I’m note a programmer. I Don’t Understand Codes. How do I Know If An Open Source Application is not Stealing My Data Or Passwords? Google play store is scanning apps. It says it blocks spyware. Unfortunately, we know that it was not very successful. So, can we trust open source software? Can’t someone integrate their own virus just because the code is open?
Yes, but the idea is that because the code is open source anyone can look at it and determine on their own whether it is in fact safe or not. Generally speaking the open source community is very good at figuring this kind of stuff out but I would say your fear is not necessarily out of place since nothing is 100% guaranteed. That said though, the more popular FOSS apps are quite safe.
deleted by creator
The way people use npm has long been a problem - the basic concept of pulling in 4 dozen small snippets of code from repos all made by different people and rarely verified. It’s quite different than running one application with a group of developers who understand all the components and monitor/approve changes.
True, but these have been identified pretty quickly, they’re not insidiously harvesting data in the background over long periods.
Well, we have detected those that have been detected. It is possible that there are some sleeper repos no one has detected yet.
But it is not really a problem or something bad with FOSS, just have to be careful when including and updating libraries, which you always have to be!
But someone has to actually go and check, instead of going “someone else will check it”
This is why lots of open source projects critical for privacy and security are audited. ProtonVPN, ProtonMail, Mullvad, Signal, Matrix, GrapheneOS, and more. Are audited and are very big projects with many eyes upon them. The more eyes, the more secure it will be.
Yes, those are much more trustworthy than audited closed source projects. Just saying that “anyone can check” doesn’t mean “someone will check”
Well if the app is actively maintained the code is checked every time someone makes a push request to the main code base. You still have to trust the managers of the repository (code base) to verify every push request thoroughly, however, it’s in the best interest of the repository managers to do so to maintain trust in the project and it’s users.
Well, not exactly.
Some open source projects have many contributors, and while they’re working on fixing bugs and adding new features, the chances that no one would notice say, a key logger or crypto miner are very slim.
Other opensource projects are maintained by large sophisticated organisations who would monitor security in some fashion. They would monitor for obvious things like transmitting data at the very least.
That’s not a 100% guarantee of security, but it’s not as reckless as just hoping someone will check.
By default, FOSS is no more secure or privacy protected than proprietary software. However, it allows the community to peer review the code. So, a popular and active FOSS project can be trusted to be honest and not do nefarious things to your data or devices.
Check activity on their code repository - Stars / Followers and Forks says something about popularity, Issues and pull requests tells you about activity (check comments or check recently closed issues and pull requests), as does the code commits itself.
Edit: Changed wording from secure to trust / honesty. Not all code focus on security; in fact, most code doesn’t.
How do you know if a closed source application is stealing your data?
With open source, you can learn to read it, or talk to a community of people who know how to read it. If even just 1 in 500 people who downloads the software looks at the source, there are external eyes on it. Whereas with closed source, no one but the creator is looking.
Biggest thing is to still only install software you trust.
One more note about safety when it comes to open source or FOSS, is that you should use only the main repository and distributions provided by the official team. Often people clone existing repo, insert malicious code and publish it as their app on play store etc.
In terms of telemetry, free software has the advantage over the proprietary counterpart.
It’s a lot more complicated to hide telemetry without the user knowing in free software.
You could always use a network tool, like iftop, to see network traffic on your PC. That could be a way too see if a program is phoning home. But you’ll probably want to use a suite of tools.
free software
To make a common clarification: free as in “free speech”, not (necessarily) free as in “free beer”.
Just because the software costs nothing, doesn’t mean that it’s not hiding something. In fact, the opposite is often true.
I’m sure you know that. I’m just clarifying for OP, who isn’te a programmer.
You mention the Google Play issue. That is an example of a disadvantage of closed source (Android is open, the Google Play Protect is not). Google Play Protect is essentially static code analysis. Think of it almost like antivirus. It tries to look for anomalies in the code itself. But it’s not great. It can be tricked. And we don’t even know how good it is or what kind of checks it does.
FOSS code has many people looking at it. You can compile it yourself. It’s extremely unlikely for something that’s remotely popular to have explicitly malicious code in it. Is it impossible? No. But just as you get folks deep diving video game code assets, you get people looking at code of many FOSS projects. Likely because they either want to contribute or make changes.
