by UncleMeat 3095 days ago
This "problem" has precisely nothing to do with open source vs closed source. "Tell me the list of activities that are public" and "tell me the name of each activity as I launch it" are baby's-first-app-analysis level and work equally well on open and closed source apps.

Are we really concerned about an exploit that requires somebody to have unlocked access to your phone?


I'm not saying that's the problem, I'm just suggesting that you have to have a lot of faith in a company to trust it with all of your passwords, especially when there's only a handful of eyes on its source code.

It's not for me, personally.

And yes, because the scariest aspect of password managers is the fact that you have basically shifted the responsibility of "I use the same password everywhere" to a different party.

Given the recent number of cripplingly awful security bugs that have been found in open-source infrastructure projects (Shellshock, Heartbleed, etc.) which have been in the wild for many years before being discovered, I'm rather less interested in arguments that open-source software is supposedly more secure than closed-source due to the number of eyes that are supposedly on it. When was the last time there were any security flaws of that magnitude in the Windows Server/IIS stack?

The reality seems more like that even if anybody can look at the code, auditing security code well is damn hard, very few people can do it well, and those people basically never audit open-source projects in their spare time. How secure something is depends more on how battle-tested it is, how good the people who wrote it are, and how well and often it's been tested for security flaws by experts.

Prove that open source has more eyes than closed source. You can't, because in reality it's most likely not true for the vast majority of software. Most software requires an incentive to look over the code and the skill to do it. The incentive to do it for closed source is money; for open source it's warm fuzzies or personal interest. I really love open-source software, but code review is clearly not a benefit for the vast majority of people.