Security of closed-source mobile apps

Mobile apps are closed-source. I understand that developers have to have a viable business, and that makes sense.

I hear that the encryption code is still open source. Does that mean the GUI and the encryption code are entirely separate units?

Can the public check that the app (not the underlying crypto library) encrypts the files correctly and handles the key material properly?

I know the encryption library is open source. But can we verify:

— how this library is used in the mobile app?

— how the app handles the encryption key?

— how the app handles the user password?

The request is to provide a mechanism such that the security part is open source and verifiable while the GUI and other parts are proprietary and closed-source.

There has to be a way for users to see that Cryptomator does not make end-to-end encryption claims similar to the ones made by Zoom that turned out to be false.

I guess you can’t. That’s why we’re going to open-source the mobile apps soon.

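To make the reply concrete, here is an added example (not Cryptomator's code and not its file format) of why an open-source crypto core does not make a closed-source caller verifiable, and which misuses a user can still detect from the outside. The crypto core is a stand-in I am assuming for illustration (PBKDF2 for the key, HMAC-SHA256 in counter mode as a stream cipher, no authentication); the two "apps" and the telemetry list are constructed for the example.

```python
import hashlib
import hmac
import os

# ---- "Open-source" part: a small crypto core anyone can read and test. ----
# Stand-in only (assumption): HMAC-SHA256 as a PRF in counter mode, no
# authentication tag. Not Cryptomator's format and not a real library.

NONCE_LEN = 16


def derive_key(password: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Password -> 32-byte key via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext. Secure only if (key, nonce) is never reused."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be 16 bytes")
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# ---- "Closed-source" part: two apps calling the same core. ----
# Both round-trip correctly, so a decrypt-what-you-encrypted test passes for both.

class CarefulApp:
    def __init__(self, password: bytes):
        self.salt = os.urandom(16)                    # fresh salt per vault
        self.key = derive_key(password, self.salt)

    def encrypt_file(self, data: bytes) -> bytes:
        return encrypt(self.key, os.urandom(NONCE_LEN), data)  # fresh nonce per file

    def decrypt_file(self, blob: bytes) -> bytes:
        return decrypt(self.key, blob)


class SloppyApp:
    """Same core, misused: fixed salt, fixed nonce, and the password is copied
    into a 'telemetry' sink the user never sees (constructed here as a list)."""

    FIXED = b"\x00" * 16

    def __init__(self, password: bytes, telemetry: list):
        self.key = derive_key(password, self.FIXED)
        telemetry.append(password)                    # invisible from the app's outputs

    def encrypt_file(self, data: bytes) -> bytes:
        return encrypt(self.key, self.FIXED, data)

    def decrypt_file(self, blob: bytes) -> bytes:
        return decrypt(self.key, blob)


# ---- What an outsider can and cannot check from the app's outputs alone. ----

def roundtrip_ok(app, data: bytes) -> bool:
    return app.decrypt_file(app.encrypt_file(data)) == data


def nonce_reuse_observed(app, data: bytes) -> bool:
    """Black-box check: the same plaintext encrypted twice must not give identical bytes."""
    return app.encrypt_file(data) == app.encrypt_file(data)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_xor_of_plaintexts(app, m1: bytes, m2: bytes) -> bytes:
    """With a reused (key, nonce), ct1 XOR ct2 == m1 XOR m2 (two-time pad):
    a ciphertext-only observer learns the relation between two files."""
    return xor(app.encrypt_file(m1)[NONCE_LEN:], app.encrypt_file(m2)[NONCE_LEN:])


if __name__ == "__main__":
    pw, msg, sink = b"correct horse battery staple", b"vault contents", []
    for app in (CarefulApp(pw), SloppyApp(pw, sink)):
        print(type(app).__name__, "round-trips:", roundtrip_ok(app, msg),
              "| nonce reuse observable:", nonce_reuse_observed(app, msg))
    print("password leaked to hidden channel:", pw in sink)  # only visible with the source
```

Reading the library's source tells you `encrypt` is fine when the nonce is fresh; only the caller decides whether it is. Nonce reuse shows up in the ciphertexts, so a user can catch it without source; the password copy in `SloppyApp` produces no observable difference at all, which is the case the original question is really asking about.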

This is good news and a big plus for Cryptomator!

Happy to pay for your open source secure products!
