Security-wise: closed-source tech giant app vs FOSS of a single developer

What app is more likely to have severe security vulnerabilities not found by devs or unpatched for a long time:
• closed-source app of a tech giant, e.g. Google,
or
• FOSS app of a single enthusiast, e.g. GitHub - FossifyOrg/File-Manager: Easy app for managing your files without ads, respecting your privacy & security (all other contributors seem to submit just translations)?

Not enough info, but I will say I’m not comfy giving all my files to a third-party app.

Basically Google Files vs the Fossify File Manager, if we need a specific example.

Short answer: it just depends

Long answer:

I’m putting on my security hat and not my privacy hat.

The security of an application and the risk it poses depend on the permissions it needs. If I had an application that required no significant permissions to my device (and my OS allows fine-grained permissions per application), then I’d probably say it doesn’t matter.

If the application is not network based, then the security threat is going to be based on someone having physical access to your phone, your phone already being compromised, and ensuring that the application isn’t malware of some kind. In this scenario, I’d say this is largely about how much you trust the source of the application. I’d imagine a tech giant app is going to be relatively secure in this regard, and a FOSS application will be hard to sneak malware into as the code is quite publicly visible.

If the application is network based, then security involves ensuring that the network communication is secure and does not compromise your device. This is where further discussion would be needed with specific examples.

Basically Google Files vs the Fossify File Manager, if we need a specific example.

I imagine Google Files to be plenty secure (I generally assume Google has a decent baseline level of security and reasonable updates) with some integrations to Google itself. Unsure if network based.

Unsure of how mature the Fossify File Manager is. Looking at the inception of Fossify seems to show it’s the FOSS fork of SimpleMobileTools, which seemed to have sold out, so the reputation seems fine enough.

Given the Fossify File Manager is offline, I’d personally say the risk of a security breach is quite low (?), so it’s probably fine to trust for a threat model where you aren’t worried about physical device compromise. If that is your worry, then you should consider whether the application handles file encryption to your needs.

I answered the above to provide context for what I will say below:

I think this question is generally too vague and really not going to have a good answer.

  1. Security vulnerabilities aren’t binary - there are levels to the severity. Different applications have different levels of vulnerabilities. There is no one blanket-fits-all assessment for Closed Source Tech Giant App vs FOSS Single Maintainer App.
  2. The best you can come up with for 0-day vulnerability risk would be to take all factors into consideration and build some sort of model that predicts the likelihood of such a vulnerability. This would be a combination of the code base size, code complexity, frequency of updates, previously known vulnerabilities for the entity, and probably more.

In this case, I think you really wanted to ask to compare Google Files vs the Fossify File Manager. Overgeneralizing the decision from these two might lead to unintended choices.

Lastly, without a specified threat model, the possibilities become boundless and it is hard to make a decision. It might be good to provide what vulnerability you are trying to protect against; it might end up not mattering which one you choose, and you can then choose based on how much you actually like the application.

Or if you want FOSS but are worried about a single maintainer, why not look for a FOSS app that has more resources as of today: maybe the Amaze File Manager? I haven’t vetted that myself, but that was just an example that seems to have more devs working on it, and has been around since 2014 (vs the Fossify File Manager being around since 2022 and the first release on January 6th this year?).

3 Likes

Fossify specifically is a fork of the Simple Mobile Tools that was created when Simple Mobile was bought, so it’s been community developed, and I think Fossify is a community project as well, just helmed by one person doing a lot of the work right now.

2 Likes

I read a thread from recommendations

It seems I should better lean towards tech giants or highly popular FOSS with many eyes watching, so the chance that someone indeed cares about security is higher, at least making sure that libraries with severe CVEs are updated.
AmazeFileManager looks like one I can trust.

Regarding threat model, I consider remote attacks, not physical access. I skip apps with no updates for >1y, simply to “stay updated”. I don’t know the technicalities of it, I just follow general safety recommendations like this. Exploits can be bizarre and you would never guess it’s even possible to hack this with that.

1 Like