Is That App Open Source?

A modest proposal:

Give mobile device users the option to see which apps are open source, when browsing in app stores, and the option to know that the open source app they’re installing was actually built from the publicly-accessible source code it claims to be built from.

Right now, when an app is labeled “Free”, you have no way of knowing whether that means “no fee to download” or actually means “open source” [1]. Usually it’s the former, but not always. For example, in Android-land’s default online app catalog, Google Play, here is what “Free” looks like:

The Google Play Store, with the open source badge option turned off.

Which of those are open source? How would you tell?

But if there were an option in Settings, to display the OSI logo for apps distributed under OSI-approved licenses, then it would be easy:

The Google Play Store, with the open source badge option turned on.

The setting wouldn’t have to be the default (although it’d be great if it were). Those who care can turn it on, and they’ll see the OSI-approved badge next to apps that are open source. Maybe touching the logo could take the user to more information, such as a page showing the specific license, the app’s home page, the exact version of the source code and the build configuration that would be behind the app that gets downloaded if the user clicks “Install”, etc.

Why do I care?

I strongly prefer to install open source apps on my Android devices. When software is open source, I know it will always be maintained as long as it has a user base, and that no one can ever shut it down or take it away. This makes me much more willing to depend on it and invest time in learning it. Because I know other parties are making the same calculation — especially vendors who can provide third-party support — there’s a positive feedback loop, a virtuous circle that ensures I will never be p0wn3d by someone else’s monopoly over the code that runs on my devices.

Furthermore, from a security and trust perspective, in many cases I’d like to be able to know that the app I’m installing is directly derived from the published source code. Although open source is no guarantee that the code has been vetted, it raises the chances that the code has received some scrutiny, and it at least enables people to take responsibility (or outsource responsibility) however they want to, instead of leaving them in the position of simply hoping that an app has not been maliciously rigged.

Before app stores came along, figuring out whether software was open source was pretty easy. You could look at its documentation, visit its web page, ask your operating system’s package management tool, simply make sure to obtain it from sources known to provide only open source software [2], etc.

So the question “Is this open source?” was generally easy to answer, as were the related questions “If it’s open source, where’s the development site? Where’s the bug tracker? Where’s the development community? Where can I get third-party support?”

But mobile app development culture isn’t there yet. I think there are two main reasons for this:

First, app developers have only partial control over how their apps are presented to users: presentation is now centralized in the app stores, so the store admins determine a lot.

Second, the app store way is that users pay a small fee (sometimes zero, but often in the $1 to $5 range) for downloading an app, and the stores haven’t yet made it easy for people to pay that fee even for apps clearly labled as open source. Depending on how you look at it, the fee would then be either a donation, or a convenience fee instead of a license fee. It could also have a set-your-own-price option, so that the app developers don’t have to decide in advance what people are willing to pay. In any case, there’s no reason open source developers shouldn’t have a chance to make it easy for users to send them money (and yes, people really will) — it’s just that the app stores haven’t provided a mechanism for it yet, because they’re not yet distinguishing between “no fee required” and “freedom”.

The ability to at least see open source would be a good place to start.

Thoughts?

[0] Disclaimer: I’m a former director at the Open Source Initiative, but in this post am speaking only for myself. I think this might be an interesting idea for the OSI to push for, though! Comments welcome.

[1] In this context, the term “open source” is synonymous with “free software”.

[2] The Debian GNU/Linux operating system makes this particularly easy, by providing open source packages by default, offering non-open-source ones via a clearly-labeled alternate route, and offering vrms so you can get a licensing report at any time.

7 comments

  1. Have you seen F-Droid? It attempts to address part of this problem but there is a lot of work needed before it could be mainstream.

    Some kind of OSI-endorsed app which provided an alternative index into the Google market would be a nice trick too, and probably not too hard to do, with the actual classification work being crowd-sourced. F-droid’s database would probably make a good starting point, too.

    Cheers,
    Andrew McMillan.

  2. Except… I don’t care if the app costs nothing. And I don’t think all Open Source apps will be costless. In fact, I prefer to pay for them if there’s an option for that.

    But I care very much if the app is Open Source. So many apps do so many sneaky and underhanded things behind your back. I want to know that I can verify that your app doesn’t do those things.

  3. I know it’s just a mock-up, but (for example):

    Tiny Open Source Violin – “open source” yes, but no license at all
    MyTracks – most of the code is distributed under the Apache License, but libgoogleanalytics.jar, which comes with it, is not
    OpenGPSTracker – requires that you have the proprietary Google Maps application installed, won’t run without it (although there is a version that will, using OpenStreetMap, available in F-Droid)

  4. @Omnifarious:

    I’m with you. I think we’re looking at one of those situations where relatively small infrastructure tweaks could have a huge impact on the economics of a whole class of developers. Right now, with app stores, we essentially have operator billing (with all the convenience and fast decision-making on the part of the user that that implies), but with open source developers somewhat frozen out, because there is a) no clear way for them to communicate to the users that the apps are open source, and b) no way for them and the user to have a conversation — that both sides would like to have! — about payment choices, say through user-set pricing. I’d pretty much always pay too. I know we’re not alone, and we don’t even need to be a majority for this to work.

    @CiaranG:

    Thank you — very good points. I didn’t follow Tiny Open Source Violin into its detailed description.

    Some of those issues are similar to, e.g., open source software that runs on MS-Windows (or on any proprietary platform): it still depends on proprietary modules that are part of the underlying OS.

    With Android, the definitions are a bit fuzzy. Is the Google Maps application part of the OS? Well… sort of, sort of not. Chances are it was on the phone by default at the time the device was acquired, but in theory it could be removed.

    So we’d have to have a reasonable definition for use of the logo. I think if all the code that is shipped for the application in question is under an open source license, and only depends on base OS functionality or on apps that the vast majority of devices ship with, it’s reasonable to label the topmost app open source. Perfection is going to be rare, but we can get most of the dynamics of open source here. Maybe clicking on the logo could bring up a more detailed explanation (written by the authors, not by the app store).

  5. This is a great article. I was just wondering the same thing today. Sad that it’s now 2.5 years past the date of your post and the problem still persists. Thanks for writing, though.

  6. F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform.

    Then there are fossdroid.com and droid-break.info

Leave a Reply

Your email address will not be published. Required fields are marked *

Rants.org Comments Policy

eight + two =