"My app uses open source technologies" and other ways developers lie to you

"My app uses open source technologies" and other ways developers lie to you

By Alexandru-Balan | Pr0gram Failure | 16 Jun 2020


Maybe some of you have encountered this situation in which you want to know if a project or application is free and open-source software. Maybe it's because you want to know if you can trust the app to keep your data private and secure, or maybe you are a developer yourself and want to modify something in the app or create your own, better version. Or maybe you want to be assured that when the company behind the project abandons it, the community can pick it up and breathe a new life into it.

Some companies and developers out there will give you a sweet response in which they'll tell you how much they love open-source and how their app incorporates open-source software.

Hey! Company X utilizes many open-source components, like libraries, block explorers and so forth. We put a lot of effort and time into providing a good-quality, reliable product for everyone. However, we keep part of our development secret, in order to protect our users and ourselves from scammy copycats, phishing and bootleg applications.


Stop right there, Company X, let me interject for a minute.

I won't tell you which company that is; let's just say it rhymes with "Mnemonic Mallet". That's the first kind of lie you'll hear from software developers and software companies: "We use open-source components". Whenever you see this, it should set off an alarm in your head. Instead of saying that their product is open-source, they try to manipulate the more naive users into thinking it is, without explicitly lying to them.

From time to time you'll see even more elaborate sympathy-jerking responses like this one:

Ever since we launched Product Y, we’ve been vocal proponents of privacy, and we've campaigned against tracking and data collection. Product Y is owned by its employees and we have no external investors pushing for profit. Product Y isn't made available under one unified open source license. But for all practical purposes, the source code is available for audit, only the UI is not included.

"What's all this gibberish?", you might say.

It means that for "all practical purposes" they use open-source software, but the final product is not licensed under an open-source license and can contain anything from spying features to malware. This type of response makes the naive user think that people who are skeptical of Product Y are conspiracy nuts who can't trust another living soul.

Companies have no soul

A company will always have profit at its heart, and that's what drives every decision a company makes. If their product is not open-source, it's like that for a reason, a reason most companies out there don't want to say out loud. They do this because there are "features" in their app that they know users would disapprove of.

Let's take an example to illustrate my point:

[Screenshot of the Code - OSS repository page on GitHub]

This is the GitHub repository where Microsoft publishes the open-source version of Visual Studio Code. A user who is unaware that downloading Visual Studio Code from the official website actually gives them a different, proprietary build of the app might think that Microsoft has finally turned the page and embraced the open-source philosophy.

Visual Studio Code is a distribution of the Code - OSS repository with Microsoft specific customizations released under a traditional Microsoft product license.

What this means is that they won't compile this code for you. If you want the easy route, you go to Microsoft's website and download the version uploaded there, which contains "extra code" beyond what you're allowed to see. One of those "features" is telemetry, which is a nice way of saying: "We watch what you're doing with the app and analyze your behavior."

"We keep our app secret for security reasons..."

I'll go deeper into this lie, but the best counterargument one can make is... Windows. How well did secrecy work for it? I guess there's no point in writing about how many security holes Windows has been found to have over the years, or how many times it made the news as the main target of massive digital attacks. I'll just say that I WannaCry when thinking about Windows security. Also, no Windows 10 update goes by without Microsoft breaking something for some users. Whether it's deleting files or causing boot failures, their closed-source model is clearly bad when dealing with millions of devices.

If you remember from earlier, Company X (Mnemonic Mallet) tried to sell us the story that in order to keep their app secure, they have to keep everything secret. They also claim to want to keep the market free of scammers who might spin their app into something nefarious. Can this happen? Absolutely, yes! Does this happen, though? Yes, it does!

"So Company X is right?"


No, not at all.

  1. The number of people falling for this kind of scam is incredibly low.
  2. If a hacker wants to replicate the way your app looks, he can do so simply by looking at the app. There's no need to read the code to copy the appearance.
  3. A hacker doesn't need to make his app work like the original. It's enough for the user to download it and double-click the icon to get infected.
  4. Encryption algorithms are open standards, so unless Company X reinvented the wheel, their security is already out in the open. The strength of an encryption algorithm lies in how it works, not in keeping it secret.

What Company X is actually preventing is legitimate developers creating privacy-respecting versions of the original app. For example, looking at Visual Studio Code, how many apps do you know that look like it but are actually malware? Probably none, because the incentive to create such a thing is very small. But there are versions of Visual Studio Code compiled from the GitHub code that respect the user and their privacy; here is just one of them: VSCodium.

"How is it possible for companies to release the code of their app, yet still, give me a proprietary product?"

This is made possible by free and open-source licenses, some of them anyway. Specifically, it's made possible by so-called permissive licenses like the MIT License or the Apache License. While those licenses allow you to read, modify and redistribute the code, they don't forbid you from doing that and then slapping a proprietary license on the end product.


Those two popular licenses, MIT especially, are sometimes used to deceive users into thinking they get a free (as in freedom, not necessarily free of charge) and open-source product.

"Is there any license that would prevent such atrocities?"

Well yes, dear reader, there is the mighty GPL, which offers you the four freedoms as laid out by the Free Software Foundation:

  1. The freedom to run the program as you wish, for any purpose.
  2. The freedom to study how the program works, and change it so it does your computing as you wish. Access to the source code is a precondition for this.
  3. The freedom to redistribute copies so you can help others.
  4. The freedom to distribute copies of your modified versions to others. By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this.

There is a caveat to this license that companies like Microsoft or Mnemonic Mallet don't like: all changes must be released under the GPL (GNU General Public License) as well. This means they are unable to take GPL code, build a product with spying features and release it as proprietary software, yet they can do exactly that with MIT code.

"Then why don't more people use GPL?"

Because it would mean that companies like Microsoft or Mnemonic Mallet won't use their code. Amazon is one company known to systematically take MIT code and turn it into proprietary software for its AWS services. Even though this drives funding away from the original projects, developers still care more about publicity and notoriety, and if you think I'm wrong you can debate me in the comments. Software developers are a bunch of drama queens, crying when Amazon steals their work but refusing to change the way they license their software.

The last lie

Now that we've talked about licenses, I'll share with you the last method companies use to lie to you. Some products categorize themselves as Freeware. In this category fall apps like Google Chrome, Opera, CCleaner and Visual Studio Code (the one distributed by Microsoft). This term is made specifically to confuse. Freeware is not Free Software! The "free" in Freeware stands for free of charge only, guaranteeing the user no form of freedom. The "free" in Free Software stands first and foremost for freedom. Free Software can be paid software!


Ending thoughts

It's sad how companies try to profit off people's trust by hinting that they're something they're not. It's even sadder seeing fellow developers complacent in this whole situation, lamenting and taking no action. What do you think about these situations? Do you just accept them and carry on with your life, or do you take action to try to prevent these things, by using the GPL or by spreading awareness of those false prophets of open-source?



Alexandru-Balan

Happily married to a wonderful woman. Linux enthusiast, software developer and hacker of all things. I may be stupid, but at least I won't try to scam you.


Pr0gram Failure

A blog dedicated to development subjects that every programmer deals with all the time. Simple things we all google and then ask ourselves "are we even developers?" or things we do when writing software that we are ashamed of and would never share with others. This blog is dedicated to the average Joe of programming.
