Is FOSS really safe? - eviltoast

I’m note a programmer. I Don’t Understand Codes. How do I Know If An Open Source Application is not Stealing My Data Or Passwords? Google play store is scanning apps. It says it blocks spyware. Unfortunately, we know that it was not very successful. So, can we trust open source software? Can’t someone integrate their own virus just because the code is open?

  • pjhenry1216@kbin.social
    link
    fedilink
    arrow-up
    22
    ·
    1 year ago

    You mention the Google Play issue. That is an example of a disadvantage of closed source (Android is open, the Google Play Protect is not). Google Play Protect is essentially static code analysis. Think of it almost like antivirus. It tries to look for anomalies in the code itself. But it’s not great. It can be tricked. And we don’t even know how good it is or what kind of checks it does.

    FOSS code has many people looking at it. You can compile it yourself. It’s extremely unlikely for something that’s remotely popular to have explicitly malicious code in it. Is it impossible? No. But just as you get folks deep diving video game code assets, you get people looking at code of many FOSS projects. Likely because they either want to contribute or make changes.

    It comes down to it being easier to find malicious actors in FOSS. Its just more difficult to hide than closed source.

    Why would you think closed source is any safer for any of the same reasons but worse? Closed source can just as easily (arguably more easily) steal your info (and many did but bury it in EULAs).

    • Serinus@lemmy.world
      link
      fedilink
      arrow-up
      5
      arrow-down
      3
      ·
      1 year ago

      I wouldn’t assume there are many people looking at most open source code. And even if there are, it’s not impossible to hide malicious code.

      Just because people can review it doesn’t mean they are reviewing it.

      It does introduce more risk of discovery though. Malicious code is easier to find, and there will be at least a username associated with it.

      • pjhenry1216@kbin.social
        link
        fedilink
        arrow-up
        5
        ·
        1 year ago

        There are more people looking than there are elsewhere. And unless you’re suggesting the authors as being malicious (which can happen), most FOSS is reviewed. Especially larger ones. You can tell by the number of contributors. Smaller projects will surely be an issue, but popular ones do get reviewed, simply because many people want to be able to contribute.

        It’s almost certainly more than proprietary though. Like, all these risks still apply to proprietary.

    • zencat@kbin.social
      link
      fedilink
      arrow-up
      3
      arrow-down
      2
      ·
      1 year ago

      How come users don’t have root access on Android even though Android is open?

      • pjhenry1216@kbin.social
        link
        fedilink
        arrow-up
        10
        ·
        1 year ago

        Because of the handset makers and wireless carriers (honestly more the latter than the former). It’s not because of Google or Android.

      • exscape@kbin.social
        link
        fedilink
        arrow-up
        8
        ·
        1 year ago

        Most phones use customized versions of Android and decide you shouldn’t have root access. It opens up security issues and makes it easier to bypass ads and DRM which they don’t like.

        You can get it on some phones, including Google’s.

        • zencat@kbin.social
          link
          fedilink
          arrow-up
          2
          arrow-down
          4
          ·
          1 year ago

          But why is Android even called opensource when there are restrictions by Google? Isn’t it a dangerous path when Google can decide to ban F-droid on the platform? What could stop them from doing that? How is the future of Android even guaranteed under such a greedy company like Google?

          • exscape@kbin.social
            link
            fedilink
            arrow-up
            6
            ·
            1 year ago

            The Android source code is available, but unfortunately that doesn’t mean that all phones are based solely on that source code. Almost all vendors (including Google) have closed-source additions to it.

            There are indeed people who agree with you. I do in principle too, but I can’t say this is something I think about much, which is probably how much people who even understand the issue feel. And most people don’t have a clue the issue exists.

            Google could ban F-droid on some phones, but not all. OEMs could overrule Google on such things with their custom Android builds, and even if they didn’t, users could create their own ROMs to solve the issue for rooted devices.

            • zencat@kbin.social
              link
              fedilink
              arrow-up
              1
              ·
              1 year ago

              Alright, I think now I understand. Thank you for the answers.

              OEMs as I understand are companies who make phones, they mostly care about profit and if there is an agreement in the future with Google or any corporation that would make them more money but restricts user control, they wouldn’t care less and go for more money. And day to day users would not care about it if they can use their favorite apps and browse internet.

              It seems like a wise idea to already think about making Android less and less reliant on a corporation. Especially looking at the recent example of Reddit, a sudden change or decision from companies is not impossible.

        • zencat@kbin.social
          link
          fedilink
          arrow-up
          3
          arrow-down
          1
          ·
          1 year ago

          Alright, but why does Google gets to decide that? Why not make it so that users can get the root access like they can get the developers mode unlocked? On top of that, doesn’t them making it difficult or almost impossible to remove their apps defy the idea of opensource? How is Android even called opensource when the users have so much restriction put upon by Google?

          • Peruvian_Skies@kbin.social
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            1 year ago

            There is the Android Open Source Project (AOSP), and then there’s Google’s Android, which has both open and closed components (e.g. proprietary media codecs). There is such a thing as a pure, open-source Android, but what Google ships is not 100% open.

            Think of it like Google’s browser: AOSP is Chromium, the Android that comes with your phone is Google Chrome.