A couple of days ago, users were surprised when none other than encrypted email service ProtonMail announced it was putting up its iOS app code on GitHub.
Here’s ProtonMail’s explanation:
Why open source?
Proton, security is our overriding priority, particularly because of the many dissidents and activists who use our service. Our emphasis on security extends to all areas of our work, from our use of end-to-end encryption, to the way we engineer our applications. As part of our commitment to security, we are putting all of our software through rigorous, independent third-party audits.
Already there are third-party audits for OpenPGPjs and GopenPGP, our open source cryptographic libraries. Earlier this year, we engaged the renowned security firm SEC Consult to conduct an independent audit of ProtonMail’s iOS application. We are now making our iOS app open source now that it has been independently vetted. For more information, read the full iOS app audit report.
Open source provides transparency and accountability to the Proton community. Allowing people to see and review our code increases trust in both the security of the platform and our commitment to develop a more secure and private Internet. By making our code available to the world, and with the help of our bug bounty program, we can leverage the global Proton community to make our software as secure as possible.
Open source at ProtonMail
We strongly believe in open source, and we are committed to open sourcing all of our client software. In pursuit of this goal, independent third-party audits of all our other clients are underway, and we look forward to open sourcing even more of our code.
In addition to making our iOS app open source, we have also documented and published our iOS security model. This is important to us because raw code without documentation can be almost unintelligible sometimes, and a documented security model will assist in rigorous assessment and review of our code by the public. Our iOS trust model is also available on our Github page.
There has been a recent increase in state-sponsored malware attacking iOS, and in some cases specifically targeting ProtonMail users. Our iOS security model also highlights exactly what we are doing to give Proton users a higher level of security compared to typical apps. In particular, we have implemented safeguards which allowed the ProtonMail iOS app to protect against a recent malware targeting Tibetans and Uyghurs (see our security advisory).
Making our code freely accessible to the developer community also encourages innovation in the field of privacy tech. Developers are free to implement and build upon the methods that we have documented and published. We believe that when developers work together to solve real-world privacy challenges, everyone benefits, and we hope that the publication of our code will result in safer and more robust iOS apps.
