I'm note a programmer. I Don't Understand Codes. How do I Know If An Open Source Application is not Stealing My Data Or Passwords? Google play store is scanning apps. It says it blocks spyware. Unfortunately, we know that it was not very successful. So, can we trust open source software? Can't someone integrate their own virus just because the code is open?
Yes, but the idea is that because the code is open source anyone can look at it and determine on their own whether it is in fact safe or not. Generally speaking the open source community is very good at figuring this kind of stuff out but I would say your fear is not necessarily out of place since nothing is 100% guaranteed. That said though, the more popular FOSS apps are quite safe.
The way people use npm has long been a problem - the basic concept of pulling in 4 dozen small snippets of code from repos all made by different people and rarely verified. It's quite different than running one application with a group of developers who understand all the components and monitor/approve changes.
This is why lots of open source projects critical for privacy and security are audited. ProtonVPN, ProtonMail, Mullvad, Signal, Matrix, GrapheneOS, and more. Are audited and are very big projects with many eyes upon them. The more eyes, the more secure it will be.
Well if the app is actively maintained the code is checked every time someone makes a push request to the main code base. You still have to trust the managers of the repository (code base) to verify every push request thoroughly, however, it's in the best interest of the repository managers to do so to maintain trust in the project and it's users.
Some open source projects have many contributors, and while they're working on fixing bugs and adding new features, the chances that no one would notice say, a key logger or crypto miner are very slim.
Other opensource projects are maintained by large sophisticated organisations who would monitor security in some fashion. They would monitor for obvious things like transmitting data at the very least.
That's not a 100% guarantee of security, but it's not as reckless as just hoping someone will check.
By default, FOSS is no more secure or privacy protected than proprietary software. However, it allows the community to peer review the code. So, a popular and active FOSS project can be trusted to be honest and not do nefarious things to your data or devices.
Check activity on their code repository - Stars / Followers and Forks says something about popularity, Issues and pull requests tells you about activity (check comments or check recently closed issues and pull requests), as does the code commits itself.
Edit: Changed wording from secure to trust / honesty. Not all code focus on security; in fact, most code doesn’t.
You mention the Google Play issue. That is an example of a disadvantage of closed source (Android is open, the Google Play Protect is not). Google Play Protect is essentially static code analysis. Think of it almost like antivirus. It tries to look for anomalies in the code itself. But it's not great. It can be tricked. And we don't even know how good it is or what kind of checks it does.
FOSS code has many people looking at it. You can compile it yourself. It's extremely unlikely for something that's remotely popular to have explicitly malicious code in it. Is it impossible? No. But just as you get folks deep diving video game code assets, you get people looking at code of many FOSS projects. Likely because they either want to contribute or make changes.
It comes down to it being easier to find malicious actors in FOSS. Its just more difficult to hide than closed source.
Why would you think closed source is any safer for any of the same reasons but worse? Closed source can just as easily (arguably more easily) steal your info (and many did but bury it in EULAs).
There are more people looking than there are elsewhere. And unless you're suggesting the authors as being malicious (which can happen), most FOSS is reviewed. Especially larger ones. You can tell by the number of contributors. Smaller projects will surely be an issue, but popular ones do get reviewed, simply because many people want to be able to contribute.
It's almost certainly more than proprietary though. Like, all these risks still apply to proprietary.
Most phones use customized versions of Android and decide you shouldn't have root access. It opens up security issues and makes it easier to bypass ads and DRM which they don't like.
You can get it on some phones, including Google's.
How do you know if a closed source application is stealing your data?
With open source, you can learn to read it, or talk to a community of people who know how to read it. If even just 1 in 500 people who downloads the software looks at the source, there are external eyes on it. Whereas with closed source, no one but the creator is looking.
Biggest thing is to still only install software you trust.
One more note about safety when it comes to open source or FOSS, is that you should use only the main repository and distributions provided by the official team. Often people clone existing repo, insert malicious code and publish it as their app on play store etc.
No, open source code is no safer than closed source code by default. What it does is gives the opportunity for people to verify that it’s safe, but it doesn’t mean it is safe. Also just because some people have “verified” that it is safe doesn’t mean they didn’t just miss the vulnerabilities or nasty code.
Software companies are not known for their accountability over hacky code though, foss leads to better quality because it solves the accountability conflict of interest in an efficient way.
