• Excrubulent@slrpnk.net
    link
    fedilink
    English
    arrow-up
    44
    ·
    6 months ago

    The whole point is that at some point somebody can check, and you can have a higher level of trust in that than proprietary software.

    And if someone does something like this then it has to be disguised as an innocuous bug, like heartbleed, they can’t just install full on malware.

    It’s a different beast entirely.

    • Jako301@feddit.de
      link
      fedilink
      English
      arrow-up
      19
      ·
      6 months ago

      If we are talking about bigger projects with hundreds of thousands or millions of downloads, than this may be true. But smal scale projects have so few people actively looking through them that even to automatic scan done by the playstore has a higher chance of catching malware. It doesn’t even have to be bad intent, two years ago there was a virus propagating trough the Java class files in minecraft mods which reached the PCs of quite a few devs before it was caught.

      I don’t dislike FOSS, a lot of the apps I use come straight from github, but all this talk about them beeing constantly monitored by third parties is just wishful thinking.

      • Excrubulent@slrpnk.net
        link
        fedilink
        English
        arrow-up
        2
        ·
        6 months ago

        Okay, but that’s a different claim than that you have to personally vet and compile every single thing you use, which is what I was responding to.

        Open source isn’t perfect, but it is objectively and obviously better than closed.

        • Jeena@jemmy.jeena.net
          link
          fedilink
          English
          arrow-up
          2
          ·
          6 months ago

          My whole point is that you can not point to a 3rd party checking for you and claim that it secure because someone else already checked. And I brought two examples which contradict this claim.

      • Miaou@jlai.lu
        link
        fedilink
        English
        arrow-up
        2
        ·
        6 months ago

        I’m not sure you’re understanding the argument: you cannot monitor closed source, therefore, you have at least as many eyes looking at my random crap on github as you do on the random crap some companies are doing.

        • Jako301@feddit.de
          link
          fedilink
          English
          arrow-up
          4
          ·
          edit-2
          6 months ago

          And you didn’t understand what I said. While you can not monitor closed source at the code level, you definitely can monitor the apps behaviour. Even the automatic threat protection from the playstore protect function is worth more than the measly amount of people looking through smaller projects codebases.

          I hate Google with a passion, but with all their control over android devices, they are more than capable of scanning apps for malicious behaviour and automatically removing them. These few apps in the article are the 0.01% of malicious apps that their algorithm didn’t detect.

    • dalakkin@lemmy.world
      link
      fedilink
      English
      arrow-up
      8
      ·
      6 months ago

      There is no guarantee that the released app is exactly the same as the source code when getting it on Google Play. You’d have to decompile or compile from source and try to compare.

      Using F-Droid is good alternative.