Discussion around minimal SDK version
We have been increasing the minimum Android SDKs over time. We started off with 21 (Android 5) and now are at Android 7 as the minimum requirement. Thus far, the reason we have been increasing it has been technical requirements.
At the meeting today, there was some discussion around this point that didn't get fully addressed, so I thought we should open an issue to think through the different possibilities.
The reason we haven't increased the minimum SDK further is that there is no technical requirement to increase it now. The thinking has been: if we are trying to target as many phone users as possible (not just those who can afford newer phones), then raising the SDK requirement would prevent nearly half of Android devices worldwide from running the Tor VPN (approximately 49.9% of device owners, according to https://composables.com/android-distribution-chart -- I don't know if you can believe these numbers or not). Of course, if you are using an older phone you are more prone to security issues; on the other hand, the Tor VPN will still be able to be used to route traffic and it would provide better protection than would result from keeping people from using our software until they buy a newer phone.
This is why people have been monitoring SDK versions for critical security vulnerabilities that affect our code and then updating when those happen, but not increasing the minimum SDK version arbitrarily, as this keeps people from benefiting from the protections that Tor VPN brings.
However, there was discussion today at the meeting, e.g. from @mikeperry, that this may not be the right way to think about this, and I wanted to open this issue to think through the different approaches. If possible, coming up with a uniform approach that we can use for our Android products in general would be ideal.