I have been reviewing the Windows version of Cryptomator for a couple of weeks and am very impressed with what I have seen. I subsequently purchased the Android version.
Apart from its functionality, the fact that it is open source was a major determinant in my decision making. However, being open source is only useful if numerous and competent people, unconnected with Cryptomator, review the code regularly.
How do I, a non-techy person, know with 100% confidence that the code has been reviewed RECENTLY AND REGULARLY by experts independent of Cryptomator and has been found to be safe? Would someone please be able to explain and reassure?
There isn’t a formal process here. The more attention an open-source project gets, the higher a chance of independent reviews. In my opinion, there is never a 100% confidence, not in any project in this world. You’ve probably seen the independent security audits. But beyond that, the software is continuously and publicly tested in an automated way and has a measurable code quality and test coverage.
Thanks for the reply and, for the avoidance of doubt, I really like Cryptomator and wish you guys well. You mention in your reply that the software is “continuously and publicly tested in an automated way and has a measurable code quality and test coverage”. What do you mean by “measurable”? Where is it publicly measured and what do these metrics say/mean?
E.g., in the cryptographic libraries, we aim for a very high test coverage, which you can see in the badges at the top (that’s why “publicly”):
At the moment, we use Codacy, a static analysis tool, to determine these numbers. We also use the service Snyk, which is focused on security vulnerabilities.
But of course, these are mere tools/services that produce metrics. They still don’t guarantee anything. We can only strive for the highest quality that we’re capable of as experienced software engineers and use tools to support our endeavor.
Every now and then we’re approached by companies that sponsor an independent review or certification that we will then gladly publish or link to.
Besides code, we’re also making sure that the overall security architecture can be easily understood by third parties through our documentation: https://docs.cryptomator.org/en/latest/security/architecture/
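The reply above rests on "test coverage" as a measurable number and then cautions that such metrics "still don't guarantee anything". The following is an added example, not Cryptomator's code or anything from its repositories, that makes both points concrete: a minimal line-coverage tracer built on Python's `sys.settrace` runs a constructed test suite against a constructed (and deliberately defective) PKCS#7-style padding function, reports the percentage of its executable lines that the tests reached (the figure a coverage badge shows), and counts failing tests. The function `pad_block`, the two suites and the tracer are all assumptions made for illustration.

```python
"""What a test-coverage badge measures, and what it does not.

Added example, not Cryptomator's code. A minimal line-coverage tracer built on
sys.settrace runs a constructed test suite against a constructed padding
function and reports (a) the fraction of that function's executable lines the
tests exercised, the figure a coverage badge shows, and (b) how many tests
failed. The sample function carries a deliberate defect to show that 100%
coverage with every test passing still does not prove correctness.
"""
import dis
import sys
from typing import Callable, Iterable, List, Tuple


def pad_block(data: bytes, block_size: int = 16) -> bytes:
    # Constructed sample with a deliberate defect: when the input length is
    # already a multiple of block_size, PKCS#7 padding requires appending a
    # whole extra block, but this version returns the input unchanged.
    remainder = len(data) % block_size
    if remainder == 0:
        return data
    pad_len = block_size - remainder
    return data + bytes([pad_len]) * pad_len


def run_suite(func: Callable, tests: Iterable[Callable[[], None]]) -> Tuple[float, int]:
    """Run each test under a line tracer.

    Returns (line_coverage, failures): the fraction of func's executable
    lines that some test executed, and the number of tests whose assertions
    failed. Only lines of func itself are counted, as a coverage tool would
    do per file.
    """
    code = func.__code__
    # Executable lines are those that carry bytecode; the def line itself
    # holds only the function prologue and is excluded.
    executable = {ln for _, ln in dis.findlinestarts(code)
                  if ln is not None and ln != code.co_firstlineno}
    hit = set()

    def tracer(frame, event, arg):
        if event == "line" and frame.f_code is code:
            hit.add(frame.f_lineno)
        return tracer  # keep tracing every frame so func's frame is seen

    failures = 0
    sys.settrace(tracer)
    try:
        for test in tests:
            try:
                test()
            except AssertionError:
                failures += 1
    finally:
        sys.settrace(None)
    return len(hit & executable) / len(executable), failures


def weak_suite() -> List[Callable[[], None]]:
    """Executes every line of pad_block but never checks the full-block case
    properly: this suite yields 100% coverage and no failures."""
    def short_input_is_padded():
        assert pad_block(b"abc", 4) == b"abc\x01"

    def full_block_returns_bytes():
        assert isinstance(pad_block(b"abcd", 4), bytes)  # no real check

    return [short_input_is_padded, full_block_returns_bytes]


def strict_suite() -> List[Callable[[], None]]:
    """Same coverage, but asserts the behaviour PKCS#7 actually requires,
    so the defect is caught."""
    def short_input_is_padded():
        assert pad_block(b"abc", 4) == b"abc\x01"

    def full_block_gets_extra_block():
        assert pad_block(b"abcd", 4) == b"abcd" + b"\x04" * 4

    return [short_input_is_padded, full_block_gets_extra_block]


if __name__ == "__main__":
    for name, suite in (("weak", weak_suite()), ("strict", strict_suite())):
        cov, failed = run_suite(pad_block, suite)
        print(f"{name} suite: {cov:.0%} line coverage, {failed} failing test(s)")
```

Both suites reach 100% line coverage of `pad_block`; only the strict one fails, because it asserts the padding rule rather than merely executing the code path. That is the gap between a coverage badge and an independent review: the badge shows which lines tests executed, while a reviewer (or a stricter test author) judges whether the assertions behind those lines are the right ones.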