I’m note a programmer. I Don’t Understand Codes. How do I Know If An Open Source Application is not Stealing My Data Or Passwords? Google play store is scanning apps. It says it blocks spyware. Unfortunately, we know that it was not very successful. So, can we trust open source software? Can’t someone integrate their own virus just because the code is open?
Nobody can be 100% sure of some program’s security. However, the fact that anyone can look into the internal workings of a FOSS project means that a lot of people much smarter than you and I have their eyes on every detail of the code at all times. Plus, these projects are maintained by competent people who monitor everything that gets added to it thoroughly, so there is a very little chance of something malicious getting into a major project like that.
In comparison, nobody but the people working at Microsoft knows what Microsoft projects really do, since nobody can look inside. We just have to “trust” them. Which I do not want to do.
You shouldn’t see trustworthyness or trust as a binary system of full or nothing.
You should assess - to your and the products possibilities - and then weigh risk and necessity and value.
Source exposure makes it more likely people may look at it, without cause or when something seems surprising or questionable. Source available alone doesn’t mean you’d see concerns though - you’d need an obvious platform or publicity.
FOSS may be funded and implemented by voluntary work or paid or sponsored, with or without control by the involved parties.
Security scanning is a best effort weighing known and similarity and suspect parts against false positives and user and publisher inconvenience and hindrance. It can’t be perfect.
Android Play Store security scanning can only scan for some things I’d consider security relevant and likely largely ignores questionable behavior that does not endanger device security.
Established projects are more trustworthy than those that are not. Personal projects with a clear goal are more trustworthy because of likely hood of good intention and personal interest than those who seem obscure or unclear.
Don’t trust blindly.
Safety is a big topic and theme. So such a broad question can only be answered with broad assessment and overview.
You wouldn’t know unless it’s checked by you or someone you trust, but IMO open source should generally be better cause if you’re doing shady stuff you’re probably less likely to make it public. Also projects with lots of activity by different people are usually safer.
How do you know if a closed source application is stealing your data?
With open source, you can learn to read it, or talk to a community of people who know how to read it. If even just 1 in 500 people who downloads the software looks at the source, there are external eyes on it. Whereas with closed source, no one but the creator is looking.
Biggest thing is to still only install software you trust.
Unless you know how to inspect it yourself (or trust someone who can): No.
Yes, theoretically if someone were to insert malware hooks into Blender, the entire internet would be freaking out. Except… we live in a post truth society and that could very rapidly be astroturfed to the point of “nobody really knows but it is probably fine”. A good example in the opposite direction was that chinese (probably?) battle royale game a few years back (Rings of Something?) where, at the height of the BR wars, “somebody” claimed that it involved malware. To my knowledge, it didn’t, but it more or less killed the game in the eyes of most people.
That said: Like with anything, what matters is the downstream users. If someone somehow introduced malware to glibc, the entire world would erupt in a manhunt because very significant percentages of the world run on that. Whereas, some closed source proprietary tool with a thousand customers might never notice.
FOSS is more about ideology and what you want the future of computing/the economy to be. Any discussions of “safety” are in the same realm of “security through obscurity” where… yes, it can help but if you are relying on that you are already dead.
In terms of telemetry, free software has the advantage over the proprietary counterpart.
It’s a lot more complicated to hide telemetry without the user knowing in free software.
You could always use a network tool, like iftop, to see network traffic on your PC. That could be a way too see if a program is phoning home. But you’ll probably want to use a suite of tools.
By default, FOSS is no more secure or privacy protected than proprietary software. However, it allows the community to peer review the code. So, a popular and active FOSS project can be trusted to be honest and not do nefarious things to your data or devices.
Check activity on their code repository - Stars / Followers and Forks says something about popularity, Issues and pull requests tells you about activity (check comments or check recently closed issues and pull requests), as does the code commits itself.
Edit: Changed wording from secure to trust / honesty. Not all code focus on security; in fact, most code doesn’t.
Tl;dr: Don’t download random APKs from the internet, just because they claim to be FOSS. Just get them from F-Droid and you’re safe.
Long answer: Depends on the project. Look how many people use it. If it’s a bunch, chances are other people also keep an eye on it. Even better if you get that sofware packaged. That means from the package manager of your linux distribution or - in your case, using Android - from F-Droid. This way somebody from that team has a look at it, and F-Droid even strips all those trackers from Apps. I’d say chances for a virus/spyware getting through the F-Droid process are close to none. Not more than chances are of a virus slipping past Google’s antivirus.
