At a time when public trust in “big tech” is at an all-time low over countless data breaches and privacy scandals, even companies that specialize in online security are having to go the whole nine yards to convince people that they’re serious about privacy.
Encrypted email service ProtonMail this week announced that its iPhone app is now open source, with anyone able to peruse the code on GitHub. Why? Well, thousands of eyes are better than dozens of eyes in terms of spotting flaws in the source code. Moreover, full transparency fosters a higher degree of trust where trust is paramount.
“We believe in transparency, the power of community, and building a more private and secure future for all,” the company wrote in a blog post. “Open source provides transparency and accountability to the Proton community. Allowing people to see and review our code increases trust in both the security of the platform and our commitment to develop a more secure and private Internet.”
Switzerland-based Proton, the company behind ProtonMail, had previously announced plans to open-source its mobile apps, and its web app has been open source since 2015. The release of the iPhone app's source followed the completion of a lengthy code audit by a third party, SEC Consult, which published its report this week along with details of seven low-risk vulnerabilities. Most of these have now been addressed.
Proton prioritized iOS over Android because it had "received threat intelligence about a suspected Chinese malware targeting activists using iOS devices," a spokesperson told VentureBeat. There is precedent: activists and human rights defenders have been targeted through iOS vulnerabilities by state-backed hackers before, and last month Amnesty announced that a Moroccan human rights lawyer was targeted with spyware from Israeli cyber intelligence firm NSO, which helps nations deploy mobile surveillance technology.
More broadly, countless reports have emerged of late around a flaw in WhatsApp that was used to spy on journalists, activists, and senior government officials. Like WhatsApp, ProtonMail's core proposition is end-to-end encryption: messages are encrypted on the user's device before they are sent, so nobody who intercepts them in transit can read them. Not even the company itself. That guarantee rests on the app itself, since the client is the component that performs the encryption; a flaw in its code could undermine the promise no matter how strong the underlying protocol is. That is why Proton is making its mobile apps open source, so that the code can be reviewed by anyone. Lives could literally depend on it.
“There has been a recent increase in state-sponsored malware attacking iOS, and in some cases specifically targeting ProtonMail users,” the company wrote. “At Proton, security is our overriding priority, particularly because of the many dissidents and activists who use our service.”
A spokesperson confirmed that the Android app is currently still being audited, and will join the iOS incarnation on GitHub in the future.