Many people believe that open-source password managers are more secure because anyone can read the source code: if the developer does anything bad, we can all see it.
Is it true? To figure it out, we need to zoom in on how source code turns into an app.
"In computing, source code is any collection of code, with or without comments, written using a human-readable programming language, usually as plain text. The source code of a program is specially designed to facilitate the work of computer programmers, who specify the actions to be performed by a computer mostly by writing source code. The source code is often transformed by an assembler or compiler into binary machine code that can be executed by the computer. The machine code is then available for execution at a later time." (Source code, Wikipedia)
"Open source is source code that is made freely available for possible modification and redistribution." (Open source)
Do not misunderstand me. This article does not attack open source. It only tries to examine the relationship between open source and the security of password managers.
As you know, we cannot run source code directly. It must first be built into an app, which we then install on a device and launch.
Except for a few geeks who build apps themselves, most users just download apps from app stores.
So how do developers turn the source code into apps on app stores?
```mermaid
graph LR
    Source([1. Source code]) --> Build --> App --> Upload[Upload to app store]
    Libraries([2. Third-party libraries]) --> Build
    Builder([3. Build tools]) --> Build
```
We need these three essential components to build an app.
Source code. The developer writes the source code to implement the app features.
Third-party libraries. Users might not be familiar with them. Nowadays, apps are so complicated that almost any app needs many components (source code or SDKs) offered by third parties to implement its features. The trackers reported in "Security researcher recommends against LastPass after detailing 7 trackers" are examples of third-party components that help developers track user behavior.
Build tools. Computers and smartphones execute binary machine code. Build tools translate the human-readable source code into machine code and assemble the code into an app.
If the source code is the flour, then third-party libraries are the yeast, water, and salt, and the build tool is the oven. The dough goes in, and bread comes out :)
Zooming in, we can see that each of these hidden corners carries risk.
Is the source code used to build the app exactly the same as the published source code?
In 2019, "Disclosure: Key generation vulnerability found on WalletGenerator.net—potentially malicious" pointed out: "It was recently brought to our attention that the code being served via the WalletGenerator.net URL did not match the code on GitHub."
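A check of this kind, added here as an example and not code from the article or from WalletGenerator.net: hash every file in a downloaded copy of the served site and in a checkout of the repository, then report what differs. The directory layout and file contents in `demo()` are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(served: Path, source: Path) -> dict:
    """Report files whose content differs, and files present on only one side."""
    a, b = hash_tree(served), hash_tree(source)
    return {
        "modified": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
        "only_served": sorted(a.keys() - b.keys()),
        "only_source": sorted(b.keys() - a.keys()),
    }


def demo() -> dict:
    """Constructed sample: the served copy differs from the repository in one
    file and carries one file the repository does not have."""
    with tempfile.TemporaryDirectory() as tmp:
        src, srv = Path(tmp) / "github", Path(tmp) / "served"
        for tree in (src, srv):
            (tree / "js").mkdir(parents=True)
            (tree / "index.html").write_text("<html>wallet</html>")
        (src / "js" / "keygen.js").write_text("var seed = randomBytes(32);")
        (srv / "js" / "keygen.js").write_text("var seed = randomBytes(32); // changed")
        (srv / "js" / "extra.js").write_text("/* not in the repository */")
        return compare_trees(srv, src)


if __name__ == "__main__":
    print(demo())
```

Any entry under `modified` or `only_served` is a file the published source does not account for and needs an explanation before the served build is trusted.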
Vulnerabilities or even malicious code in third-party libraries.
Security issues in the open-source supply chain have become a hot topic in recent years.
In 2014, the Heartbleed bug was found in OpenSSL, the security foundation of most Internet websites, and the issue had been there for 2 years.
"Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."
Log4Shell, one of the highest-severity vulnerabilities disclosed in 2021 (CVE-2021-44228, CVSSv3 10.0), impacted 93% of all cloud environments, according to "Log4Shell 10 days later: Enterprises halfway through patching". Attackers who exploit the 20-year-old bug can do anything on the server, from stealing passwords to looting money.
In 2022, "Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps" reported that the developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects depending on 'colors' and 'faker'. Even a tech giant like Amazon AWS was affected.
End-users may suffer if third-party libraries containing malicious code are used in open-source apps.
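The defensive counterpart to the Log4Shell story above, added here as an example rather than code from the article: audit a dependency list for log4j-core versions inside the affected range. The version bounds in the comments are my assumption from the CVE-2021-44228 advisory, the dependency lines are constructed, and the version parser handles the `2.0-beta9` pre-release form that a naive numeric compare would get wrong.

```python
import re

# Bounds assumed from the CVE-2021-44228 advisory: 2.0-beta9 through 2.14.1
# affected, first fix in 2.15.0, fixed backports 2.12.2 (Java 7) and 2.3.1
# (Java 6). Check the current advisory text before relying on them.
VULN_ARTIFACT = "org.apache.logging.log4j:log4j-core"
AFFECTED_FROM, AFFECTED_TO = "2.0-beta9", "2.14.1"
FIXED_BACKPORTS = (("2.12.2", "2.13.0"), ("2.3.1", "2.4.0"))


def version_key(v: str) -> tuple:
    """Sortable key for versions like 2.14.1 or 2.0-beta9 (pre-release < release)."""
    main, _, pre = v.partition("-")
    nums = [int(x) for x in main.split(".")]
    nums += [0] * (3 - len(nums))
    if pre:
        m = re.fullmatch(r"([a-zA-Z]+)(\d*)", pre)
        return (tuple(nums), (0, m.group(1).lower(), int(m.group(2) or 0)))
    return (tuple(nums), (1, "", 0))


def is_log4shell_affected(version: str) -> bool:
    """True when inside the advisory range and not on a fixed backport branch."""
    key = version_key(version)
    if not version_key(AFFECTED_FROM) <= key <= version_key(AFFECTED_TO):
        return False
    return not any(version_key(lo) <= key < version_key(hi) for lo, hi in FIXED_BACKPORTS)


def find_log4shell(deps: list) -> list:
    """Return the group:artifact:version coordinates that are affected."""
    hits = []
    for line in deps:
        group, artifact, version = line.strip().split(":")
        if f"{group}:{artifact}" == VULN_ARTIFACT and is_log4shell_affected(version):
            hits.append(line.strip())
    return hits


# Constructed sample dependency list in Gradle-style group:artifact:version form.
SAMPLE_DEPS = [
    "org.apache.logging.log4j:log4j-core:2.14.1",     # affected
    "org.apache.logging.log4j:log4j-api:2.14.1",      # api jar is not the vulnerable artifact
    "org.apache.logging.log4j:log4j-core:2.0-beta8",  # before the affected range
    "org.apache.logging.log4j:log4j-core:2.12.2",     # fixed backport
    "org.apache.logging.log4j:log4j-core:2.15.0",     # fixed
]
```

Running `find_log4shell(SAMPLE_DEPS)` returns only the 2.14.1 coordinate; the same function applied to a real lockfile export is the check an open-source app's users cannot perform by reading the app's own source alone.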
Hacked build tools.
In 2015, "Thousands of iOS apps infected by XcodeGhost" reported infections in WeChat, CamScanner, and many of the most popular apps in China. See also "XcodeGhost Malware Infected 100+ Million iOS Users and Apple Said Nothing". The infected apps stole data from within the app and sent it to servers controlled by the attacker.
Later, in 2020, "A new Mac malware, tracked as XCSSET, spreads through Xcode projects and exploits two zero-day vulnerabilities, experts warn." In 2021, "New macOS Malware XcodeSpy Targets Xcode Developers with EggShell Backdoor." Apps affected by this malware can exfiltrate passwords and record audio, video, and the screen remotely.
Since there are hidden corners in the development process, it is very hard for normal users to ensure that open-source password managers are absolutely safe.
Can users find vulnerabilities by examining the source code? Very unlikely.
OpenSSL and Log4j were widely used by almost all the big tech companies, yet none of them found the vulnerabilities in time. Surprisingly, the Log4j vulnerability existed for about 20 years.
Do normal users really take the time to examine the source code of password managers? They are not security experts, let alone experts in the password management domain. Even if they do examine the code, they are unlikely to find vulnerabilities.
On the dark side, if an attacker spots a minor error, they might take the chance to check whether it can be exploited, and that is much easier when the source is available, since the attacker can modify the source code and debug the app.
The best way to mitigate this risk is to encourage white hats to discover vulnerabilities as early as possible, and to fix them promptly, by offering a monetary reward (a bug bounty).
Open source lowers software development costs dramatically and improves transparency. It is critical to the software ecosystem. However, if users blindly believe the open-source marketing that "open source = security" without understanding the pros and cons, they gain only a false sense of security.