Security implications of continuing to use OF3

I’m considering continuing to rely on OF3. Part of this consideration includes thinking about the security implications, as I imagine OF3 will not get minor/patch updates now that OF4 has a stable release channel.

If, on balance, OF3 is best left behind, I have access to OF4. Migration is definitely an option. The Omni folks have made migration seamless, for which I’m grateful. Migration friction is not why I’m considering continuing to rely on OF3.

This is what I have reasoned so far:

  1. I don’t run scripts on OF3.

No further updates to OF3 suggests the embedded JS interpreter would not get updates to sanitize potentially dangerous code. As I don’t run scripts, I’m discounting this downside of using a deprecated app.

  2. Native mobile apps are sandboxed, and patching for vulnerabilities, afaik, is mostly at the OS level for Apple’s mobile devices.

The sandboxing is intended to keep apps from interacting with each other. And the OS patches vulnerabilities. While my OS continues to get patches from Apple, I’m discounting downsides of OF3 not getting patches anymore. Didn’t find any CVEs mentioning OF3.

Any oversights in what I wrote above? Any tips on what else I should consider? Thanks, folks!

Security is one concern, but there could be a time when OF3 no longer works with the current OS. So you’d need to stay on an older OS to keep it working, which could have its own security concerns.

If you use the syncing feature, there could be a point where, due to security concerns, it no longer works with older versions of OF which are no longer receiving patches.

Yes, indeed. Pinning a deprecated OS for convenience is not worth doing in the current state of threats. Thanks for explicitly calling this out.