Agreed. I'd say with open source it is harder to 'get away' with malicious features, since the code is out in the open.
I guess if authors were to put those features, open nature of their code also serves as a bit of a deterrent sice there is a much bigger possibility of people finding out compared to closed source. However as you said it is not impossible, especially since not many people look through the code of everything they run. And even then it is not impossible to obfuscate it well enough for it not to be spotted on casual read-through.
Accounts that post "verifying code" can also be sock puppet accounts, so it is always good to double check for yourself if you know the programming language, or check the account history to see if they have verified other software from different writers that aren't all connected to each other. Nothing sketchier than a verification ring, where accounts all verify for each other.
This is only an issue if it's only been reviewed by one or two coders with zero history on the repo's host. This is rare for anything that is remotely popular.
In terms of telemetry, free software has the advantage over the proprietary counterpart.
It's a lot more complicated to hide telemetry without the user knowing in free software.
You could always use a network tool, like iftop, to see network traffic on your PC. That could be a way too see if a program is phoning home. But you'll probably want to use a suite of tools.
Tl;Dr: you shouldn't trust anyone or anything blindly or unconditionally. However, open source software and its community offer compelling reasons to trust it over proprietary software.
Technically, if you do not read all of the source code of an application and all its dependencies, you can never be 100% sure that it isn't doing nefarious things. For things that require a connection to the internet, you could monitor all connections to and from the application and its dependencies and see if it is making objectionable connections.
However, in my view, open-source software is in general safer than closed-source software. Open-source software can be audited by any who knows the languages the program is coded in, whereas closed-source software can only be audited by the developer or the few parties they might authorize to see it. Closed-source apps can easily hide spyware because the source code is completely unavailable. Spyware could possibly be missed by the community, but it's still a whole hell of a lot less likely to occur with so many eyes on the program.
And practically, whenever an open-source software gets even close to including nefarious stuff, the community generates a huge hoopla about it.
Also, Google Play Store is not open source! A better example would be F-Droid, which is an app store that is open-source. While I am not aware of F-Droid delivering spyware ala Google, it is still theoretically possible that they could screw up or be corrupted in the distant future. Therefore, we must stay vigilant, even with groups and people we trust. Practically, this just means... check their work once in a while. It wouldn't kill you to learn a programming language; try Python for quick results. What I do is whenever an open-source software is written in a language I understand, I'll pick a few files that look the most important and skim them to see that the program "does what it says on the tin". Otherwise, I'll check through the issues on GitHub for any weirdness.
I haven't even mentioned free and open-source software (free as in speech). I genuinely do not know how to convince people who are disinterested in their own freedom to consider FOSS options, or to do very nearly anything at all. For everyone else...FOSS software respects your freedom to compute as you please. We can quibble about different licenses and if and how effective they are at safeguarding user freedom, but at the end of the day, FOSS licenses are at least intended to give users back your freedom. In my view, it is mightily refreshing to finally take some freedom back!
Tl;dr: Don't download random APKs from the internet, just because they claim to be FOSS. Just get them from F-Droid and you're safe.
Long answer:
Depends on the project. Look how many people use it. If it's a bunch, chances are other people also keep an eye on it. Even better if you get that sofware packaged. That means from the package manager of your linux distribution or - in your case, using Android - from F-Droid. This way somebody from that team has a look at it, and F-Droid even strips all those trackers from Apps. I'd say chances for a virus/spyware getting through the F-Droid process are close to none. Not more than chances are of a virus slipping past Google's antivirus.
(Play Store doesn't do anything against excessive tracking.)
Part of it is automated, part of it is real people looking at the source code. That's done by sampling of course, since it's not feasible to have someone manually look over every new update to every app.
From what I know, F-Droid compiles apps from source so you can be sure that the code you're running is actually made from the source code that it claims to be built from. On most other platforms, the developers could be uploading malicious programs that actually have the code changed from what's shared online as its source code. Then add the fact that other developers can and do look at the code, and what changes are made from version to version.
You shouldn't see trustworthyness or trust as a binary system of full or nothing.
You should assess - to your and the products possibilities - and then weigh risk and necessity and value.
Source exposure makes it more likely people may look at it, without cause or when something seems surprising or questionable. Source available alone doesn't mean you'd see concerns though - you'd need an obvious platform or publicity.
