- rants.org - https://www.rants.org -

Is That App Open Source?

A modest proposal:

Give mobile device users the option to see which apps are open source, when browsing in app stores, and the option to know that the open source app they’re installing was actually built from the publicly-accessible source code it claims to be built from.

Right now, when an app is labeled “Free”, you have no way of knowing whether that means “no fee to download” or actually means “open source” [1] [1]. Usually it’s the former, but not always. For example, in Android-land’s default online app catalog, Google Play [2], here is what “Free” looks like:

The Google Play Store, with the open source badge option turned off. [3]

Which of those are open source? How would you tell?

But if there were an option in Settings, to display the OSI logo for apps distributed under OSI-approved licenses [4], then it would be easy:

The Google Play Store, with the open source badge option turned on. [5]

The setting wouldn’t have to be the default (although it’d be great if it were). Those who care can turn it on, and they’ll see the OSI-approved badge next to apps that are open source. Maybe touching the logo could take the user to more information, such as a page showing the specific license, the app’s home page, the exact version of the source code and the build configuration that would be behind the app that gets downloaded if the user clicks “Install”, etc.

Why do I care?

I strongly prefer to install open source apps on my Android devices. When software is open source, I know it will always be maintained as long as it has a user base, and that no one can ever shut it down or take it away. This makes me much more willing to depend on it and invest time in learning it. Because I know other parties are making the same calculation — especially vendors who can provide third-party support — there’s a positive feedback loop, a virtuous circle that ensures I will never be p0wn3d [6] by someone else’s monopoly over the code that runs on my devices.

Furthermore, from a security and trust perspective, in many cases I’d like to be able to know that the app I’m installing is directly derived from the published source code. Although open source is no guarantee [7] that the code has been vetted, it raises the chances that the code has received some scrutiny, and it at least enables people to take responsibility (or outsource responsibility) however they want to, instead of leaving them in the position of simply hoping that an app has not been maliciously rigged.

Before app stores came along, figuring out whether software was open source was pretty easy. You could look at its documentation, visit its web page, ask your operating system’s package management tool, simply make sure to obtain it from sources known to provide only open source software [2] [8], etc.

So the question “Is this open source?” was generally easy to answer, as were the related questions “If it’s open source, where’s the development site? Where’s the bug tracker? Where’s the development community? Where can I get third-party support?”

But mobile app development culture isn’t there yet. I think there are two main reasons for this:

First, app developers have only partial control over how their apps are presented to users: presentation is now centralized in the app stores, so the store admins determine a lot.

Second, the app store way is that users pay a small fee (sometimes zero, but often in the $1 to $5 range) for downloading an app, and the stores haven’t yet made it easy for people to pay that fee even for apps clearly labled as open source. Depending on how you look at it, the fee would then be either a donation, or a convenience fee instead of a license fee. It could also have a set-your-own-price option, so that the app developers don’t have to decide in advance what people are willing to pay. In any case, there’s no reason open source developers shouldn’t have a chance to make it easy for users to send them money (and yes, people really will [9]) — it’s just that the app stores haven’t provided a mechanism for it yet, because they’re not yet distinguishing between “no fee required” and “freedom”.

The ability to at least see open source would be a good place to start.


[0] [10] Disclaimer: I’m a former director at the Open Source Initiative [10], but in this post am speaking only for myself. I think this might be an interesting idea for the OSI to push for, though! Comments welcome.

[1] [11] In this context, the term “open source” is synonymous [12] with “free software”.

[2] [13] The Debian GNU/Linux [14] operating system makes this particularly easy, by providing open source packages by default, offering non-open-source ones via a clearly-labeled alternate route, and offering vrms [15] so you can get a licensing report at any time.