Open Source in Android Apps:
Tips for Becoming a Good Open Source Citizen
AnDevCon
Copyright OpenLogic 2006
What You'll Learn
- How much open source is used in mobile apps?
- What level of compliance with open source licenses?
- Why should I be concerned?
- What should I do about it?
About OpenLogic
OpenLogic helps enterprises to successfully and safely acquire, deploy, support and control all of the free and open source software they use.
- Scanning Tools
- Open Source Audits
- Open Source Support
Mobile Apps Depend on Open Source
Open Source is Used in 88% of Android Apps & 41% of iOS Apps
Source: OpenLogic Mobile Research 9/2010
Mobile Apps Depend on Open Source
[Figure: open source projects found in mobile apps: jquery, cocos2d, JSON, ichabber, wz_graphics, MWFeedParser, Selenium, YUI, SQLite, Boost, OpenSSL, PhoneGap, Rhodes]
Compliance Concern
Mobile Apps Aren't Consistently Complying with Open Source Licenses
Research Methodology
- Scanned 635 Top Apps with OSS Deep Discovery
  - 123 Android Apps
  - 512 iOS Apps
- Picked top paid and free apps across categories
- Identified 68 Apps with GPL, LGPL or Apache
  - 52 with Apache
  - 16 with GPL/LGPL
- Examined those apps for compliance with key obligations
Four Areas of Compliance Analyzed
Apache:   provide copy of license; notices/attributions
GPL/LGPL: provide copy of license; provide source code
Failure to Comply
71% of Apps using Open Source under GPL, LGPL and Apache do not comply
[Chart: Comply 29%, Do Not Comply 71%]
Compliance by Platform
[Chart: Android 27% comply; iOS 32% comply]
REALLY?
Three Reasons to Comply
1. It's the right thing to do
2. Protect your IP
3. Money in your pocket
It's The Right Thing to Do
Free software… but please comply
Protect your IP
Copyleft open source licenses can impact licensing of your IP
Protect your IP
[Diagram: Open Source under "Copyleft" license + Your code = Derivative work?]
Depends on the license and how you combine the code
Money in Your Pocket
Non-compliance can result in:
- Takedowns
- Injunctions
- Lawsuits
- Legal costs
Takedown Requests to Android Market
Source: Chilling Effects Clearinghouse, Takedown Complaints for Android Market
Takedowns: Open Source Copyright Violation
Example of complaint to Google re GPL violation.
More Than A Theoretical Risk: Legal Action
Free Software Foundation has been active in GPL enforcement.
Source: Ars Technica
Source: cnet
More Than A Theoretical Risk: Bad PR?
Source: Network World
Source: Matthew Garrett http://www.codon.org.uk/~mjg59/android_tablets/
OK, OK
How to Become A Good Open Source Citizen
1. Understand open source licensing
2. Create an open source policy
3. Track all open source usage
4. Conduct a scan or audit of your code
5. Develop a compliance checklist
1. Understand OSS Licensing
- Official definition of OSS license
  - Approved by the Open Source Initiative (OSI)
  - http://www.opensource.org/
  - Currently over 60 approved licenses
- Key Criteria
  - Free distribution
  - Source code is available
  - Derived works are allowed
  - Non-discrimination
Categorizing Open Source Licenses
[Diagram: licenses plotted along three axes: Liberal to Copyleft, No Strings to Strings Attached, Traditional Open Source to Additional Clauses. Licenses shown: MIT/X, W3C, Original BSD, Apache Software License, Eclipse Public License, GNU GPL, GNU LGPL, GNU GPL v3, Common Public License, Mozilla Public License, SISSL, IBM Public License]
Dependency Issues Impact Licensing
- OSS often depends on or bundles other OSS
- Need to look at all the dependencies and bundled projects and their licenses
- Important: The licenses may not be the same!
- Example:
  - Geronimo (Apache license) uses MySQL (GPL) through the
2. Create an Open Source Policy
- Things to include
  - Licenses allowed
  - Approval processes
  - Audit and compliance processes
- Considerations
  - Keep it lightweight
3. Track all Open Source Usage: Why?
- Know what you are using
  - Best practices for software asset management
  - Identify opportunities for sharing or savings
  - Find out what open source is being used so you can leverage expertise, support, etc. across teams
- Legal & compliance
  - Validate that you are complying with licenses
  - Be able to determine impact of license changes
  - Provide an audit trail for regulatory compliance
  - Assess impact of lawsuit or IP infringement
- Maintenance
  - Be prepared to handle security patches or critical issues
  - Able to plan for maintenance updates
- Support
  - Understand level of support necessary
3. Track all Open Source Usage: What?
- What open source packages are used
- What versions are used
- The exact source/object code
- Where you got it from (source)
- What license it's under
- What applications it's used in
- What machines they are used on
- What operating system they are used with
- Whether the project is internal, external or for distribution
- When distributed and to whom
- Approval trail: who approved, when approved, for what
4. Conduct a scan or audit of your code
- Outcome of an OSS audit:
  - List of open source packages
  - List of open source licenses
  - List of license obligations
  - List of licenses that may have conflicting terms
- Options
  - Scanning tools
  - Manual review
  - Audit services
5. Develop a compliance checklist
- Create a compliance checklist:
  - Notices in code and/or documentation
  - Source code provided in proper way
  - Is there an EULA for your product?
- If there are conflicts or compliance is not possible:
  - Can you live without this code?
  - Is there an alternative to the code?
  - Can you contact the author and ask for an exception/different license?
- Risk management:
  - What is likely to get litigated?
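The following is an added example, not part of the original deck and not an OpenLogic tool. It ties together two points above: that a dependency's license binds the app even when the app never references that dependency directly (the "Dependency Issues" slide), and that a compliance checklist is just the four obligations the research analyzed (Apache: license copy plus notices; GPL/LGPL: license copy plus source) checked against what actually ships. The package names, licenses and shipped artifacts are constructed sample data, the SPDX-style license identifiers and the obligation table are simplifications chosen for this example, and any license not in that table is flagged for manual review rather than silently passed.

```python
"""License-obligation checker over a dependency inventory (added example).

Given an inventory of packages (name, license, bundled dependencies), the
packages an app links directly, and the artifacts actually shipped with the
app, report which obligations from the deck's four-area analysis are unmet.
All inventory data below is constructed sample data, not a real scan.
"""
from __future__ import annotations

from dataclasses import dataclass

# Obligations as analyzed in the deck: Apache needs a license copy plus
# notices/attributions; GPL and LGPL need a license copy plus source code.
# Assumption: SPDX-style identifiers. Licenses absent from this table are
# reported for review, never treated as compliant.
OBLIGATIONS: dict[str, frozenset[str]] = {
    "Apache-2.0": frozenset({"license_copy", "notices"}),
    "GPL-2.0": frozenset({"license_copy", "source_code"}),
    "LGPL-2.1": frozenset({"license_copy", "source_code"}),
}
COPYLEFT = {"GPL-2.0", "LGPL-2.1"}


@dataclass(frozen=True)
class Package:
    name: str
    license: str
    deps: tuple[str, ...] = ()


def transitive_closure(inventory: dict[str, Package], roots: list[str]) -> dict[str, Package]:
    """Return every package reachable from the roots via bundled or
    depended-upon packages. A dependency's license obligates the app even
    when the app never references that dependency directly."""
    reached: dict[str, Package] = {}
    stack = list(roots)
    while stack:
        name = stack.pop()
        if name in reached:
            continue
        pkg = inventory[name]
        reached[name] = pkg
        stack.extend(d for d in pkg.deps if d not in reached)
    return reached


def check_compliance(inventory, roots, shipped):
    """shipped maps package name -> set of artifacts bundled with the app
    (any of "license_copy", "notices", "source_code").

    Returns (package, license, status, detail) tuples sorted by package
    name; status is OK, NONCOMPLIANT or REVIEW."""
    findings = []
    for name, pkg in sorted(transitive_closure(inventory, roots).items()):
        required = OBLIGATIONS.get(pkg.license)
        if required is None:
            findings.append((name, pkg.license, "REVIEW", "license not in obligation table"))
            continue
        missing = sorted(required - shipped.get(name, set()))
        if missing:
            detail = "missing: " + ", ".join(missing)
            if pkg.license in COPYLEFT:
                # The deck's derivative-work question depends on how the
                # code is combined; a checker can only flag it, not answer it.
                detail += "; copyleft: confirm how your code combines with it"
            findings.append((name, pkg.license, "NONCOMPLIANT", detail))
        else:
            findings.append((name, pkg.license, "OK", ""))
    return findings


def noncompliant(findings):
    """Names of packages with unmet obligations, in report order."""
    return [f[0] for f in findings if f[2] == "NONCOMPLIANT"]


# Constructed inventory with hypothetical package names. "netkit" bundles
# "logkit", so the app inherits a GPL obligation it never linked directly.
# "unused" is in the inventory but not reachable, so it is not reported.
INVENTORY = {
    "netkit": Package("netkit", "Apache-2.0", deps=("logkit",)),
    "logkit": Package("logkit", "GPL-2.0"),
    "jsonkit": Package("jsonkit", "Apache-2.0"),
    "mathkit": Package("mathkit", "BSL-1.0"),
    "unused": Package("unused", "GPL-2.0"),
}
APP_ROOTS = ["netkit", "jsonkit", "mathkit"]
# Constructed picture of what the app actually ships: license and NOTICE
# for jsonkit, only a license for netkit, nothing at all for logkit.
SHIPPED = {
    "jsonkit": {"license_copy", "notices"},
    "netkit": {"license_copy"},
}

if __name__ == "__main__":
    for row in check_compliance(INVENTORY, APP_ROOTS, SHIPPED):
        print("%-8s %-11s %-13s %s" % row)
```

Run stand-alone it reports jsonkit as OK, netkit as NONCOMPLIANT (notices missing), logkit as NONCOMPLIANT with the copyleft flag (no license copy, no source), and mathkit as REVIEW because its license is not in the obligation table. In a real pipeline the inventory would come from the scan or audit output described above and `shipped` from inspecting the built package; the point the example makes is that the check must run over the transitive closure, not the app's direct dependencies.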
Thanks!
- Slides?
  - www.openlogic.com/downloads
  - www.slideshare.net
- Learn more
  - www.openlogic.com
  - To receive details of research
- Follow
  - @openlogic
  - @KimAtOpenLogic