Project

General

Profile

Actions

Feature #793

closed

Bump the minimum API to 23

Added by Nima Hamidi over 2 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Next Release
Start date:
12/15/2021
Due date:
% Done:

0%

Estimated time:

Description

As you know, chrome increased its minimum sdk to 23 amd left lolipop based phones insecure.

(Latest version of android system webview and most chromium based browsers for lollipop was 95.x and they discontinued support for lollipop in 96.x)

So in absence of a secure webview (and because most phones that still are in lolipop can't switch to firefox because probably they are very low end (for example we have several phones with lollipop that are still in active usage by their owners in my relatives)

And recently again, a critical bug in chromium appeard:

https://www.ghacks.net/2021/12/14/google-releases-critical-security-update-for-chrome-that-fixes-a-0-day-vulnerability/

So if may, please use ypur privacy webview also for lollipop also.

Thank you very much.
Best regards.

Actions #1

Updated by Nima Hamidi over 2 years ago

Hello
Thank you for your great efforts.

As you know, chrome increased its minimum sdk to 23 amd left lolipop based phones insecure.

(Latest version of android system webview and most chromium based browsers for lollipop was 95.x and they discontinued support for lollipop in 96.x)

So in absence of a secure webview (and because most phones that still are in lolipop can't switch to firefox because probably they are very low end (for example we have several phones with lollipop that are still in active usage by their owners in my relatives)

And recently again, a critical bug in chromium appeard:

https://www.ghacks.net/2021/12/14/google-releases-critical-security-update-for-chrome-that-fixes-a-0-day-vulnerability/

So if may, please use ypur privacy webview also for lollipop also.

Thank you very much.
Best regards.

Actions #2

Updated by Soren Stoutner over 2 years ago

I was not aware of this, but it isn't surprising that Google is dropping support for older versions of Android as the maintenance burden to make it work with older versions increases with each year.

If this were easy to do I would happily do it. But, as Privacy WebView will be a rolling fork of Android's WebView that makes rather minor modifications to expose controls that exist in the WebView source code but are not available as public APIs, it won't be possible to support versions of Android that are older than what the upstream WebView supports. Doing so would require a team of programmers just working on Pirvacy WebView full time (probably on the order of several millions of dollars per year worth of labor) to backport features and security fixes into the older code base.

Actions #3

Updated by Soren Stoutner over 2 years ago

  • Subject changed from please add support of privacy webview for lollipop also. to Bump the minimum API to 23
  • Assignee set to Soren Stoutner
  • Priority changed from 4.x to Next Release

As I consider this, I should probably bump Privacy Browser's minimum API to 23. I have been considering dropping Android KitKat support for a while (API 29, Android 4.4). It can only run a really old version of WebView that is not secure by any stretch of the imagination. With the dropping of anything less than API 23, I think it makes sense to not lull users into a false sense of security in thinking that running Privacy Browser with an outdated WebView can protect them from the evils of the internet.

At any point you can see the minimum supported WebView API by clicking on the top entry of https://www.apkmirror.com/apk/google-inc/android-system-webview/.

As a side note, I have a very large amount of code in Privacy Browser that works around limitations in Android prior to API 23. Bumping the API would allow me to remove that code and would make things run smoother under the hood for all users.

Actions #4

Updated by Nima Hamidi over 2 years ago

Oh, I See.
I understand.
Thank you very much.

Actions

Also available in: Atom PDF