Source-Available vs Open Source for Health Apps (Why It Matters)
When choosing a health app, you might see terms like "open source" or "source-available" thrown around. Understanding what these mean, and what they don't guarantee, can help you make better decisions about your sensitive health data.

Plain-English definitions
Open source typically means software released under a license that allows anyone to view, modify, and distribute the code. Common licenses include MIT, GPL, and Apache. The key idea is that the code is freely available and can be used by others, sometimes with specific requirements about how derivatives must be licensed.
Source-available means the source code is publicly visible, but the licensing terms may be more restrictive. You can read and review the code, but you might not have the same rights to modify or redistribute it. Some source-available projects allow contributions, while others are read-only.
NoBullFit is a source-available health app: our code is public on GitHub, so you can see exactly how we handle your data. You can review it and report issues, but the codebase is read-only and remains under our control.
What transparency helps with (and what it doesn't guarantee)
Being able to review source code gives you several advantages:
- Verification: You can see how data is collected, stored, and transmitted. Independent developers can audit the code for security issues or privacy concerns.
- Understanding: You know what the app actually does, not just what marketing claims. If you're technical, you can verify that features work as advertised.
- Accountability: Public code makes it harder to hide problematic practices. If something changes in a way that concerns users, it's visible in the commit history.
- Community input: Developers and privacy advocates can suggest improvements, report bugs, or flag potential issues.
However, transparency doesn't automatically guarantee:
- Perfect security: Just because code is visible doesn't mean it's secure. Vulnerabilities can exist even in well-reviewed codebases.
- Privacy protection: The code might be transparent, but you still need to trust that the deployed version matches what's in the repository. Regular audits help, but they're not foolproof.
- Data handling: You can see how data flows through the code, but you can't always verify what happens on the server side without additional transparency measures.
- Long-term commitment: A project can change its approach, licensing, or even go closed-source later. Transparency is a snapshot in time, not a permanent guarantee.
The value comes from combining code transparency with other practices: clear privacy policies, data export options, and a track record of respecting user privacy.
Why it matters for sensitive health data
Health apps handle some of your most personal information: what you eat, how much you weigh, your activity levels, and sometimes medical conditions. This data is valuable to advertisers, insurers, and data brokers, which is why many health apps monetize through data selling or targeted advertising.
When a source-available health app makes its code public, you can verify:
- Whether data is encrypted in transit and at rest
- What information is actually sent to external services
- If there are any hidden tracking mechanisms or analytics
- How authentication and authorization work
- Whether data export and deletion features work as claimed
This doesn't mean you should blindly trust any source-available app. But it does mean you have a way to verify claims, and the community can help identify issues. For health data especially, this verification layer adds meaningful protection.
That said, remember that code transparency is one piece of the puzzle. You also want to see a clear privacy policy, a commitment to not selling data, and evidence that the team takes security seriously.
How to review the code
If you're interested in reviewing NoBullFit's code, here's how to get started:
- Browse the repository: Start with the README to understand the project structure and setup instructions.
- Check key areas: Look at authentication code, database schemas, API endpoints, and any data processing logic. These areas show how your information is handled.
- Review recent changes: Check the commit history to see what's been updated recently and how the project evolves.
- Report issues: If you find bugs, security concerns, or privacy issues, email us at [email protected]. Clear, detailed reports help us address problems quickly.
You don't need to be an expert developer to benefit from source-available code. Even basic familiarity with code structure can help you understand what an app does, and you can always ask questions or request clarification by emailing us at [email protected].
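As an added illustration of the kind of check the verification list above ("what information is actually sent to external services", "whether data is encrypted in transit", "hidden tracking mechanisms") and the "Check key areas" step make possible, here is a small Python review script. It is example code written for this page, not NoBullFit's own code or tooling; the first-party domain, the sample file contents and the telemetry keyword list are all constructed. It walks a source tree, lists every outbound URL it finds, and flags three things worth reading closely: plain `http://` endpoints (no TLS in transit), hosts outside the app's own domains, and identifiers that usually belong to analytics SDKs. Each hit is a pointer to code a reviewer should read, not a verdict.

```python
import os
import re
from dataclasses import dataclass

# Hypothetical first-party domain for the constructed sample below; a reviewer
# substitutes the domains the app under review actually operates.
FIRST_PARTY_DOMAINS = {"example-health.test"}

# Constructed keyword list that commonly indicates analytics/telemetry SDKs.
# A hit means "read this code", not "this app tracks you".
TELEMETRY_HINTS = ("analytics", "tracker", "telemetry", "firebase", "mixpanel", "segment")

# Only source and config files are scanned; docs are skipped so README links add no noise.
CODE_EXTENSIONS = {".py", ".js", ".ts", ".kt", ".swift", ".go", ".rb", ".java",
                   ".json", ".yml", ".yaml", ".env"}

URL_RE = re.compile(r"(https?)://([A-Za-z0-9.-]+)")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str    # "plaintext_url", "third_party_host" or "telemetry_hint"
    detail: str


def is_first_party(host, domains=FIRST_PARTY_DOMAINS):
    """True for a listed domain itself or any of its subdomains, plus loopback."""
    if host in ("localhost", "127.0.0.1"):
        return True
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_text(path, text, domains=FIRST_PARTY_DOMAINS):
    """Return findings for one file's contents; the path is kept for the report."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for scheme, host in URL_RE.findall(line):
            if scheme == "http":   # no TLS: data in transit is readable on the network
                findings.append(Finding(path, lineno, "plaintext_url", host))
            if not is_first_party(host, domains):
                findings.append(Finding(path, lineno, "third_party_host", host))
        lowered = line.lower()
        for hint in TELEMETRY_HINTS:
            if hint in lowered:
                findings.append(Finding(path, lineno, "telemetry_hint", hint))
                break   # one hint per line is enough to flag it for reading
    return findings


def audit_files(files, domains=FIRST_PARTY_DOMAINS):
    """files: mapping of relative path -> contents (an in-memory tree for the sample)."""
    findings = []
    for path in sorted(files):
        if os.path.splitext(path)[1] in CODE_EXTENSIONS:
            findings.extend(scan_text(path, files[path], domains))
    return findings


def audit_directory(root, domains=FIRST_PARTY_DOMAINS):
    """The same audit over a repository checked out on disk."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.splitext(name)[1] in CODE_EXTENSIONS:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return audit_files(files, domains)


def summarize(findings):
    """Collapse findings into kind -> sorted unique details for a quick overview."""
    out = {}
    for f in findings:
        out.setdefault(f.kind, set()).add(f.detail)
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample tree (not real NoBullFit code): two source files and a README.
SAMPLE_FILES = {
    "app/api.py": (
        'BASE_URL = "https://api.example-health.test/v1"\n'
        'LEGACY_EXPORT = "http://legacy.example-health.test/export"\n'
    ),
    "web/analytics.js": (
        "import mixpanel from 'mixpanel-browser';\n"
        "mixpanel.init('TOKEN', { api_host: 'https://api.mixpanel.com' });\n"
    ),
    "README.md": "Source: https://github.com/example/sample-health-app\n",
}

if __name__ == "__main__":
    results = audit_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line} {f.kind} {f.detail}")
    print(summarize(results))
```

Run against a real checkout with `audit_directory("/path/to/repo")`. On the sample it reports the plaintext legacy export endpoint, the Mixpanel host as a third-party destination, and the two lines that mention the SDK; the README link is ignored because documentation is not scanned. The suffix check in `is_first_party` matters: a host such as `example-health.test.evil.example` does not pass just because the first-party domain appears inside it.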
Where to find the repository
NoBullFit's code is available on GitHub. You can browse the repository, review the codebase, and report issues.
The repository includes the full application code, database schema, API endpoints, and documentation. Everything is there for you to review and understand how your data is handled.