Stremio / stremio-bugs

🐛 Post bug reports in Issues here

Android source code #158

Closed hadim closed 5 years ago

hadim commented 6 years ago

Is the Android client open source?

TRtomasz commented 5 years ago

Hi, Android Client is not an open source application.

hadim commented 5 years ago

So how do we know you don't put spyware or worse in it?

TRtomasz commented 5 years ago

You can scan your phone with one of the existing antiviruses. Also our app is available via Play Store which uses Google Play Protect system https://www.android.com/play-protect/

hadim commented 5 years ago

Fair enough I guess...

Thanks for the answer anyway.

Handrail9 commented 1 month ago

> You can scan your phone with one of the existing antiviruses. Also our app is available via Play Store which uses Google Play Protect system https://www.android.com/play-protect/

I am not sure if this is still the current stance, but with recent events such as the XZ Utils backdoor I don't see why I should just trust that an antivirus would be able to detect any kind of backdoor/spyware/malware that hasn't already been exposed to the public. Antiviruses work by scanning for known hashes. They aren't magic. I think it would be in the best interest of your users to either make the statement on your homepage clearer, or to make your Android application at the very least source-available if open source is for some reason not an option. It feels extremely dishonest to have the statement that "Stremio is open-source and safe" on your front page when the only open source components are ones that end users can't realistically build and use for themselves (The GUI frontends that make the magic happen on each OS.)

I would really love to use Stremio and feel safe using it, but as far as I can tell there's not currently a way to do that. I was going to say I would consider donating to the project as well, but as far as I can tell there isn't any way to donate. I don't see anything on the website, and when searching on the internet all I can find is a Reddit post from 2016 stating that they may or may not happen. Which, if you aren't getting donations, how is Stremio hiring developers and making money? It all just seems very sketchy to me.

jaruba commented 1 month ago

@Handrail9 i'm sorry but ur comment makes little sense, you don't trust AVs because of zero-day exploits? when they do randomly become public an app using it would be banned from the Play Store immediately, while Stremio is an (almost) 10 year old project without any incidents

the reason the android source is not open is specifically because of malicious actors that would make Stremio clones appear like mushrooms in the Play Store, people that don't care about licenses and will splatter the apps with abusive ads, even with the source closed we regularly report apps on the Play Store that infringe our brand

you want to know how Stremio makes money? it doesn't

Handrail9 commented 1 month ago

Okay, let's break this down bit by bit here.

> you don't trust AVs because of zero-day exploits?

I do not trust an anti-virus to be able to detect an unknown malware, that's correct.

> an app using it would be banned from the Play Store immediately

I really should not have to explain this one. Google Play has never been a bastion of security. Malware and spyware is uploaded extremely frequently, and what goes under the radar doesn't get taken down. https://usa.kaspersky.com/blog/malware-in-google-play-2023/29356/

> Stremio is an (almost) 10 year old project without any incidents

Stremio Android is a closed source product with no currently known backdoors. There's no source code for me to audit, when your website implies I should be able to :)

> malicious actors that would make Stremio clones appear like mushrooms in the Play Store

> even with the source closed we regularly report apps on the Play Store that infringe our brand

You contradicted yourself. "The source is closed source because what if we have people steal our app" but also "people are ALREADY stealing our app". The argument can be made that there will be more people doing it, but genuinely if people are already doing it, will that number even go up a tenth of a percent? What about the Kodi project? They don't seem to let this stop their project.

Another comment on this point, if the issue is that people would reupload the app, why was the reason given in this Reddit post that the app has some sort of agreement with a third party? Has this changed in the past 4 years? Why weren't your users notified?

> you want to know how Stremio makes money? it doesn't

Why? You could very easily open a donations page, start a Patreon, a Kofi, LiberaPay, accept Crypto. This point is not one that I care too much about as it really has no effect on the end user whether or not they can choose to support the project. I personally wouldn't want to support a project that is falsely advertising that I can audit the code when I clearly can not. You made no comment on this. This was my main point, why is it advertised as an "open source" media center when the part that matters, the part that runs on the end user's device, is NOT open source?

jaruba commented 1 month ago

i did not contradict myself at all, the current disputes are for trademark infringement, this means that there are malicious actors that keep saying "we are Stremio" and infringing on the brand, not re-releasing the same app code

given that Stremio has no profits our resources are low and our team is small, we realistically barely have the resources to fight the current situation of people trying to sell accounts, devices, pretend they are Stremio, etc on a regular basis

i am unaware of any deal made, i gave my reasoning for why the Android UI is closed source since i became the dev lead at this project, i will research any obligations that may be related to this to better inform myself

Stremio currently has 95 repositories that are open source on GitHub, the range of what is open source is large, the web app is open source and we are working on making it the UI for the Desktop app (this has been a long transition, but we are close to a release), thus stremio-shell and stremio-web will form the Desktop app, there is also stremio-core which includes the logic shared by all Stremio apps, so you specifically want the Android UI to be open source (as the Stremio related logic of all apps is in stremio-core already), as well as many many other open source projects available

does it make more sense to call it closed source when the minority of the project is closed source? we strive for open source and make everything related to building ur own Stremio open source, from all needed shared app logic to the web app UI as an example (which is why there are currently tens of apps and projects with Stremio Addons support)

this is not a debate of if it should be trusted, the app is safe and there are millions of users that have been using it for many years and can all agree on that

you want to be sure of it? and u think that if the Android UI was open source you would be able to be sure of it? i'm sorry to disappoint but i don't believe anything can offer 100% certainty in life except death and taxes

i've been doing this for long enough to know when to smell an endless debate if it starts, ur on a trip where u will keep pushing until something changes to fit ur personal vision, while i am not someone that stands for bullying, so if this continues to progress in this direction then i'm sorry to say that the conversation ends here for me

Handrail9 commented 1 month ago

Since you're giving non-answers about why the closed-source modules are being marketed as open source, disregarded my questioning about being able to grow the project through donations, and are name calling over pointing out genuine flaws in the project, I guess the conversation is done.