factor in that benefit calculation, and the ever-diminishing number of users is another.

Cheers,
Michael

On 03/08/16 21:41, Chris Ballinger wrote:
> Isn't it a security risk to support users on vulnerable versions of
> Android? If users need the protection of Tor or other tools, then
> supporting users on a vulnerable OS could do more harm than good by
> giving people a false sense of security. For example, isn't there an RCE
> for pre-4.4 WebView that could be exploited by malicious exit nodes when
> visiting HTTP sites?
>
> On Mon, Aug 1, 2016 at 11:47 AM, Hans-Christoph Steiner
> <h...@guardianproject.info> wrote:
>
> Michael Rogers:
> > On 01/08/16 16:50, Nathan of Guardian wrote:
> >> Three years ago in Thailand, I bought a $50USD 6 inch wifi only
> >> tablet device running 4.0 ICS. I also bought a $100USD smartphone
> >> running 2.3.6, which seemed to be the last of its kind.
> >>
> >> We do still see support requests for Orbot users still running 2.3.x
> >> from time to time, and are working at adding support back in to
> >> SDK 10 and pre-PIE devices. Supporting SDK 8/9/10 is more of a
> >> gesture towards leaving no user behind, than a practical necessity.
> >>
> >> Another way to look at it is, if you have limited resources and
> >> need to balance building a storage, network and battery efficient
> >> app, versus supporting old APIs/OSes, I would say that the former
> >> is a better use of time and skills.
> >
> > I'll take that advice, thanks Nathan!
> >
> > Cheers,
> > Michael
>
> To second what Nathan said, for Briar, I'd recommend setting at least
> android-16 as the minimum. It's a fair amount more effort to support the
> older versions.
>
> .hc
>
> --
> PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
> https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
> _______________________________________________
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> To unsubscribe, email: guardian-dev-unsubscr...@lists.mayfirst.org