Open source is not possible

Open source and free software are based on the idea that you can inspect the source code, modify it and, from a security perspective, be reasonably sure that what you're running is the same as what is in the published source code. But is that even possible? I have been ranting about this subject for a while now, and I think it's time to put it down in writing. In short, my position is that you can't really call something open source on any of the large mobile platforms. For laptops, the situation is better, although not without caveats.

Why do we care about open source from a security and privacy perspective? There are two big reasons. First, we want to make sure that algorithms and protocols have been implemented correctly. Second, and more importantly, we want to be reasonably certain that the code doesn't contain backdoors of any kind.

On most computers, we can compile all our own programs. This makes it more likely that the source code and the binary correspond to each other: if there are no backdoors in the source, there are no backdoors in the binary. This capability of compiling the code on the same machine and in the same environment as we are running it, and then directly running it, is very powerful. It is not perfect, of course - there can be other components on the computer that insert backdoors either at compile time or at runtime. But if we can assume a non-hostile compiler and runtime environment, we know that the connection between source and binary is correct. Reproducible builds and distributed signatures can help further with this problem: if several independent parties rebuild the same source and sign the same resulting binary, a single compromised build machine can no longer silently change what everyone runs.
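As an added illustration of the "reproducible builds and distributed signatures" idea (example code written for this post, not part of the original text or of any particular project): several independent rebuilders each compile the source, publish the SHA-256 of the binary they got, and sign that digest. A user who compiled the same source locally then checks how many distinct trusted builders agree with their own digest and requires a quorum. The builder names, keys and artifact bytes below are constructed for the demonstration; the attestation format (builder name bound to the digest under an Ed25519 signature) is an assumption, not a standard.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Attestation is what an independent rebuilder publishes: its name, the
// digest of the binary it produced, and an Ed25519 signature binding the two.
// (Constructed format for this example, not a standard.)
type Attestation struct {
	Builder string
	Digest  string // hex SHA-256 of the artifact the builder produced
	Sig     []byte
}

// Digest returns the hex SHA-256 of a built artifact.
func Digest(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// signedMessage binds the builder name to the digest so one builder's
// attestation cannot be replayed under another builder's name.
func signedMessage(builder, digest string) []byte {
	return []byte(builder + ":" + digest)
}

// Attest is run by a rebuilder: hash what it built and sign the claim.
func Attest(builder string, priv ed25519.PrivateKey, artifact []byte) Attestation {
	d := Digest(artifact)
	return Attestation{Builder: builder, Digest: d, Sig: ed25519.Sign(priv, signedMessage(builder, d))}
}

// VerifyQuorum is run by the user: count distinct trusted builders whose
// signature is valid and whose digest matches our own local build, and
// report whether that count reaches the required threshold.
func VerifyQuorum(local []byte, atts []Attestation, trusted map[string]ed25519.PublicKey, threshold int) (int, bool) {
	want := Digest(local)
	agreeing := map[string]bool{}
	for _, a := range atts {
		pub, ok := trusted[a.Builder]
		if !ok {
			continue // unknown builder: its opinion does not count
		}
		if !ed25519.Verify(pub, signedMessage(a.Builder, a.Digest), a.Sig) {
			continue // forged or corrupted attestation
		}
		if a.Digest != want {
			continue // builder got a different binary: non-reproducible build or tampering somewhere
		}
		agreeing[a.Builder] = true // a map, so duplicates from one builder count once
	}
	return len(agreeing), len(agreeing) >= threshold
}

func main() {
	// Three constructed rebuilders with freshly generated keys.
	trusted := map[string]ed25519.PublicKey{}
	keys := map[string]ed25519.PrivateKey{}
	for _, name := range []string{"rebuilder-a", "rebuilder-b", "rebuilder-c"} {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		trusted[name] = pub
		keys[name] = priv
	}
	// Constructed artifacts standing in for compiler output.
	genuine := []byte("constructed artifact: the binary we compiled ourselves")
	tampered := []byte("constructed artifact: the same binary with an extra payload")
	atts := []Attestation{
		Attest("rebuilder-a", keys["rebuilder-a"], genuine),
		Attest("rebuilder-b", keys["rebuilder-b"], genuine),
		Attest("rebuilder-c", keys["rebuilder-c"], tampered), // this one disagrees
	}
	n, ok := VerifyQuorum(genuine, atts, trusted, 2)
	fmt.Printf("%d of %d trusted builders agree with our build; quorum met: %v\n", n, len(trusted), ok)
}
```

The disagreeing builder in the demo is the interesting case: it is exactly the signal that either the build is not reproducible or one party (possibly our own machine) is producing a different binary, and it is what a user of a mobile app store never gets to see, because there is no locally compiled binary to compare against.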

Sadly, this is simply not true on the major mobile operating systems. On both Android and the iPhone you can't really download the source code, compile it and then run it - you have to go through the app stores. The only way around this is to root your device and use one of the alternative app stores. But rooting your device also opens you up to many other kinds of attacks, so it isn't really a good recommendation for most users.

There are many open source applications out there that are published in the app stores. However, since you can't tell whether the binary installed from the app store corresponds to the published source code, I would argue that you can't actually call this open source at all. From the perspective of security, we just don't get the guarantees in these environments that we are used to from open source.