
Imagine buying a car. The manufacturer promises full transparency and lets you look under the hood. You pop the latch, lift it up, and find… a photo of an engine printed on cardboard. That is roughly how the IT community in Poland feels following the events of December 29, 2025.
After years of announcements and legislative tussles, the Ministry of Digital Affairs finally did it: they published the source code for mObywatel (mCitizen). It is the flagship product of the digital state, used by nearly 11 million Poles. Theoretically, we should be popping champagne corks. Practically, we are opening debuggers and rubbing our eyes in disbelief.
What happened in the final days of the year is a fascinating case study of the collision between modern societal expectations and a military doctrine of "security through obscurity." Let’s take a look at what we actually saw (and what we didn't see) in the mObywatel code.
The first thing that strikes you is the format of the release. In the world of software engineering, the standard is a repository (like GitHub) where you can see the history of changes, authors, and project structure. What did the Polish government do? They published static HTML files on the Public Information Bulletin (BIP) website.
This is a classic example of "malicious compliance." Officials met the statutory requirement ("the code was published"), but they did it in a way that makes analyzing it as difficult as possible.
The cherry on top was security measures straight out of the 90s: scripts blocking the right mouse click and text selection. In a world where mObywatel is supposed to be proof of the state's modernity, using scripts that any junior developer can bypass in 30 seconds borders on self-parody. The community reacted instantly—tools "cleaning" the code of government "security measures" appeared online, and repositories with telling names (like mobywatel-shitcode) began to take on a life of their own.
This is perhaps the most disturbing and counterintuitive aspect of the affair. To even see the released code of mObywatel, you must log in using a Trusted Profile (Profil Zaufany).
The state is creating a registry of people interested in analyzing government code. In the view of the security services (CSIRT MON), anyone analyzing the code is a potential threat.
This is a complete negation of the Open Source idea. The security of open software relies on an anonymous crowd of experts (so-called white hats) looking for holes to patch them. By forcing users to log in with their full name (and national ID number/PESEL), the state creates a chilling effect. An honest researcher will think twice about whether they want to end up on a list of "curious citizens." A criminal? They will just use a stolen account and check the code without hurdles.
Once we get past the login screen and the blockers, it turns out the "emperor has no clothes." The released code is 75% Kotlin (Android) and 24% Swift (iOS), but it covers almost exclusively the visual layer. We see colors, icons, and button layouts.
What’s missing? Everything that matters. There is no business logic, no server communication mechanisms, no backend. We cannot verify whether the mObywatel app sends our location data or activity history out through a "backdoor."
Experts compare this to showing the paint on a building's facade, while citizens wanted to check the solidity of the foundation. Without insight into how the app processes data and communicates with state databases, the security audit is fiction. We received "facade transparency."
The legal situation of the mObywatel code is material ready for a doctorate in absurdity. On one hand, the code was released under the MIT license—one of the most liberal in the world, allowing for copying, modification, and distribution. On the other hand, technical copy-blocks were applied, and access was restricted only to Polish citizens.
The moment the first user (lawfully and in accordance with the MIT license) uploaded the code to GitHub, all of CSIRT MON's security measures became moot. The attempt to lock open code inside a cage of national regulations shows just how poorly decision-makers understand the nature of the digital world.
For contrast, it is worth looking east. The Ukrainian app Diia, often cited as the model for mObywatel, has its code on GitHub. It is open to the world, and the government in Kyiv encourages the submission of fixes. They understood that trust is built through collaboration, not by building digital fortresses.
The December release is sad proof that the doctrine of fear still wins out in the Polish administration. Instead of tapping the potential of thousands of Polish programmers for a free audit that would improve the security of the national app, the administration treated them like potential enemies.
mObywatel has de facto become our identity document. As we head into 2026, can we trust a state that demands "digital exhibitionism" from us while keeping itself hidden behind a screen of bureaucracy and technical incompetence?
Aleksander

Chief Technology Officer at SecurHub.pl
PhD candidate in neuroscience. Psychologist and IT expert specializing in cybersecurity.
