From the fragments of mObywatel's source code published by the Ministry of Digitization (MC), we will not learn whether the application does not have, for example, a tracking function, or the ministry did not behave transparently – cybersecurity experts Adam Haertle, Tomasz Zieliński, Beata Zalewa and Łukasz Olejnik said for PAP.
On December 29, 2025, the Ministry of Digital Affairs announced that it had made available the “source code of the mObywatel application”. Fragments of the code were included in the MC public information bulletin. To see them, you first had to confirm your identity, among others. via Zaufany Profile, mObywatel application or electronic banking.
The ministry was obliged to publish the source code by the Act on the mObywatel application of 2023. The publication was consistent with the expert opinions on this matter presented by the key institutions of the national cybersecurity system: CSIRT GOV, CSIRT MON and CSIRT NASK.
Facade publication: Only appearance, no function
“The Ministry of Digitization has published only a few percent of the source code of the mObywatel application, selecting the elements responsible for the appearance of the application,” said Adam Haertle, founder of the expert cybersecurity portal Zaufana Trzecia Strona, to PAP. The ministry has published the appearance of buttons, text fields and other visual elements – explained Łukasz Olejnik, an independent consultant and researcher from the Department of War Studies, King's College London, who – as he emphasized – believes that the publication of this code “is not necessary”.
Despite this – in his opinion, as well as in the opinion of other experts commenting on the case for PAP – the ministry did not behave transparently when publishing the above-mentioned fragments. We cannot learn from them how the application works or how it secures our data, Haertle noted. “From a security point of view, nothing has changed,” he said, adding that the published code elements can be recreated in advance, e.g. by downloading the application and analyzing its content.
In fact, mObywatela's sources have not been published (…). What's published is the form factor, not how the app works. It's like revealing the color of a car's hood without opening it to announce an engine inspection, Olejnik said.
Concerns about tracking and lack of audit
In turn, cybersecurity specialist and creator of the Blog Informatyk Zakładowy, Tomasz Zieliński, pointed out that mObywatel is a very useful tool, but some users may be concerned whether it has undesirable functions, e.g. location tracking or secret transmission of images from the phone's camera. “Access to the application's source code would allow independent experts to confirm that no such thing is happening. It would also increase the transparency of government administration activities,” Zieliński emphasized.
“For me, true transparency is the ability to audit the real logic of action, not just watching the visual effect. Without the entire code it is impossible to be 100 percent sure. determine whether the application is written to the highest standards” – noted cybersecurity expert Beata Zalewa. “Since the application was created with public money, I would like to be able to independently verify its mechanisms to make sure that my data is safe and the system does not contain hidden tracking functions,” she added.
She pointed out that the Ministry of Digitization “announced success” by declaring on the What was published, in her opinion, were “irrelevant elements” of code that could already be reproduced using free tools.
“As if someone assumed that there were no people among the citizens who remembered what was promisedthey will evaluate what has been delivered and connect the dots. And who will speak loudly about the fact that this was not the agreement. I believe it would be better to honestly admit that full publication of the code is impossible rather than to serve the code in this format,” Zalewa said.
mObywatela source code only for selected people
Łukasz Olejnik noticed that in order to view fragments of code, you had to first authenticate yourself, and the viewing itself – he said – was highly difficult. “It's hard to understand why this was done. If it was to make it more difficult to view and download the code, it didn't help much. The code was posted on GitHub (platform for developers – PAP) within a few hours,” said the expert. According to Adam Haertle, downloading the published fragments of the source code “was difficult”, probably due to the “rather absurd opinion of the CSIRT of the Ministry of National Defence”.
As Tomasz Zieliński noted, over 90 percent code were classified based on advice from national CSIRTs, most of which was also classified. “The opinion of the CSIRT of the Ministry of National Defense, which is the only one of the three opinions that is public, confirms that opening the source code can bring social benefits,” Zieliński noted. As he explained, the authors of the opinion emphasized that such a process requires preparation at the organizational level, e.g. ensuring that redundant information is not included in comments in the source code. According to Zieliński, some of the recommendations of the Ministry of National Defense, e.g. the request to limit the group of recipients only to Polish citizens, were incomprehensible to the experts.
“Company IT Specialist” also emphasized that only some of the elements of the mObywatela code are of critical importance for state securitythe ministry could therefore exclude only these fragments from publication. “There is nothing stopping us from revealing the template of the screen displaying mID data or the procedure for operating the buttons available on this screen,” he said.
According to Łukasz Olejnik, the publication of fragments of the mObywatela source code on December 29 is “an interesting performance to make the Christmas break more enjoyable“As he added, “more seriously,” the publication of code fragments in the discussed format “may paradoxically reduce trust in the state.”
Beata Zalewa assessed the form of publishing fragments of the mObywatela source code as: “a facade intended only to pretend openness” (so-called open-washing), and Adam Heartle – as “security theater”.
“Mockery of citizens” after 2.5 years of work
Tomasz Zieliński noted that the Ministry of Digital Affairs and the Central IT Center, which is responsible for the technical side of mObywatel, had 2.5 years to prepare for the publication of the code. “Taking this into account, the ministry's action is a mockery of citizens and the Minister of Digitization simply ignored his obligation,” said the expert.
Originally, the code was to be published within a year of the entry into force of the Act, i.e. in mid-July 2024. However, at the beginning of July last year. The Act on Assistance to Citizens of Ukraine entered into force, which changed some provisions of the Act on mCitizen.
The Act on Assistance to Citizens of Ukraine states that the code may be published after the Ministry of Digital Affairs obtains the opinion of the CSIRT GOV, which is supervised by the Internal Security Agency; CSIRT MON and CSIRT NASK, “to the extent that does not threaten the security of this application and its users or the mObywatel system.”
“In accordance with the Act on the mObywatel application, after receiving opinions from CSIRT MON, CSIRT ABW and CSIRT NASK, part of the source code of the mObywatel application was published in the Public Information Bulletin of the Ministry of Digitization to the extent resulting from the recommendations of CSIRTs” – the ministry reported on the website on December 29 last year.
There are three national Computer Security Incident Response Teams in Poland: CSIRT NASK, CSIRT GOV and CSIRT MON. They were established by the Act on the National Cybersecurity System of 2018. Each CSIRT is responsible for coordinating incidents reported by entities assigned in accordance with the Act. Their tasks also include recognizing, preventing and detecting threats to security.
Monika Blandyna Lewkowicz (PAP)
mbl/drag/
