Is FOSS really safe?

Socialphilosopher@lemm.ee to No Stupid Questions@lemmy.world – 65 points –

I'm note a programmer. I Don't Understand Codes. How do I Know If An Open Source Application is not Stealing My Data Or Passwords? Google play store is scanning apps. It says it blocks spyware. Unfortunately, we know that it was not very successful. So, can we trust open source software? Can't someone integrate their own virus just because the code is open?

65

You are viewing a single comment
View all comments

You mention the Google Play issue. That is an example of a disadvantage of closed source (Android is open, the Google Play Protect is not). Google Play Protect is essentially static code analysis. Think of it almost like antivirus. It tries to look for anomalies in the code itself. But it's not great. It can be tricked. And we don't even know how good it is or what kind of checks it does.

FOSS code has many people looking at it. You can compile it yourself. It's extremely unlikely for something that's remotely popular to have explicitly malicious code in it. Is it impossible? No. But just as you get folks deep diving video game code assets, you get people looking at code of many FOSS projects. Likely because they either want to contribute or make changes.

It comes down to it being easier to find malicious actors in FOSS. Its just more difficult to hide than closed source.

Why would you think closed source is any safer for any of the same reasons but worse? Closed source can just as easily (arguably more easily) steal your info (and many did but bury it in EULAs).

I wouldn't assume there are many people looking at most open source code. And even if there are, it's not impossible to hide malicious code.

Just because people can review it doesn't mean they are reviewing it.

It does introduce more risk of discovery though. Malicious code is easier to find, and there will be at least a username associated with it.

There are more people looking than there are elsewhere. And unless you're suggesting the authors as being malicious (which can happen), most FOSS is reviewed. Especially larger ones. You can tell by the number of contributors. Smaller projects will surely be an issue, but popular ones do get reviewed, simply because many people want to be able to contribute.

It's almost certainly more than proprietary though. Like, all these risks still apply to proprietary.

How come users don't have root access on Android even though Android is open?

Because of the handset makers and wireless carriers (honestly more the latter than the former). It's not because of Google or Android.

Most phones use customized versions of Android and decide you shouldn't have root access. It opens up security issues and makes it easier to bypass ads and DRM which they don't like.

You can get it on some phones, including Google's.

But why is Android even called opensource when there are restrictions by Google? Isn't it a dangerous path when Google can decide to ban F-droid on the platform? What could stop them from doing that? How is the future of Android even guaranteed under such a greedy company like Google?

The Android source code is available, but unfortunately that doesn't mean that all phones are based solely on that source code. Almost all vendors (including Google) have closed-source additions to it.

There are indeed people who agree with you. I do in principle too, but I can't say this is something I think about much, which is probably how much people who even understand the issue feel. And most people don't have a clue the issue exists.

Google could ban F-droid on some phones, but not all. OEMs could overrule Google on such things with their custom Android builds, and even if they didn't, users could create their own ROMs to solve the issue for rooted devices.

Alright, I think now I understand. Thank you for the answers.

OEMs as I understand are companies who make phones, they mostly care about profit and if there is an agreement in the future with Google or any corporation that would make them more money but restricts user control, they wouldn't care less and go for more money. And day to day users would not care about it if they can use their favorite apps and browse internet.

It seems like a wise idea to already think about making Android less and less reliant on a corporation. Especially looking at the recent example of Reddit, a sudden change or decision from companies is not impossible.

Because the vast majority of users does not need root access.

Alright, but why does Google gets to decide that? Why not make it so that users can get the root access like they can get the developers mode unlocked? On top of that, doesn't them making it difficult or almost impossible to remove their apps defy the idea of opensource? How is Android even called opensource when the users have so much restriction put upon by Google?

There is the Android Open Source Project (AOSP), and then there's Google's Android, which has both open and closed components (e.g. proprietary media codecs). There is such a thing as a pure, open-source Android, but what Google ships is not 100% open.

Think of it like Google's browser: AOSP is Chromium, the Android that comes with your phone is Google Chrome.

Whether or not someone has admin has nothing to do with whether something is open source.