It comes down to it being easier to find malicious actors in FOSS. Its just more difficult to hide than closed source.
Why would you think closed source is any safer for any of the same reasons but worse? Closed source can just as easily (arguably more easily) steal your info (and many did but bury it in EULAs).
I wouldn’t assume there are many people looking at most open source code. And even if there are, it’s not impossible to hide malicious code.
Just because people can review it doesn’t mean they are reviewing it.
It does introduce more risk of discovery though. Malicious code is easier to find, and there will be at least a username associated with it.
There are more people looking than there are elsewhere. And unless you’re suggesting the authors as being malicious (which can happen), most FOSS is reviewed. Especially larger ones. You can tell by the number of contributors. Smaller projects will surely be an issue, but popular ones do get reviewed, simply because many people want to be able to contribute.
It’s almost certainly more than proprietary though. Like, all these risks still apply to proprietary.
How come users don’t have root access on Android even though Android is open?
Because of the handset makers and wireless carriers (honestly more the latter than the former). It’s not because of Google or Android.
Most phones use customized versions of Android and decide you shouldn’t have root access. It opens up security issues and makes it easier to bypass ads and DRM which they don’t like.
You can get it on some phones, including Google’s.
But why is Android even called opensource when there are restrictions by Google? Isn’t it a dangerous path when Google can decide to ban F-droid on the platform? What could stop them from doing that? How is the future of Android even guaranteed under such a greedy company like Google?
The Android source code is available, but unfortunately that doesn’t mean that all phones are based solely on that source code. Almost all vendors (including Google) have closed-source additions to it.
There are indeed people who agree with you. I do in principle too, but I can’t say this is something I think about much, which is probably how much people who even understand the issue feel. And most people don’t have a clue the issue exists.
Google could ban F-droid on some phones, but not all. OEMs could overrule Google on such things with their custom Android builds, and even if they didn’t, users could create their own ROMs to solve the issue for rooted devices.
Alright, I think now I understand. Thank you for the answers.
OEMs as I understand are companies who make phones, they mostly care about profit and if there is an agreement in the future with Google or any corporation that would make them more money but restricts user control, they wouldn’t care less and go for more money. And day to day users would not care about it if they can use their favorite apps and browse internet.
It seems like a wise idea to already think about making Android less and less reliant on a corporation. Especially looking at the recent example of Reddit, a sudden change or decision from companies is not impossible.
And there are Android derivatives which are Google / PlayStore or Play Services free. Like Lineage OS, GrapheneOS, CalyxOS or /e/OS
Because the vast majority of users does not need root access.
Alright, but why does Google gets to decide that? Why not make it so that users can get the root access like they can get the developers mode unlocked? On top of that, doesn’t them making it difficult or almost impossible to remove their apps defy the idea of opensource? How is Android even called opensource when the users have so much restriction put upon by Google?
There is the Android Open Source Project (AOSP), and then there’s Google’s Android, which has both open and closed components (e.g. proprietary media codecs). There is such a thing as a pure, open-source Android, but what Google ships is not 100% open.
Think of it like Google’s browser: AOSP is Chromium, the Android that comes with your phone is Google Chrome.
Whether or not someone has admin has nothing to do with whether something is open source.
No. But more safe than closed source.
deleted by creator
Removed by mod
You shouldn’t see trustworthyness or trust as a binary system of full or nothing.
You should assess - to your and the products possibilities - and then weigh risk and necessity and value.
Source exposure makes it more likely people may look at it, without cause or when something seems surprising or questionable. Source available alone doesn’t mean you’d see concerns though - you’d need an obvious platform or publicity.
FOSS may be funded and implemented by voluntary work or paid or sponsored, with or without control by the involved parties.
Security scanning is a best effort weighing known and similarity and suspect parts against false positives and user and publisher inconvenience and hindrance. It can’t be perfect.
Android Play Store security scanning can only scan for some things I’d consider security relevant and likely largely ignores questionable behavior that does not endanger device security.
Established projects are more trustworthy than those that are not. Personal projects with a clear goal are more trustworthy because of likely hood of good intention and personal interest than those who seem obscure or unclear.
Don’t trust blindly.
