
I am new in an Android project that makes heavy use of a web API.

The project uses:

  • retrofit-1.9.0 and okhttp-2.0.0 for web API calls
  • also okhttp3-3.9.1 for some other web stuff

I would like to upgrade the libs to:

  • retrofit-2.3.0 and okhttp3-3.9.1

Beyond using the latest versions and having a single OkHttp version, I would like some really good reason to justify the upgrade.

That is because the new APIs don't seem to be backward compatible and it would require the effort of refactoring all web API calls, followed by extensive testing.

RumburaK

  • Why don't you check the changelog of retrofit to decide if you need to upgrade? It's only you who knows any reason for you to upgrade. If you ask how I do - don't touch if it works. – Vladyslav Matviienko Jan 23 '18 at 21:38
  • The changelog is huge, and spans over 4-5 years. There have been many small incremental updates. However I was hoping an expert would be able to summarize the essential benefits in the general case. – RumburaK Jan 23 '18 at 22:00
  • Retrofit 1.9 is a mess, it causes a lot of memory leaks because there is no way to cancel a request and if you use it with RxJava, you'll have a lot of memory leak issues. – insa_c Jan 23 '18 at 22:24

2 Answers

There are several reasons to upgrade an Android network-layer library set:

  • Security
  • Stability
  • Performance
  • Maintenance
  • And many others...

You can read changelogs to see how your version and the last stable version are different to convince yourself.

Note: In your case, it is an important update. You have to upgrade your Retrofit/OkHttp dependencies as soon as possible to minimize the technical debt of your project.

François Legrand

  • It is just my opinion, but as for my experience, it's better not to update most of the libraries unless you really need to. They usually introduce more bugs than they fix. Especially for Android support libraries. – Vladyslav Matviienko Jan 23 '18 at 21:54
  • In this case, there is a gap of two major versions. I think, at this point, it is necessary, especially for sensitive dependencies. – François Legrand Jan 23 '18 at 22:00


I love this question because it's about a real tradeoff in engineering time vs. return on that investment.

Please upgrade to the latest OkHttp and please stay up-to-date. OkHttp sits between your users and hostile attackers on the Internet. This includes rogue wifi hotspots at cafes and airports, hostile governments, and targeted attacks.

The TLS settings in OkHttp are revised with each release to track the ongoing advancements in the broader Internet security community. Not upgrading OkHttp is like not upgrading your browser or operating system. You’re opening your users up to attacks.

Some examples from the changelog:

3.7.0 removes the obsolete TLS version fallback feature, which protects you from a man-in-the-middle downgrade attack.

2.3.0 drops support for RC4 cipher suites, which aren't as cryptographically strong as once thought.

2.20 drops support for SSLv3 which is vulnerable to the POODLE attack.

Jesse Wilson

  • Would you recommend using Retrofit 1.9 with OkHttp 3.x to reduce the effort to migrate code that uses retrofit? I'm using this atm. https://github.com/JakeWharton/retrofit1-okhttp3-client – user802421 Feb 06 '18 at 11:54
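As an added example (not code from the question or the answers above): a Retrofit 2.3.0 client on OkHttp 3.9.1 that sets the TLS policy explicitly (TLS 1.2 only, no protocol fallback, no RC4 or SSLv3, in line with the changelog points in Jesse Wilson's answer) and returns a cancellable `Call`, which is the capability insa_c's comment says Retrofit 1.9 lacks. The base URL, the `users/{id}` endpoint and the `User` type are hypothetical; it assumes `retrofit:2.3.0`, `converter-gson:2.3.0` and `okhttp:3.9.1` on the classpath.

```java
import java.util.Collections;
import okhttp3.CipherSuite;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.TlsVersion;
import retrofit2.Call;
import retrofit2.Callback;
import retrofit2.Response;
import retrofit2.Retrofit;
import retrofit2.converter.gson.GsonConverterFactory;
import retrofit2.http.GET;
import retrofit2.http.Path;

// Added example, not from the question or answers; endpoint, URL and User type are hypothetical.
public class ApiClientExample {
    static class User { String name; }

    // Retrofit 1.9 returned User directly (blocking) or took a Callback<User> parameter; Retrofit 2 returns a cancellable Call<T>.
    interface UserApi {
        @GET("users/{id}")
        Call<User> user(@Path("id") String id);
    }

    static UserApi build() {
        // Explicit TLS policy instead of library defaults: TLS 1.2 only (no fallback) and forward-secret AEAD suites only.
        ConnectionSpec tlsOnly = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_2)
                .cipherSuites(
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
                .build();
        OkHttpClient client = new OkHttpClient.Builder()
                .connectionSpecs(Collections.singletonList(tlsOnly)) // no CLEARTEXT spec: http:// URLs are refused
                .build();
        return new Retrofit.Builder()
                .baseUrl("https://api.example.com/") // hypothetical base URL
                .client(client)
                .addConverterFactory(GsonConverterFactory.create())
                .build()
                .create(UserApi.class);
    }

    static Call<User> fetchUser(UserApi api, String id) {
        Call<User> call = api.user(id);
        call.enqueue(new Callback<User>() {
            @Override public void onResponse(Call<User> c, Response<User> r) { /* use r.body() */ }
            @Override public void onFailure(Call<User> c, Throwable t) { /* failed or cancelled */ }
        });
        return call; // keep the reference; call.cancel() from onDestroy() stops the request from outliving the screen
    }
}
```

On Android 4.x TLS 1.2 is supported but not enabled by default on the platform socket, so a TLS-1.2-only spec must be tested on the oldest API level the app still supports.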