mollyim / mollyim-android

Enhanced and security-focused fork of Signal.
GNU Affero General Public License v3.0

Is not keeping dependencies up to date a good approach for a privacy and security project? #239

Closed ghost closed 7 months ago

ghost commented 7 months ago

Is there an existing issue for this?

Bug description

Disclaimers:

So, I saw a commit made by valldrac that downgrades a third-party library (Jackson) from 15.3 to 13.5 in order to keep compatibility with Android Nougat (for reference: https://github.com/mollyim/mollyim-android/commit/4d3ba651b918c705fb145944966667def5e1de43)

According to Google, Android Nougat represents only 2.6% of total users (~ 3/100) (for reference: https://www.gizchina.com/2023/10/30/android-version-distribution/)

Basically, out of 100 people, about three are using a phone running Nougat.

Recently, Google removed Nougat support from Google Chrome due to the lack of users. (For reference: https://www.91mobiles.com/hub/google-chrome-end-support-android-nougat/)

My opinion: Molly is a hardened fork of Signal; as such, it should prioritise security over usability where possible. Supporting really old versions of Android (which are very insecure because they lack proper hardware and security updates; I think this brings up issue #108) and downgrading libraries (which may have unpatched security vulnerabilities) seems counterintuitive, since we are talking about a project that has done a lot of work to make Signal more secure.

So, what I wonder is: is this the right choice for Molly? (Again, I'm just asking, I'm not implying anything.)


Molly version

v6.39.2-1


valldrac commented 7 months ago

Thanks for your message! I've got a few answers about this change. I want to clarify that the 2.13 branch of the Jackson library is still being maintained, and version 2.13.5 is free from any known vulnerabilities. You can check it out yourself here: https://github.com/FasterXML/jackson/wiki/Jackson-Releases. Note that Signal is using an older version, 2.12.0.

It's true that the maintenance cycle is winding down for 2.13. Because of this and a few other reasons, we're going to increase the minimum Android version requirement to 8.0 very soon.

One aspect to consider in security is availability. We could have kept the latest version 2.15.3, but that would have left Molly users on Android 7 and 7.1 unable to migrate. The app crashed on startup, and they wouldn't be able to back up their data.

Regarding supporting old Android versions, check out my comment at https://github.com/mollyim/mollyim-android/issues/108#issuecomment-1272499853.