I’m not a programmer. I don’t understand code. How do I know if an open source application is not stealing my data or passwords? The Google Play Store scans apps. It says it blocks spyware. Unfortunately, we know that it was not very successful. So, can we trust open source software? Can’t someone integrate their own virus just because the code is open?

53 points

Yes, but the idea is that because the code is open source anyone can look at it and determine on their own whether it is in fact safe or not. Generally speaking the open source community is very good at figuring this kind of stuff out but I would say your fear is not necessarily out of place since nothing is 100% guaranteed. That said though, the more popular FOSS apps are quite safe.

18 points
Deleted by creator
8 points

The way people use npm has long been a problem - the basic concept of pulling in 4 dozen small snippets of code from repos all made by different people and rarely verified. It’s quite different than running one application with a group of developers who understand all the components and monitor/approve changes.

4 points

True, but these have been identified pretty quickly, they’re not insidiously harvesting data in the background over long periods.

5 points

Well, we have detected those that have been detected. It is possible that there are some sleeper repos no one has detected yet.

But it is not really a problem or something bad with FOSS; you just have to be careful when including and updating libraries, which you always have to be!

15 points

But someone has to actually go and check, instead of going “someone else will check it”.

12 points

This is why lots of open source projects critical for privacy and security are audited. ProtonVPN, ProtonMail, Mullvad, Signal, Matrix, GrapheneOS, and more are audited and are very big projects with many eyes upon them. The more eyes, the more secure it will be.

7 points

Yes, those are much more trustworthy than audited closed source projects. Just saying that “anyone can check” doesn’t mean “someone will check”.

6 points

Well, if the app is actively maintained, the code is checked every time someone makes a push request to the main code base. You still have to trust the managers of the repository (code base) to verify every push request thoroughly; however, it’s in the best interest of the repository managers to do so to maintain trust in the project and its users.

4 points

Well, not exactly.

Some open source projects have many contributors, and while they’re working on fixing bugs and adding new features, the chances that no one would notice say, a key logger or crypto miner are very slim.

Other open source projects are maintained by large, sophisticated organisations who would monitor security in some fashion. They would monitor for obvious things like transmitting data at the very least.

That’s not a 100% guarantee of security, but it’s not as reckless as just hoping someone will check.

24 points

By default, FOSS is no more secure or privacy protected than proprietary software. However, it allows the community to peer review the code. So, a popular and active FOSS project can be trusted to be honest and not do nefarious things to your data or devices.

Check activity on their code repository: Stars / Followers and Forks say something about popularity; Issues and pull requests tell you about activity (check comments or check recently closed issues and pull requests), as do the code commits themselves.

Edit: Changed wording from secure to trust / honesty. Not all code focuses on security; in fact, most code doesn’t.

22 points

You mention the Google Play issue. That is an example of a disadvantage of closed source (Android is open, Google Play Protect is not). Google Play Protect is essentially static code analysis. Think of it almost like antivirus. It tries to look for anomalies in the code itself. But it’s not great. It can be tricked. And we don’t even know how good it is or what kind of checks it does.

FOSS code has many people looking at it. You can compile it yourself. It’s extremely unlikely for something that’s remotely popular to have explicitly malicious code in it. Is it impossible? No. But just as you get folks deep diving video game code assets, you get people looking at code of many FOSS projects. Likely because they either want to contribute or make changes.

It comes down to it being easier to find malicious actors in FOSS. It’s just more difficult to hide than in closed source.

Why would you think closed source is any safer for any of the same reasons but worse? Closed source can just as easily (arguably more easily) steal your info (and many did but bury it in EULAs).

3 points

I wouldn’t assume there are many people looking at most open source code. And even if there are, it’s not impossible to hide malicious code.

Just because people can review it doesn’t mean they are reviewing it.

It does introduce more risk of discovery though. Malicious code is easier to find, and there will be at least a username associated with it.

4 points

There are more people looking than there are elsewhere. And unless you’re suggesting the authors themselves are malicious (which can happen), most FOSS is reviewed, especially larger projects. You can tell by the number of contributors. Smaller projects will surely be an issue, but popular ones do get reviewed, simply because many people want to be able to contribute.

It’s almost certainly more than proprietary though. Like, all these risks still apply to proprietary.

1 point

How come users don’t have root access on Android even though Android is open?

9 points

Because of the handset makers and wireless carriers (honestly more the latter than the former). It’s not because of Google or Android.

8 points

Most phones use customized versions of Android and decide you shouldn’t have root access. It opens up security issues and makes it easier to bypass ads and DRM which they don’t like.

You can get it on some phones, including Google’s.

-2 points

But why is Android even called open source when there are restrictions by Google? Isn’t it a dangerous path when Google can decide to ban F-Droid on the platform? What could stop them from doing that? How is the future of Android even guaranteed under such a greedy company like Google?

1 point

Because the vast majority of users do not need root access.

2 points

Alright, but why does Google get to decide that? Why not make it so that users can get root access the same way they can get developer mode unlocked? On top of that, doesn’t making it difficult or almost impossible to remove their apps defy the idea of open source? How is Android even called open source when users have so many restrictions put upon them by Google?

18 points

How do you know if a closed source application is stealing your data?

With open source, you can learn to read it, or talk to a community of people who know how to read it. If even just 1 in 500 people who download the software looks at the source, there are external eyes on it. Whereas with closed source, no one but the creator is looking.

Biggest thing is to still only install software you trust.

15 points

One more note about safety when it comes to open source or FOSS: you should use only the main repository and the distributions provided by the official team. Often people clone an existing repo, insert malicious code, and publish it as their own app on the Play Store etc.


No Stupid Questions

!nostupidquestions@lemmy.world
