Where can I submit an application to be vetted?

I don’t know if this is a thing that exists, but I’ll describe my idea.

Is there a site, forum, or community where people can request for open source projects to be vetted and knowledgeable people from the community who have been vetted themselves take up the requests that interest them?

I ask for people like me who are not technical. We only have so many ways to gauge the trustworthiness of an application. Is it widely used in the privacy space? Is it widely used at all? Is it open source? What’s the history of the project; do they have any scandals? What red flags are there that are important to know about depending on your threat model? All of these are good questions that should be asked by anyone, but they have one thing in common - they are not asking about the code itself. Because I can’t code, I can’t tell whether something is safe or not. I need other people to tell me.

This is not a problem for popular applications. As an example, Bitwarden is open source, has been audited, and as recently as last week has been poked at by security researchers. But what about smaller projects that don’t get the same amount of attention?

Here’s an app that has piqued my attention: Trail Sense. It’s a compass and survival app that, according to their GitHub, “must not use the Internet in any way, as I want the entire app usable when there is no Internet connection”. Super cool, right? But is it safe? I want to say that it probably is, but with only 10,000+ downloads in the Google Play store, this is an instance of an app being unknown enough to fly under the radar, which means I don’t know if it’s gotten the attention of people who could take a look under the hood and verify that it’s all good.

Side note: Trail Sense looks really cool and I don’t mean to throw any shade at them at all! Literally everything about the app gives me a good vibe from a security and privacy perspective. Just using it as an example.

If there was a forum where technical people hang out that also had a mechanism for submitting applications for review, folks like me could quietly ask for apps to be reviewed with the hope that someone will take a look, maybe provide a report on what they see, and then that report can be logged for future reference. Ideally I’m imagining something more formal than just a reply that says “looks good”.

Exodus seems to be the closest thing to what I’m looking for - they literally have Trail Sense listed, which I only checked after I wrote all of this, lol. But it doesn’t seem to have a way of requesting applications to be reviewed; only a way to submit your own analysis. Also, it’s limited to Android apps whereas I may have questions about desktop apps or browser extensions. There could also be more to discuss than just trackers and permissions.

So is there any place like that? :sweat_smile:

What you’re talking about would be great, but you would have to have trust in the security and privacy audit. Trust is built up through acceptance; for example, Google Play states it is safe enough for you to use. Viewing the permissions, your operating system is showing you this is safe if you agree to this. Layers.
The privacy and security audits would be the exact opposite, working back to the programming language.
If you look at how you would trust the browser privacy test in a recent Techlore video, you’re looking at maybe 20 apps, each browser an app. Then factor in plug-ins and setting changes and you’re looking at millions of combinations. You absolutely can break the privacy and security of an app, and likewise you can make about any app safe to use.

Link back to Techlore Video.

PrivacyTests: https://privacytests.org/
Testing Site: Privacy Protections Tests

Unless it is well documented, I don’t think even a developer can tell if a code is safe. I think the stuff you listed above are more important than the code itself (and code can change).
You may find this helpful.

That’s why in my mind it would be important that whoever is doing the audit be shown to be trustworthy in some way. More than likely I’m imagining public security researchers who have a reputation who would be doing this, but that’s a tall task to think that someone like that would want to do more of that on their free time. Maybe not, I don’t know. If the person doing the audit is trusted, then I don’t have a problem accepting their recommendations, just like I try to watch for trusted YouTubers, organizations, or online resources to make recommendations.

Isn’t the point of security audits to look at the code and examine the application itself? If going through the documentation is where the magic happens, I could potentially read that myself. To your point, though, it probably would be too technical for me to understand. Even having a researcher make sense of the documentation would be helpful, I guess.

I reflect back to the browser privacy test posted previously. Open source test which can be completed by an individual and audited by anyone.
We had some real fun here a while back checking out various browser and VPN service combinations with a test, to compare what was leaked.
If you could have a simple GUI which showed a pass or fail report on what your apps were leaking to whom, then I think that would be cool to check out.


I think @404 meant the internal documentation (i.e., comments). Most of the code in FOSS projects, especially the smaller ones, isn’t the cleanest and most readable thing. Even an expert could struggle if it were written in such an unconventional way and lacked proper inline comments.


Let’s not forget the toxicity and bigotry in the open source space; the developers/community could get egoistic and bigoted enough to ignore the issues highlighted by the said security auditing group.

I know that this exists, but I fortunately haven’t seen it. However, that could be something that comes with the job, i.e., you shouldn’t sign up for it unless you’re at least somewhat aware that you could be targeted for negative criticism based on what you find. Of course, if this hypothetical community existed, it should not allow that kind of abuse either. It should also regulate the feedback to keep it respectful and constructive to avoid adding fuel to the fire.

Even without this idea for a community, though, it’s important to point out flaws in projects when they exist because it’s to keep folks safe. We ought to be levelheaded about it, but we should still say it and receive the feedback well.

Of course, easier said than done, lol.