I’m note a programmer. I Don’t Understand Codes. How do I Know If An Open Source Application is not Stealing My Data Or Passwords? Google play store is scanning apps. It says it blocks spyware. Unfortunately, we know that it was not very successful. So, can we trust open source software? Can’t someone integrate their own virus just because the code is open?

54 points

Yes, but the idea is that because the code is open source anyone can look at it and determine on their own whether it is in fact safe or not. Generally speaking the open source community is very good at figuring this kind of stuff out but I would say your fear is not necessarily out of place since nothing is 100% guaranteed. That said though, the more popular FOSS apps are quite safe.

permalink
report
reply
19 points
Deleted by creator
permalink
report
parent
reply
8 points

The way people use npm has long been a problem - the basic concept of pulling in 4 dozen small snippets of code from repos all made by different people and rarely verified. It’s quite different than running one application with a group of developers who understand all the components and monitor/approve changes.

permalink
report
parent
reply
4 points

True, but these have been identified pretty quickly, they’re not insidiously harvesting data in the background over long periods.

permalink
report
parent
reply
5 points

Well, we have detected those that have been detected. It is possible that there are some sleeper repos no one has detected yet.

But it is not really a problem or something bad with FOSS, just have to be careful when including and updating libraries, which you always have to be!

permalink
report
parent
reply
15 points

But someone has to actually go and check, instead of going “someone else will check it”

permalink
report
parent
reply
12 points

This is why lots of open source projects critical for privacy and security are audited. ProtonVPN, ProtonMail, Mullvad, Signal, Matrix, GrapheneOS, and more. Are audited and are very big projects with many eyes upon them. The more eyes, the more secure it will be.

permalink
report
parent
reply
7 points

Yes, those are much more trustworthy than audited closed source projects. Just saying that “anyone can check” doesn’t mean “someone will check”

permalink
report
parent
reply
6 points

Well if the app is actively maintained the code is checked every time someone makes a push request to the main code base. You still have to trust the managers of the repository (code base) to verify every push request thoroughly, however, it’s in the best interest of the repository managers to do so to maintain trust in the project and it’s users.

permalink
report
parent
reply
4 points

Well, not exactly.

Some open source projects have many contributors, and while they’re working on fixing bugs and adding new features, the chances that no one would notice say, a key logger or crypto miner are very slim.

Other opensource projects are maintained by large sophisticated organisations who would monitor security in some fashion. They would monitor for obvious things like transmitting data at the very least.

That’s not a 100% guarantee of security, but it’s not as reckless as just hoping someone will check.

permalink
report
parent
reply
25 points
*

By default, FOSS is no more secure or privacy protected than proprietary software. However, it allows the community to peer review the code. So, a popular and active FOSS project can be trusted to be honest and not do nefarious things to your data or devices.

Check activity on their code repository - Stars / Followers and Forks says something about popularity, Issues and pull requests tells you about activity (check comments or check recently closed issues and pull requests), as does the code commits itself.

Edit: Changed wording from secure to trust / honesty. Not all code focus on security; in fact, most code doesn’t.

permalink
report
reply
22 points

You mention the Google Play issue. That is an example of a disadvantage of closed source (Android is open, the Google Play Protect is not). Google Play Protect is essentially static code analysis. Think of it almost like antivirus. It tries to look for anomalies in the code itself. But it’s not great. It can be tricked. And we don’t even know how good it is or what kind of checks it does.

FOSS code has many people looking at it. You can compile it yourself. It’s extremely unlikely for something that’s remotely popular to have explicitly malicious code in it. Is it impossible? No. But just as you get folks deep diving video game code assets, you get people looking at code of many FOSS projects. Likely because they either want to contribute or make changes.

It comes down to it being easier to find malicious actors in FOSS. Its just more difficult to hide than closed source.

Why would you think closed source is any safer for any of the same reasons but worse? Closed source can just as easily (arguably more easily) steal your info (and many did but bury it in EULAs).

permalink
report
reply
2 points

I wouldn’t assume there are many people looking at most open source code. And even if there are, it’s not impossible to hide malicious code.

Just because people can review it doesn’t mean they are reviewing it.

It does introduce more risk of discovery though. Malicious code is easier to find, and there will be at least a username associated with it.

permalink
report
parent
reply
5 points

There are more people looking than there are elsewhere. And unless you’re suggesting the authors as being malicious (which can happen), most FOSS is reviewed. Especially larger ones. You can tell by the number of contributors. Smaller projects will surely be an issue, but popular ones do get reviewed, simply because many people want to be able to contribute.

It’s almost certainly more than proprietary though. Like, all these risks still apply to proprietary.

permalink
report
parent
reply
1 point

How come users don’t have root access on Android even though Android is open?

permalink
report
parent
reply
10 points

Because of the handset makers and wireless carriers (honestly more the latter than the former). It’s not because of Google or Android.

permalink
report
parent
reply
8 points

Most phones use customized versions of Android and decide you shouldn’t have root access. It opens up security issues and makes it easier to bypass ads and DRM which they don’t like.

You can get it on some phones, including Google’s.

permalink
report
parent
reply
-2 points

But why is Android even called opensource when there are restrictions by Google? Isn’t it a dangerous path when Google can decide to ban F-droid on the platform? What could stop them from doing that? How is the future of Android even guaranteed under such a greedy company like Google?

permalink
report
parent
reply
1 point

Because the vast majority of users does not need root access.

permalink
report
parent
reply
2 points

Alright, but why does Google gets to decide that? Why not make it so that users can get the root access like they can get the developers mode unlocked? On top of that, doesn’t them making it difficult or almost impossible to remove their apps defy the idea of opensource? How is Android even called opensource when the users have so much restriction put upon by Google?

permalink
report
parent
reply
22 points

How do you know if a closed source application is stealing your data?

With open source, you can learn to read it, or talk to a community of people who know how to read it. If even just 1 in 500 people who downloads the software looks at the source, there are external eyes on it. Whereas with closed source, no one but the creator is looking.

Biggest thing is to still only install software you trust.

permalink
report
reply
17 points

One more note about safety when it comes to open source or FOSS, is that you should use only the main repository and distributions provided by the official team. Often people clone existing repo, insert malicious code and publish it as their app on play store etc.

permalink
report
reply

No Stupid Questions

!nostupidquestions@lemmy.world

Create post

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others’ questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)


Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.



Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.



Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.



Rule 4- No self promotion or upvote-farming of any kind.

That’s it.



Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.



Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it’s in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.



Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.



Rule 8- All comments should try to stay relevant to their parent content.

Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.



Rule 10- Majority of bots aren't allowed to participate here.

Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

Community stats

  • 9.6K

    Monthly active users

  • 3.3K

    Posts

  • 129K

    Comments