(Play Store doesn’t do anything against excessive tracking.)
Part of it is automated, part of it is real people looking at the source code. That's done by sampling of course, since it's not feasible to have someone manually look over every new update to every app.
Yeah. I haven’t looked it up, but a huge part seems to be manual labor. They have a good look at it when it gets included into the f-droid repository. The app then gets re-packaged to meet their standards and compiled from source. During this process tracking libraries and other (proprietary) components get stripped.
They have an automated build server. I’m not sure if that does any additional tests or just checks if it can build the app. But this also prepares the updates.
I doubt there are automated antivirus scans involved. Usually only windows users do that.
And you have a community with many other users who use the same build of an app. They’ll file bugreports and maybe notice if an app stops working or starts consuming huge amounts of data and battery. Those users also tend to be more tech-savy than playstore users.
From what I know, F-Droid compiles apps from source so you can be sure that the code you’re running is actually made from the source code that it claims to be built from. On most other platforms, the developers could be uploading malicious programs that actually have the code changed from what’s shared online as its source code. Then add the fact that other developers can and do look at the code, and what changes are made from version to version.
You mention the Google Play issue. That is an example of a disadvantage of closed source (Android is open, the Google Play Protect is not). Google Play Protect is essentially static code analysis. Think of it almost like antivirus. It tries to look for anomalies in the code itself. But it's not great. It can be tricked. And we don't even know how good it is or what kind of checks it does.
FOSS code has many people looking at it. You can compile it yourself. It's extremely unlikely for something that's remotely popular to have explicitly malicious code in it. Is it impossible? No. But just as you get folks deep diving video game code assets, you get people looking at code of many FOSS projects. Likely because they either want to contribute or make changes.
It comes down to it being easier to find malicious actors in FOSS. Its just more difficult to hide than closed source.
Why would you think closed source is any safer for any of the same reasons but worse? Closed source can just as easily (arguably more easily) steal your info (and many did but bury it in EULAs).
Alright, but why does Google gets to decide that? Why not make it so that users can get the root access like they can get the developers mode unlocked? On top of that, doesn't them making it difficult or almost impossible to remove their apps defy the idea of opensource? How is Android even called opensource when the users have so much restriction put upon by Google?
There is the Android Open Source Project (AOSP), and then there's Google's Android, which has both open and closed components (e.g. proprietary media codecs). There is such a thing as a pure, open-source Android, but what Google ships is not 100% open.
Think of it like Google's browser: AOSP is Chromium, the Android that comes with your phone is Google Chrome.
Most phones use customized versions of Android and decide you shouldn't have root access. It opens up security issues and makes it easier to bypass ads and DRM which they don't like.
You can get it on some phones, including Google's.
But why is Android even called opensource when there are restrictions by Google? Isn't it a dangerous path when Google can decide to ban F-droid on the platform? What could stop them from doing that? How is the future of Android even guaranteed under such a greedy company like Google?
The Android source code is available, but unfortunately that doesn't mean that all phones are based solely on that source code. Almost all vendors (including Google) have closed-source additions to it.
There are indeed people who agree with you. I do in principle too, but I can't say this is something I think about much, which is probably how much people who even understand the issue feel. And most people don't have a clue the issue exists.
Google could ban F-droid on some phones, but not all. OEMs could overrule Google on such things with their custom Android builds, and even if they didn't, users could create their own ROMs to solve the issue for rooted devices.
Alright, I think now I understand. Thank you for the answers.
OEMs as I understand are companies who make phones, they mostly care about profit and if there is an agreement in the future with Google or any corporation that would make them more money but restricts user control, they wouldn't care less and go for more money. And day to day users would not care about it if they can use their favorite apps and browse internet.
It seems like a wise idea to already think about making Android less and less reliant on a corporation. Especially looking at the recent example of Reddit, a sudden change or decision from companies is not impossible.
There are more people looking than there are elsewhere. And unless you're suggesting the authors as being malicious (which can happen), most FOSS is reviewed. Especially larger ones. You can tell by the number of contributors. Smaller projects will surely be an issue, but popular ones do get reviewed, simply because many people want to be able to contribute.
