Password management company Dashlane has made its mobile app code available on GitHub for public perusal, a first step it says in a broader push to make its platform more transparent.
The Dashlane Android app code is available now alongside the iOS incarnation, though it also appears to include the codebase for its Apple Watch and Mac apps even though Dashlane hasn’t specifically announced that. The company said that it eventually plans to make the code for its web extension available on GitHub too.
Not open source
Initially, Dashlane had said that it was planning to make its codebase “fully open source,” but in response to a handful of questions posed by TechCrunch, it appears that won’t in fact be the case.
At first, the code will be open for auditing purposes only, but in the future it may start accepting contributions too — however, there is no suggestion that it will go all-in and allow the public to fork or otherwise re-use the code in their own applications.
“While we are not yet in a position to accept contributions to the code, in the future we aspire to make it so external contributors can suggest improvements directly in GitHub,” the company wrote in a blog post today. “But this also requires another level of internal organization. Eventually, we plan on allowing other developers to contribute actively, and participate in the development of Dashlane.”
Dashlane has released the code under a Creative Commons Attribution-NonCommercial 4.0 license, which technically means that users are allowed to copy, share, and build upon the codebase so long as it’s for non-commercial purposes. However, the company said that it has stripped out some key elements from its release, effectively hamstringing what third-party developers are able to do with the code.
“You won’t be able to build your very own Dashlane with this code — we’re sharing the recipe, but we had to leave out a few of the ingredients that make it our own,” the company wrote.
Curiously, while Creative Commons licenses are often applied to works such as music, photographs, and even databases, software is one category which it specifically recommends not using its license for. In a FAQ section on the Creative Commons website, the organization notes:
We recommend against using Creative Commons licenses for software. Instead, we strongly encourage you to use one of the very good software licenses which are already available. We recommend considering licenses listed as free by the Free Software Foundation and listed as “open source” by the Open Source Initiative.
Founded in 2009, Dashlane is one of a number of password-management service providers that allows users to generate and store robust and unique passwords for all their online services — after all, compromised passwords are responsible for the lion’s share of security breaches. While the New York-based company was originally all about the consumer market, it has been doubling down on its enterprise credentials since the launch of Dashlane Business back in 2016, bolstered somewhat by a $110 million round of funding led by Sequoia four years ago. And this hints at one of the main reasons the company is looking to open up its codebase just a little bit.
Indeed, today’s announcement comes a couple of months after its rival LastPass announced a data breach, with cybercriminals going on to steal some of its customers’ password vaults. While it’s not clear to what extent releasing its mobile app codebase would avert such a breach from happening to Dashlane, there’s significant merit in the old adage from the open source sphere that “there’s no security through obscurity” — and Dashlane clearly wants to earn some extra transparency points from its business customers.
Moreover, with rivals in the password management space such as Bitwarden — which recently raised $100 million in funding — flaunting their open credentials, this puts added pressure on the likes of Dashlane to adopt a similar transparent philosophy.
“The main benefit of making this code public is that anyone can audit the code and understand how we build the Dashlane mobile application,” the company wrote. “Customers and the curious can also explore the algorithms and logic behind password management software in general. In addition, business customers, or those who may be interested, can better meet compliance requirements by being able to review our code.”
On top of that, the company says that a benefit of releasing its code is to perhaps draw-in technical talent, who can inspect the code prior to an interview and perhaps share some ideas on how things could be improved. Moreover, so-called “white-hat hackers” will now be better equipped to earn bug bounties.
“Transparency and trust are part of our company values, and we strive to reflect those values in everything we do,” Dashlane continued. “We hope that being transparent about our code base will increase the trust customers have in our product.”