As there aren't any alternative FOSS apps, the customer cannot use these banking applications as intended.
I was therefore wondering: what would the implications be for an average, mid-sized bank of going completely open source? How feasible would it be to build such an app/transaction system, especially regarding the privacy and security measures required by law? And lastly, what organizational changes within the bank would be needed to make an open-source-friendly banking system possible?
This is hypothetical and solely out of curiosity. I am looking forward to the discussion. Thank you very much!
- catching up on 0days: as organizations grow in headcount, their internal review and release processes naturally become slower, inversely relative to the number of programming languages, frameworks and tools in their toolkit, which grows over time. Put everything out publicly and now everything is a possible attack surface.
- incentives on finding vulnerabilities: should you get $1k to $100k on bug bounty, or should you steal $1m to $10m when you can?
- complexity on an international scale: consider large fraudulent transactions through banks A, B, C, where each bank is headquartered in a different country. Will those banks comply / cooperate? Up to how much is insured? How long until users get their money back? Up to what point can law enforcement agencies be involved?
With closed source apps — as soon as you write for the JVM or in JS (i.e. Android and Web), you’re exposing the inner workings of your app… more or less. With C/C++ and similar stacks (read: Desktop or iOS or native parts of Android), one could argue that you expose less. But still, all code on clients is exposed, theoretically, so either way I don’t believe that open code itself would be much more problematic than what code is today in closed source apps. We did a bunch of things that are considered safety measures, and those could be coded into an OSS app as well.
But then, there is network encryption, potential implementations of cert pinning, integrations with other services/tools, secret keys, local storage, databases, and many other things that might be hard to lock down completely or even audit for security risks… this was the really tough part, I believed. But maybe it’s just my knowledge gap, that’s fair as well.
In the end, my thinking was “omg I’d miss something for sure, and it would be easy for hackers to kill the project and steal everything”… and therefore OSS is not the way to go. I’m more confident nowadays. But then again, cryptocurrencies are open for the most part… so that’s an interesting counter-argument I guess. (:
I wonder what others think. I also wonder if there are open tools or checklists for security audits…
Why not just use a banking web site, which already exists in most cases?
The only real "service" that most banking apps offer that isn't available on a web site is photo deposit of paper checks. Paper checks are kinda last century and are rapidly declining anyway. Oh and privacy invasion --- an app makes it so much easier.