FOSS may be funded and implemented by voluntary work or paid or sponsored, with or without control by the involved parties.
Security scanning is a best effort weighing known and similarity and suspect parts against false positives and user and publisher inconvenience and hindrance. It can't be perfect.
Android Play Store security scanning can only scan for some things I'd consider security relevant and likely largely ignores questionable behavior that does not endanger device security.
Established projects are more trustworthy than those that are not. Personal projects with a clear goal are more trustworthy because of likely hood of good intention and personal interest than those who seem obscure or unclear.
Don't trust blindly.
Safety is a big topic and theme. So such a broad question can only be answered with broad assessment and overview.
It's not an attempt at edginess, but the answer is that in the long run, IT NOTHING is safe. It might be now, it might be for some time, but theres no guarantee that even the most dependable piece of software will get some new update that will break some of its functionality, or the OS will interfere with it, thus breaking it.
FOSS? It's safe as a principle. If anyone has the access to the code, then any suspicious inclusion to it will be spotted quickly and patched up.
You wouldn't know unless it's checked by you or someone you trust, but IMO open source should generally be better cause if you're doing shady stuff you're probably less likely to make it public.
Also projects with lots of activity by different people are usually safer.
A question i always ask myself is, if we can see code on github for example, it still doesn’t mean their release has the same code right? They could actually compile their program with some extra stuff that sends data and just add that version on github release page, but the code itself would be clean on github right?
Yes, however there are ways of verifying that. Compiled programs are not black boxes, they're just complicated enough that we can consider them beyond human comprehension (at least complicated programs), but they're very much readable. Which means programs can check differences between what should be there and what is. Not to mention that you can also compile the code they said they put there and check for differences with what they're distributing.
Is anyone doing that? Don't know, but because it's possible to be verified it's unlikely that people would try to do something nasty.
Edit: I'm talking about official releases on official channels, download binaries from different sources at your own peril since those are unlikely to be checked, and even if someone found differences they could claim patches or different compilers.
It's worth pointing out that reproducible builds aren't always guaranteed if software developers aren't specifically programming with them in mind.
imagine a program that inserts randomness during compile time for seeds. Reach build would generate a different seed even from the same source code, and would fail being diffed against the actual release.
Or maybe the developer inserts information about the build environment for debugging such as the build time and exact OS version. This would cause verification builds to differ.
Rust (the programing language) has had a long history of working towards reproducible builds for software written in the language, for instance.
It's one of those things that sounds straightforward and then pesky reality comes and fucks up your year.
Yes you can tamper the executables if it's you on your pc compiling the code and upload it to the release page...
BUT if you use ci/cd pipelines, you can almost be sure it's not a human who is in charge of compiling. It's a robot who automatically clones the repo, launch the build and upload the artifact to release. It's much more transparent this way
Unless you know how to inspect it yourself (or trust someone who can): No.
Yes, theoretically if someone were to insert malware hooks into Blender, the entire internet would be freaking out. Except... we live in a post truth society and that could very rapidly be astroturfed to the point of "nobody really knows but it is probably fine". A good example in the opposite direction was that chinese (probably?) battle royale game a few years back (Rings of Something?) where, at the height of the BR wars, "somebody" claimed that it involved malware. To my knowledge, it didn't, but it more or less killed the game in the eyes of most people.
That said: Like with anything, what matters is the downstream users. If someone somehow introduced malware to glibc, the entire world would erupt in a manhunt because very significant percentages of the world run on that. Whereas, some closed source proprietary tool with a thousand customers might never notice.
FOSS is more about ideology and what you want the future of computing/the economy to be. Any discussions of "safety" are in the same realm of "security through obscurity" where... yes, it can help but if you are relying on that you are already dead.
There are some very good comments here, here are a few to think on:
With FOSS anybody cant just modify the code that you use, say in my lemmy instance. The code I run comes from the dev's own github account, and they manage the code that comes into the project - this doesn't mean that the underlying code is immune to bugs any bore than closed platforms though, just that more eyes can look for bugs and exploits
With FOSS I can fork a code base and publish that, like I have done with the Alexandrite UI for lemmy. I could insert password sniffers in that cade, and someone could build from that source - but the code changes that I have made are laid out for any one to look at. Again, it doesn't mean the base code is any better than closed, just that more eyes can look