I’m considering continuing to rely on OF3. Part of this consideration includes thinking about the security implications, as I imagine OF3 will not get minor/patch updates now that OF4 has a stable release channel.
If, on balance, OF3 is best left behind, I have access to OF4. Migration is definitely an option. The Omni folks have made migration seamless, for which I’m grateful. Migration friction is not why I’m considering continuing to rely on OF3.
This is what I have reasoned so far:
- I don’t run scripts on OF3.
No further updates to OF3 suggests the embedded JS interpreter would not get updates to sanitize potentially dangerous code. As I don’t run scripts, I’m discounting this downside of using a deprecated app.
- Native mobile apps are sandboxed, and patching for vulnerabilities, afaik, is mostly at the OS level for Apple’s mobile devices.
The sandboxing is intended to keep apps from interacting with each other. And the OS patches vulnerabilities. While my OS continues to get patches from Apple, I’m discounting downsides of OF3 not getting patches anymore. Didn’t find any CVEs mentioning OF3.
Any oversights in what I wrote above? Any tips on what else I should consider? Thanks, folks!