
Dashlane Publishes Its Source Code To GitHub In Transparency Push (techcrunch.com)

Password management company Dashlane has made its mobile app code available on GitHub for public perusal, a first step it says in a broader push to make its platform more transparent. TechCrunch reports: The Dashlane Android app code is available now alongside the iOS incarnation, though it also appears to include the codebase for its Apple Watch and Mac apps even though Dashlane hasn't specifically announced that. The company said that it eventually plans to make the code for its web extension available on GitHub too. Initially, Dashlane said that it was planning to make its codebase "fully open source," but in response to a handful of questions posed by TechCrunch, it appears that won't in fact be the case.

At first, the code will be open for auditing purposes only, but in the future it may start accepting contributions too -- however, there is no suggestion that it will go all-in and allow the public to fork or otherwise re-use the code in their own applications. Dashlane has released the code under a Creative Commons Attribution-NonCommercial 4.0 license, which technically means that users are allowed to copy, share and build upon the codebase so long as it's for non-commercial purposes. However, the company said that it has stripped out some key elements from its release, effectively hamstringing what third-party developers are able to do with the code. [...]

"The main benefit of making this code public is that anyone can audit the code and understand how we build the Dashlane mobile application," the company wrote. "Customers and the curious can also explore the algorithms and logic behind password management software in general. In addition, business customers, or those who may be interested, can better meet compliance requirements by being able to review our code." On top of that, the company says that a benefit of releasing its code is to perhaps draw in technical talent, who can inspect the code prior to an interview and perhaps share some ideas on how things could be improved. Moreover, so-called "white-hat hackers" will now be better equipped to earn bug bounties. "Transparency and trust are part of our company values, and we strive to reflect those values in everything we do," Dashlane continued. "We hope that being transparent about our code base will increase the trust customers have in our product."

  • by bubblyceiling ( 7940768 ) on Friday February 03, 2023 @08:47PM (#63264089)
    Good to see. Hope others follow suit
  • Dashlane needs to consider the option of having a secondary, randomly generated key, similar to 1Password and Codebook. This would be used to set up a device, and the user would be expected to save it aside and store it securely. This way, all password data sitting on their backend storage would be infeasible to brute force, unless the attacker could access the endpoint and get the secondary key.

    Doing this would ensure that anything stored this way will be sure. This, and encrypting EVERYTHING in the dat
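
The second-secret idea in the comment above, sketched as an added example that is not part of the original thread and is not Dashlane's, 1Password's or Codebook's actual scheme. It assumes PBKDF2 for the password, an HMAC of the random device key, and an XOR to combine them; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

ROUNDS = 100_000  # assumed PBKDF2 work factor for this sketch


def derive_vault_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine a slow password hash with a keyed hash of the random device key."""
    slow = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    keyed = hmac.new(secret_key, b"vault-key-v1" + salt, hashlib.sha256).digest()
    # XOR of the two halves: useless to an attacker who lacks either input.
    return bytes(a ^ b for a, b in zip(slow, keyed))


def seal(vault_key: bytes, record: bytes) -> bytes:
    """Stand-in for authenticated encryption: the tag the backend would store."""
    return hmac.new(vault_key, record, hashlib.sha256).digest()


def offline_guess(wordlist, secret_key, salt, record, stored_tag):
    """Model a backend-only breach: try each password against the stored tag."""
    for guess in wordlist:
        candidate = derive_vault_key(guess, secret_key, salt)
        if hmac.compare_digest(seal(candidate, record), stored_tag):
            return guess
    return None


# Constructed sample values (not real credentials or keys).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
DEVICE_KEY = bytes.fromhex("a3" * 16)   # would come from a CSPRNG at setup
RECORD = b"example.com|alice|hunter2"
PASSWORD = "correct horse"
WORDLIST = ["letmein", "password1", "correct horse"]
STORED_TAG = seal(derive_vault_key(PASSWORD, DEVICE_KEY, SALT), RECORD)

if __name__ == "__main__":
    # Backend data alone: the right password is in the list, yet nothing matches.
    print(offline_guess(WORDLIST, bytes(16), SALT, RECORD, STORED_TAG))
    # Endpoint also compromised (device key known): the weak password falls.
    print(offline_guess(WORDLIST, DEVICE_KEY, SALT, RECORD, STORED_TAG))
```

With only the backend data, a dictionary that contains the real password still finds no match; the weak password becomes guessable only once the device key is also known, which is the endpoint-compromise case the comment names.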

  • Too late, I already ditched them due to their obscene pricing (which jumped +50% a few years back). They've ignored pleas for years for a cheaper tier without all the BS that puts them more in-line with their competition.

    Switched to Bitwarden and haven't looked back. Actually found many ways I like how Bitwarden works better.

  • Am I crazy? I don't see any way to build the source code. There's no .xcodeproj folder with associated files.

    In every iOS project, at the root, there's the .xcodeproj folder and inside there's the project.pbxproj. Which basically is the Makefile of Swift code. It's not there.

    This code is just a dump to peruse. Not to actually build the app.

    • This code is just a dump to peruse. Not to actually build the app.

      They made this clear when they said that they had "stripped out some key elements". If you cannot build the product from the source, you cannot verify that the product they ship corresponds to the source, and therefore auditing the product is impossible. If they actually wish to be transparent, they will have to disclose all of the source and the procedure for building the product from it.

  • For some reason they don't give you any real links, so here they are:

    Android version (Java): https://github.com/Dashlane/an... [github.com]
    iOS version (Swift): https://github.com/Dashlane/ap... [github.com]
    CLI version (Javascript): https://github.com/Dashlane/da... [github.com]

    I'm not sure what would compel someone to write a CLI program in Javascript but they did.

    I would recommend using KeePass (specifically KeePassXC [keepassxc.org] or one of the many other client ports [keepass.info]) instead of this.
