this post was submitted on 17 Nov 2023
30 points (82.6% liked)
Open Source
31250 readers
246 users here now
All about open source! Feel free to ask questions, and share news, and interesting stuff!
Useful Links
- Open Source Initiative
- Free Software Foundation
- Electronic Frontier Foundation
- Software Freedom Conservancy
- It's FOSS
- Android FOSS Apps Megathread
Rules
- Posts must be relevant to the open source ideology
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon from opensource.org, but we are not affiliated with them.
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
It wouldn't matter much.
Most of what a bank does isn't on your phone, but server side.
In fact most bank apps could be replaced with an internal web browser that is pointing at their website, and a password manager, with no loss in functionality or change in security.
And if you'd like to review the client side code the bank is using you can just open dev mode in your browser, right now.
Are there any downsides to opening up the server-side code too? Would it also compromise other banks' security, since these banks need to interoperate?
It would be unwise for a bank to publish its exact fraud detection and risk management policies, otherwise they could be easily circumvented. A lot of these policies will be embodied in their internal backend services.
Someone will now inevitably mention "security by obscurity". But Kerckhoff's Principle is specifically about cryptosystems which should derive their security solely from the strength of the keys. That way, confidentiality is still ensured even when details about the cryptosystem become known to adversaries.
But non-cryptographic aspects of security benefit from asymmetric knowledge, from grey areas, from increasing risk for adversaries.