by the_duke 3498 days ago
That's the old open source argument.

And while many things could most certainly be discovered by extensive, costly audits, that someone has to pay for...

OS code bases are huge.

How difficult would it be to hide functionality like this in some obscure code that's camouflaged as something else?

How hard would it be to automatically install an app that does this after first boot, disguised as some self updating or analytics feature?

Not very, I think.

If someone puts an Android fork online, who has the time to go through the changes to discover something like this?

Also, such features could even easily be placed on a tiny, dedicated chip inside the phone, completely apart from the OS.

If you don't build the hardware yourself, component by component (assuming that the components themselves are trustworthy), and audit every single LOC in the OS, something can always slip by.


The source code is not the only condition for security. However, it drastically decreases the threshold for the audits. People can even make a crowdfunding campaign and pay professionals, as was done with TrueCrypt.

But even without such a campaign, evil developers would be in constant danger that someone may discover a backdoor. It is a very unstable situation: just one person is enough to make a lot of noise, and everyone could be this person. And yes, people do read the sources:

https://www.fsf.org/blogs/community/who-actually-reads-the-c...

It's all about defense in depth:

https://en.wikipedia.org/wiki/Defense_in_depth_%28computing%...

> That's the old open source argument.

Indeed, so it's unfortunate that it doesn't get more discussion in situations such as these.

> How difficult would it be to hide functionality like this in some obscure code that's camouflaged as something else?

More difficult than it would be with proprietary software, where anyone at any time can add malicious code that may never even be discovered over the lifetime of the device.

Free software doesn't prevent malicious actors from contributing malicious code, but it certainly improves chances. It also makes such a move very risky. Just as laws are a deterrent for many crimes, so is public scrutiny.

> How hard would it be to automatically install an app that does this after first boot, disguised as some self updating or analytics feature?

In a fully free OS, this app would have been built from source. So the same arguments apply.

> If someone puts an Android fork online, who has the time to go through the changes to discover something like this?

Again, it improves chances. Here's a good example from Replicant:

http://redmine.replicant.us/projects/replicant/wiki/SamsungG...

> Also, such features could even easily be placed on a tiny, dedicated chip inside the phone, completely apart from the OS.

Sure, but that's not an excuse to throw our hands up and not worry about the security of the software running on it. The OS might even be able to itself mitigate certain things (e.g. the Samsung backdoor mentioned above).

This issue also exists on PCs:

https://libreboot.org/faq/#intelme

The promise of reproducible builds divides-and-conquers the system, allowing us to validate individual components. From there, we need to be concerned about how well the source code for each component is managed.

Projects have the option to only accept contributions from known entities. If your identity is public knowledge, trying to sneak a backdoor into version control is high-risk.

Openness is a viable stratagem for hardening and reducing the attack surface. It does not have to be perfect to make meaningful improvements towards a layered defense.
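The "divide and conquer" that reproducible builds give you, as an added example that is not part of the thread above or of any project it mentions: two independent builders check out the same source at different times, and only the normalised build produces byte-identical output, so a single hash comparison validates the component, and a planted change shows up as a mismatch. The sample source tree is constructed for the example, and packaging with Python's tarfile stands in for the real compile step; the normalisations (sorted paths, fixed mtime in the SOURCE_DATE_EPOCH style, zeroed owner, fixed mode) are the same ones real reproducible-build toolchains apply.

```python
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample component (not from any real project): path -> contents.
SAMPLE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int helper(int x) { return x + 1; }\n",
    "README": b"Example component\n",
}

# Same component with one planted line, to show that the check catches it.
TAMPERED_TREE = dict(SAMPLE_TREE)
TAMPERED_TREE["src/util.c"] = SAMPLE_TREE["src/util.c"] + b"/* planted */\n"


def write_tree(root, tree, mtime):
    """Materialise `tree` under `root`, stamping every file with `mtime`
    (simulates a checkout made at a particular time on one builder)."""
    for rel, data in tree.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))


def naive_build(root):
    """Pack the tree the way a careless build does: directory-walk order,
    real mtimes, real uid/gid and mode. Two builders rarely agree."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                full = os.path.join(dirpath, name)
                tar.add(full, arcname=os.path.relpath(full, root))
    return buf.getvalue()


def reproducible_build(root, source_date_epoch=0):
    """Pack with every builder-specific detail normalised: sorted paths,
    fixed mtime (the SOURCE_DATE_EPOCH convention), uid/gid 0, fixed mode."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for dirpath, _, filenames in sorted(os.walk(root)):
            for name in sorted(filenames):
                full = os.path.join(dirpath, name)
                info = tar.gettarinfo(full, arcname=os.path.relpath(full, root))
                info.mtime = source_date_epoch
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                info.mode = 0o644
                with open(full, "rb") as f:
                    tar.addfile(info, f)
    return buf.getvalue()


def digest(blob):
    return hashlib.sha256(blob).hexdigest()


def independent_builds(tree, builder_times):
    """Check out `tree` on several 'builders' (one per checkout time) and
    return (naive_digests, reproducible_digests) for comparison."""
    naive, repro = [], []
    for t in builder_times:
        with tempfile.TemporaryDirectory() as root:
            write_tree(root, tree, t)
            naive.append(digest(naive_build(root)))
            repro.append(digest(reproducible_build(root)))
    return naive, repro


def builds_agree(digests):
    """True when every independent builder produced the same artifact."""
    return len(set(digests)) == 1


if __name__ == "__main__":
    naive, repro = independent_builds(SAMPLE_TREE, [1_600_000_000, 1_700_000_000])
    print("naive builds agree:       ", builds_agree(naive))
    print("reproducible builds agree:", builds_agree(repro))
    _, tampered = independent_builds(TAMPERED_TREE, [1_600_000_000])
    print("tampered matches clean:   ", tampered[0] == repro[0])
```

The point of the comparison is that once the artifact is a pure function of the source, anyone with the source can rebuild it and check the hash, so a backdoor inserted at build time (rather than in the reviewed source) no longer has anywhere to hide; a mismatch between builders then has to be explained, which is exactly the kind of scrutiny the comments above are talking about.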