Open-source software is software with source code that anyone can inspect, propose changes to, and enhance. There are positive and negative aspects to open-source software.
Some people prefer open-source software because it allows them to audit the source code for security and stability. They believe that because anyone can view and modify the code, someone might spot and correct errors or omissions that a program's original authors might have missed, so it can be more secure.
Is open source always good?
The downside of open-source software is that it could allow others to create a malicious duplicate of an application more easily, starting from the same source code. Open-source software can also cause compatibility issues.
While there are benefits to being open source, it's not a perfect solution to security issues. In fact, it can bring additional challenges that need to be managed or mitigated.
Is the Casa app open source?
The Casa app is not an open-source mobile application, though this may change in the future. We believe this is best for the security of our customers. This does not mean you have to trust Casa during normal use of the app (see information on "watch-only wallets" below).
When it comes to open vs. closed source for the Casa app, there are two primary questions:
- Are there flaws in the software that could be exploited by internal or external attackers to steal funds?
- Are there flaws in the software that could be exploited by internal or external attackers to trick you into sending funds to them?
Even if the Casa app were open source, it would not provide any guarantees that the wallet could not be exploited by external or internal attackers to steal funds. Casa's security infrastructure is architected not to rely on our software or systems for the security of funds. Rather, it's built upon a foundation of securing keys with specialized hardware and software from entities other than Casa.
Casa does contract with independent auditors to review our code on a regular basis.
Casa can't steal your funds because we only ever have one of the keys to your vault. Even a malicious Casa app would not be able to use your keys without your explicit approval. To be precise, humans have to verify and approve the details of transactions on multiple devices that Casa has no control over. The biggest vulnerability is being tricked into sending funds to an address that is controlled by an attacker.
The Casa app has been built to distrust the receive address information given to it by the server; there are cryptographic verifications performed by the app against the extended public key data it receives, and the client independently derives addresses in the app.
Nevertheless, for the sake of considering your whole security situation, you could imagine that somehow the mobile app, servers, and databases have all been compromised by an internal attacker. In this case, the final failsafe is independent verification. Independently verifying a deposit address, as you can do with the Casa app, is far superior to having an open-source app. This is because actually verifying an open-source app yourself is very difficult for Android and even more difficult for iOS.
How can I use the Casa app without needing to trust Casa?
You always have the ability to monitor your balances and transactions independently from the Casa app using "watch-only wallets." Watch-only wallets let you verify transactions independently using third-party software over which Casa has no control.
How does a watch-only wallet give you this assurance? A multisig address is created from a hash of the entire redeem script. The redeem script includes all of the public keys and the number of signatures required from that set of public keys. Changing a single byte of that redeem script completely changes the hash and therefore the address. If malicious Casa software displayed an address to you that changed anything about the spending requirements for those funds, it would not match the address derived by the watch-only wallet.
For a more detailed explanation of watch-only wallets and how to set one up, see "Creating watch-only wallets."
Don't trust. Verify!