Safety is a big topic and theme. So such a broad question can only be answered with broad assessment and overview.
deleted by creator
Tl;Dr: you shouldn’t trust anyone or anything blindly or unconditionally. However, open source software and its community offer compelling reasons to trust it over proprietary software.
Technically, if you do not read all of the source code of an application and all its dependencies, you can never be 100% sure that it isn’t doing nefarious things. For things that require a connection to the internet, you could monitor all connections to and from the application and its dependencies and see if it is making objectionable connections.
However, in my view, open-source software is in general safer than closed-source software. Open-source software can be audited by any who knows the languages the program is coded in, whereas closed-source software can only be audited by the developer or the few parties they might authorize to see it. Closed-source apps can easily hide spyware because the source code is completely unavailable. Spyware could possibly be missed by the community, but it’s still a whole hell of a lot less likely to occur with so many eyes on the program.
And practically, whenever an open-source software gets even close to including nefarious stuff, the community generates a huge hoopla about it.
Also, Google Play Store is not open source! A better example would be F-Droid, which is an app store that is open-source. While I am not aware of F-Droid delivering spyware ala Google, it is still theoretically possible that they could screw up or be corrupted in the distant future. Therefore, we must stay vigilant, even with groups and people we trust. Practically, this just means… check their work once in a while. It wouldn’t kill you to learn a programming language; try Python for quick results. What I do is whenever an open-source software is written in a language I understand, I’ll pick a few files that look the most important and skim them to see that the program “does what it says on the tin”. Otherwise, I’ll check through the issues on GitHub for any weirdness.
I haven’t even mentioned free and open-source software (free as in speech). I genuinely do not know how to convince people who are disinterested in their own freedom to consider FOSS options, or to do very nearly anything at all. For everyone else…FOSS software respects your freedom to compute as you please. We can quibble about different licenses and if and how effective they are at safeguarding user freedom, but at the end of the day, FOSS licenses are at least intended to give users back your freedom. In my view, it is mightily refreshing to finally take some freedom back!
You wouldn’t know unless it’s checked by you or someone you trust, but IMO open source should generally be better cause if you’re doing shady stuff you’re probably less likely to make it public. Also projects with lots of activity by different people are usually safer.
Is FOSS really safe?
It’s not an attempt at edginess, but the answer is that in the long run, IT NOTHING is safe. It might be now, it might be for some time, but theres no guarantee that even the most dependable piece of software will get some new update that will break some of its functionality, or the OS will interfere with it, thus breaking it.
FOSS? It’s safe as a principle. If anyone has the access to the code, then any suspicious inclusion to it will be spotted quickly and patched up.
…but the reality isn’t as straightforward.
A question i always ask myself is, if we can see code on github for example, it still doesn’t mean their release has the same code right? They could actually compile their program with some extra stuff that sends data and just add that version on github release page, but the code itself would be clean on github right?
Yes, however there are ways of verifying that. Compiled programs are not black boxes, they’re just complicated enough that we can consider them beyond human comprehension (at least complicated programs), but they’re very much readable. Which means programs can check differences between what should be there and what is. Not to mention that you can also compile the code they said they put there and check for differences with what they’re distributing.
Is anyone doing that? Don’t know, but because it’s possible to be verified it’s unlikely that people would try to do something nasty.
Edit: I’m talking about official releases on official channels, download binaries from different sources at your own peril since those are unlikely to be checked, and even if someone found differences they could claim patches or different compilers.
It’s worth pointing out that reproducible builds aren’t always guaranteed if software developers aren’t specifically programming with them in mind.
imagine a program that inserts randomness during compile time for seeds. Reach build would generate a different seed even from the same source code, and would fail being diffed against the actual release.
Or maybe the developer inserts information about the build environment for debugging such as the build time and exact OS version. This would cause verification builds to differ.
Rust (the programing language) has had a long history of working towards reproducible builds for software written in the language, for instance.
It’s one of those things that sounds straightforward and then pesky reality comes and fucks up your year.
Yes you can tamper the executables if it’s you on your pc compiling the code and upload it to the release page…
BUT if you use ci/cd pipelines, you can almost be sure it’s not a human who is in charge of compiling. It’s a robot who automatically clones the repo, launch the build and upload the artifact to release. It’s much more transparent this way
