Nobody on my post asking for controversial privacy topics asked this question, but I feel I should cover it anyways. People sometimes assume that software is safe simply because it is open source. That is a misconception, and I would like to cover that in this post.
What does "open source" mean?
When software is "open source," it means that the developers have made the source code for the software public and allows anyone to help contribute to the code, or create their own versions of the software based on the source code. By contrast, proprietary software is software that has not made the source code visible to the public. There are similar terms to open source, such as "source-available," "open-core," and "libre," which I won't cover in this post. For the sake of simplicity, any source-available software will be called "open source," since the specifics don't quite matter for the majority of this post.
What are the benefits open source software?
Open source software provides many benefits over proprietary software:
Code auditing: Because anyone can inspect the code, anybody can look for vulnerabilities or invasive code to make sure that the software is safe. With proprietary software, the developers would have to hire a third party auditor to inspect the code. That means you have to trust the auditor, and you have no way to verify first-hand that the code is safe.
Bug reporting: While both open source and proprietary software have bug reporting systems, open source software tends to have more thorough and transparent bug reporting. Bug reports are generally on a public issue tracker such as GitHub, which can also help prevent duplicate bugs from being reported. Having these reports public also makes the next benefit easier:
Bug fixing: Anyone can contribute to open source software, which means the workload is distributed. Instead of a small team of developers being the only ones working on the software, anyone can look at the public issues and code their own fixes for the software.
Resurrecting projects: Both open source and proprietary software can one day stop being developed. Even big companies such as Spotify can retire software, which can lead to hardware devices becoming unusable or insecure. (The code for Car Thing has been reconstructed, by the way.) Open source projects that fall out of development can easily be forked and maintained by a new developer. It's rare to see proprietary software handed off to a new owner.
Accountability: Open source projects hold the developers directly accountable for any vulnerabilities or invasive code, meaning the developer's interests are aligned with its users and not malicious purposes. This also incentivizes creating code without paywalls, since anyone could release a version of the code with the paid features "unlocked".
However, even with all these benefits, open source software isn't perfect.
Why has proprietary software become so popular?
Since ads and paywalls can generally be removed from open source software, it doesn't make it a very appealing choice to for-profit organizations. Generally, these organizations want to monetize and control their software, which means injecting ads, paywalls, and other invasive elements. This is done most easily if the software is proprietary.
It's also rare to see open source software becoming so popular, because generally open source software receives its funding from donations and doesn't have the budget to advertise the software. There are exceptions, such as OBS Studio or Blender, which have mostly become the most popular software in their categories.
Is open source software safe?
There is another downside to open source software that many people don't talk about: it is much easier to exploit than proprietary software. Because all the source code is visible to the public, it makes it easy for malicious parties to craft vulnerabilities. Proprietary software is generally a stab in the dark until a vulnerability is found, since you can't see exactly how it was coded.
Software being open source does mean that it becomes more likely to find and fix vulnerabilities, but being open source doesn't automatically make software safe. Which device do you think would be more likely to obtain a virus, a device running (stock) Android or a device running iOS? You're most likely more inclined to say the device running (stock) Android is more likely. Android at its core is open source. While correlation is not causation, and there are other factors at play, it's much easier for someone to try to craft a malicious app for Android than for iOS because of its open nature.
Proprietary software isn't automatically safe, either. It can be just as vulnerable as any other software. However, open source software has the potential to become much more secure than proprietary software, simply because more people can find and fix vulnerabilities. That's probably why Apple open sourced their Private Cloud Compute code before launching a bounty program for it.
Anyone can code malicious open source software. It's riskier, since it's more likely to be noticed, but it's still possible. Microsoft could open source Windows one day, and it wouldn't make it any more safe until somebody identified and fixed the issues. Open source software doesn't automatically make something private or secure, but it does provide integrity, because the developer is showing that they will be accountable for any malicious or vulnerable code, and that anyone is free to look through the code.
Final notes
I hope this gives you a better idea of what it actually means if something is open source. Even unsafe proprietary software can be run safely under the right conditions. If your threat model requires you to use as much open source software as possible, I made my own list of open source software called Open Source Everything that you can look through. I hope you enjoyed reading this!
- The 8232 Project
Most of the "Is open source software safe?" section of this post seems to advocate for what's conventionally called Security Through Obscurity, which is widely considered very ineffective at preventing exploitation and at best a minor hurdle.
There are a lot of differences between Android and iOS in terms of security, attack surface, and exploitation, but attributing that to open vs closed-source completely misunderstands the entire subject. For just two of the countless reasons: Many of the worst vulnerabilities that affect Android devices are in closed-source proprietary Qualcomm firmware. A platform being open in the sense of allowing users to install any application they want to (like Windows and Android to a limited extent) or closed off to prevent installation of unapproved software (iOS, PlayStation, Toyota cars, TiVo, etc.) is completely separate from whether that platform is open-source or not. GPLv3 has license terms that try to tie the two concepts but I chose examples that don't use it at all. Also, iOS has public kernel source code.
I was trying to avoid making it sound like iOS was more secure in that because it's proprietary. The claim I was trying to make is that open source software isn't necessarily more secure than proprietary software and being open source can make it easier to craft an attack compared to if it were proprietary. I also mentioned that there are, of course, more variables at play, such as sideloading.
In my eyes, security via obscurity is a deterrent, not a solution. It can help prevent attacks or make attacks harder, but it doesn't fix the underlying issues.
I actually didn't know this! Thank you, I learned something new today :)