Let’s say, I create a bank with the caveat that all of my banking phone apps and webapps are FOSS (or if they depend on non-free components — banks probably do to communicate with each other —, then just OSS). Am I going to be behind the competition by doing this?
If the most secure crypto algorithms are the ones that are public, can we ensure the security of a bank’s apps by publicizing it?
Are they not doing this because they secretly collect a lot of data (on top of your payment history because of the centralized nature of card payments) through these apps?
EDIT: Clarifying question: Is there a technical reason they don’t publicize their code or is it just purely corporate greed and nothing else?
What incentive would a bank have to release their apps as FOSS?
You probably could create an open source banking app and use it to run a bank on a primarily open source software stack. But banks are not software companies, and they have no reason to engage with the FOSS world. We could think up lots of potential reasons for why a bank might not want to release their apps as FOSS, but the simplest answer is “why would they?”
I’d love to live in a world where free software is the norm, but we’re not in that world. So if the bank has no incentive to do it other than the comparatively niche interests of the FOSS community, they just won’t do it.
There is also a lot of “security by obscurity” in the corporate/fintech world - “it’s open source so everyone can see the code which makes it less secure”. The inverse is often true thanks to Linus’s Law.
> The inverse is often true thanks to Linus’s Law.
The article you linked seems to suggest that Linus’s Law is a mere suggestion, at best.
No one is suggesting that open source is inherently less secure, just that the vulnerabilities are easier to find, and thus easier to get exploited. For a third party reviewer there’s a lot of incentive not to report bugs they would find in banking software.
> No one is suggesting that open source is inherently less secure
Unfortunately, I’ve met a number of people who genuinely do believe this! The same demographic who don’t know how copy and paste works or take photos of stuff on their monitor instead of print-screening and tend to end up running large corporations even though they’re completely out of touch.
If your software makes your clients’ life easier and your internal operations cheaper/faster/whatever, it’s a competitive advantage. Why would you give it away? Corporate greed or healthy competition, I suppose, depending on your point of view.
Like, literally. That’s their job description.
As long as the bank has a good API, there’s nothing stopping anyone except money.
There is a cost to making a good app. And banks have no incentive to open source their current apps - if it’s any good it’s a competitive advantage.
For example - I’m currently using a bank because their app is awesomely good (compared to other banks). Why would they open source it - it means customers might go to other banks who do better on interest rates, or fees.
Thanks to PSD2 most European banks have APIs, so there isn’t actually any requirement to use the bank’s apps anymore.
Tell me more? Are there opensource banking apps that work or can for example gnucash use these APIs?
Absolutely, you are the company paying for all the work of the FOSS app, having to ensure it meets FCC regulations for banking. It’s a huge mess. Costs millions to do. Pull requests can’t just be taken; they must be studied by several teams, and a lot of the time it’d be easier and better if that code came internally so you’d be able to directly communicate with the author. That said, FINOS exists (https://www.finos.org/). They are more about adopting the usage of open source libraries rather than writing their own, though.
Overall you’d get no to little benefit and lose a competitive edge while causing more technical headaches following standards to open source your code.
I don’t know of anything stopping banks from creating FOSS apps, but since it’s not their area of expertise, I think they’re more likely to license an app from a provider, and existing providers don’t have a compelling incentive to open-source their apps.
If we want FOSS banking apps, I think the first and most important step would be legally requiring banks to provide standard APIs.
something something something, security by obscurity (of source code)
License bullshit. Already had a call with a smaller sustainable bank (GLS) and they are mostly totally dependent on bigger mother banks and their weird security ideas.
> Am I going to be behind the competition by doing this?
Yes, because you are due a lot more diligence with open source, and that will slow down your releases.
> If the most secure crypto algorithms are the ones that are public, can we ensure the security of a bank’s apps by publicizing it?
You trade security by obscurity for security by expert oversight. I’m not a lawyer or banking auditor, but I’d say that while zero-days are problematic for open source software projects, they can be life-ending for banks.
> Is there a technical reason they don’t publicize their code or is it just purely corporate greed and nothing else?
This is a false dichotomy. Financial reasons to not publicize the code are technical reasons. Finance is technical.