It's almost certainly more than proprietary though. Like, all these risks still apply to proprietary.
Tl;Dr: you shouldn’t trust anyone or anything blindly or unconditionally. However, open source software and its community offer compelling reasons to trust it over proprietary software.
Technically, if you do not read all of the source code of an application and all its dependencies, you can never be 100% sure that it isn’t doing nefarious things. For things that require a connection to the internet, you could monitor all connections to and from the application and its dependencies and see if it is making objectionable connections.
However, in my view, open-source software is in general safer than closed-source software. Open-source software can be audited by any who knows the languages the program is coded in, whereas closed-source software can only be audited by the developer or the few parties they might authorize to see it. Closed-source apps can easily hide spyware because the source code is completely unavailable. Spyware could possibly be missed by the community, but it’s still a whole hell of a lot less likely to occur with so many eyes on the program.
And practically, whenever an open-source software gets even close to including nefarious stuff, the community generates a huge hoopla about it.
Also, Google Play Store is not open source! A better example would be F-Droid, which is an app store that is open-source. While I am not aware of F-Droid delivering spyware ala Google, it is still theoretically possible that they could screw up or be corrupted in the distant future. Therefore, we must stay vigilant, even with groups and people we trust. Practically, this just means… check their work once in a while. It wouldn’t kill you to learn a programming language; try Python for quick results. What I do is whenever an open-source software is written in a language I understand, I’ll pick a few files that look the most important and skim them to see that the program “does what it says on the tin”. Otherwise, I’ll check through the issues on GitHub for any weirdness.
I haven’t even mentioned free and open-source software (free as in speech). I genuinely do not know how to convince people who are disinterested in their own freedom to consider FOSS options, or to do very nearly anything at all. For everyone else…FOSS software respects your freedom to compute as you please. We can quibble about different licenses and if and how effective they are at safeguarding user freedom, but at the end of the day, FOSS licenses are at least intended to give users back your freedom. In my view, it is mightily refreshing to finally take some freedom back!
There are some very good comments here, here are a few to think on:
With FOSS anybody cant just modify the code that you use, say in my lemmy instance. The code I run comes from the dev’s own github account, and they manage the code that comes into the project - this doesn’t mean that the underlying code is immune to bugs any bore than closed platforms though, just that more eyes can look for bugs and exploits
With FOSS I can fork a code base and publish that, like I have done with the Alexandrite UI for lemmy. I could insert password sniffers in that cade, and someone could build from that source - but the code changes that I have made are laid out for any one to look at. Again, it doesn’t mean the base code is any better than closed, just that more eyes can look
A question i always ask myself is, if we can see code on github for example, it still doesn’t mean their release has the same code right? They could actually compile their program with some extra stuff that sends data and just add that version on github release page, but the code itself would be clean on github right?
Yes, however there are ways of verifying that. Compiled programs are not black boxes, they’re just complicated enough that we can consider them beyond human comprehension (at least complicated programs), but they’re very much readable. Which means programs can check differences between what should be there and what is. Not to mention that you can also compile the code they said they put there and check for differences with what they’re distributing.
Is anyone doing that? Don’t know, but because it’s possible to be verified it’s unlikely that people would try to do something nasty.
Edit: I’m talking about official releases on official channels, download binaries from different sources at your own peril since those are unlikely to be checked, and even if someone found differences they could claim patches or different compilers.
It's worth pointing out that reproducible builds aren't always guaranteed if software developers aren't specifically programming with them in mind.
imagine a program that inserts randomness during compile time for seeds. Reach build would generate a different seed even from the same source code, and would fail being diffed against the actual release.
Or maybe the developer inserts information about the build environment for debugging such as the build time and exact OS version. This would cause verification builds to differ.
Rust (the programing language) has had a long history of working towards reproducible builds for software written in the language, for instance.
It's one of those things that sounds straightforward and then pesky reality comes and fucks up your year.
Yes you can tamper the executables if it’s you on your pc compiling the code and upload it to the release page…
BUT if you use ci/cd pipelines, you can almost be sure it’s not a human who is in charge of compiling. It’s a robot who automatically clones the repo, launch the build and upload the artifact to release. It’s much more transparent this way
One more note about safety when it comes to open source or FOSS, is that you should use only the main repository and distributions provided by the official team. Often people clone existing repo, insert malicious code and publish it as their app on play store etc.
Add comment