cross-posted from: https://fost.hu/post/226135

Let’s say, I create a bank with the caveat that all of my banking phone apps and webapps are FOSS (or if they depend on non-free components — banks probably do to communicate with each other —, then just OSS). Am I going to be behind the competition by doing this?

If the most secure crypto algorithms are the ones that are public, can we ensure the security of a bank’s apps by publicizing it?

Are they not doing this because they secretly collect a lot of data (on top of your payment history because of the centralized nature of card payments) through these apps?

EDIT: Clarifying question: Is there a technical reason they don’t publicize their code or is it just purely corporate greed and nothing else?

  • @[email protected]
    link
    fedilink
    201 year ago

    A couple of reasons:

    1. Who would contribute? Banks are highly regulated and sometimes deal with complex products that most Devs don’t have a background on. Even most Devs in banks rely on a team of business analysts, designers etc to shape the requirements. Add on top of that the general negative perception of banks, I can’t think of a large open-source community forming.
    2. Competition. Bank’s primarily compete with each other. They all offer very similar products, and any advantage they can gain by developing proprietary software will be explored.
    3. Third-party apps. Banks use a TON of third-party apps behind the scenes. A lot of times they will purchase licenses for existing products and then customise on top of that.
    4. Outsourcing. Even when they are building the app “in-house” they may have outsourced the development to another company, and will then just maintain the finished product.
    5. Banks move slooooowly. As it’s a highly regulated industry, every deployment needs to go through a ton of red-tape. An exploit found in public might take weeks to be resolved internally.
    6. Reward is not worth risk. It simply isn’t a priority and they can’t see any benefit for doing it. It’s more likely to cause a reputation risk than not.