cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marcel Kinard <cmarc...@gmail.com>
Subject Re: [Android] SecureToken/NoFrak feature addition
Date Fri, 31 Jan 2014 18:01:56 GMT

On Jan 30, 2014, at 6:16 PM, Joe Bowser <bowserj@gmail.com> wrote:

> * Drop support for Android 2.3.x - I don't care if it's 20% of the
> market, if an insecure 20% and people need to stop targeting it
> because of how insecure it is.  We can't fix it, and Google and
> handset makers have no interest in fixing it either.  It's the IE6 of
> Mobile, and Android 2.3.x needs to die.  (In hindsight, I feel bad for
> giving a friend of mine my old HTC Desire HD. :( )

-1. I'd use stronger number if I could. I agree that 2.3 being insecure makes it even more
of a pain, and it is the IE6 of mobile, and should die. But it's 20% of the market and we
aren't able to kill it. I was in the grocery store this week and stopped to look at the no-contract
phones there, and every single new Android phone was shipping with 2.3. New phones, yeah.
If we drop support for 2.3 then we put app developers between a rock and a hard place, and
give them a reason to not use Cordova. I don't think that is what our mission is. 

If an app doesn't load 3rd-party ads or similar risky behavior, then we would be prematurely
limiting them.

If the usage was 6% of the market, then I'd probably have a different response.

So I'd suggest that we continue support for 2.3, and communicate very clearly to app developers
what the risks are with 2.3 and let *them* decide if their apps should run on 2.3 or if minsdk
needs to be higher.

> * Drop support for Cordova 2.9 - I think we're at the six month window
> for this already, and we've only issued one point release after 2.9.0.

+1. As you pointed out, we haven't been very active at fixing defects there. We really are
focused at putting commits only on master. The 6 months we promised have expired, let's just
let 2.9 officially go inactive.

> * Implement NoFrak as a configurable option for people who aren't
> scared of the lack of certificate pinning

I'm not familiar with the implementation, but does it need to be configurable, or should it
just have a fixed value? Unless there is a good use case for multiple values, just be prescriptive
and keep the overall config simpler.

> * Remove support for addJavascriptInterface for any platform that uses
> NoFrak below Jellybean and force them to use prompt

In principle, this sounds reasonable, along with Ian's suggestion to maybe be a bit more aggressive
in the removal. The MWR article does scare me.
Mime
View raw message