
For millions of developers around the world, using GitHub, Bitbucket, and other git services is as routine as opening a Word document.
These platforms make it possible for teams—ranging from large tech corporations to indie programmers—to work together on the same coding project, often in real time. But this convenience comes with risks.
Git services often host valuable and sensitive code, including artificial intelligence models and proprietary software.
That makes them attractive targets for hackers and vulnerable to malicious code injections.
Now, researchers from the University of Sydney, working with international collaborators, have developed a solution: end-to-end encryption designed specifically for git services.
Their approach promises to bring the same level of privacy and protection that messaging apps like WhatsApp use to keep conversations secure, but for software code instead.
End-to-end encryption (E2EE) secures data from the moment it leaves the sender until it reaches the intended recipient. Even if the platform itself is compromised, the data remains unreadable to outsiders.
For software developers, this could mean that their code is finally protected against both leaks and tampering. “Just like we want our messages to be private and safe, the IT industry also wants their code to be protected,” said Associate Professor Qiang Tang from the University of Sydney’s School of Computer Science.
“End-to-end encryption is currently the gold standard to protect data.”
The research comes at a time when attacks on code repositories are becoming more common. Earlier this year, the cryptocurrency exchange Coinbase was targeted, and in 2022, identity management company Okta suffered a breach in which source code was stolen.
These incidents highlight the urgent need for stronger safeguards in the systems that store and share code.
Until now, adding end-to-end encryption to git services has been a challenge. Unlike messaging apps, where the content of a conversation changes slowly or not at all, code repositories are constantly updated with thousands of edits.
Encrypting an entire project every time a line of code changes would use huge amounts of computing power and bandwidth, making the process impractical.
The Sydney-led team solved this problem with an innovative compromise. Instead of encrypting the entire repository each time, their system encrypts only the changes. If a single word is deleted from a file, only that change is encrypted and recorded, not the whole project. This character-level encryption approach keeps overheads minimal, saving storage space and bandwidth while maintaining security.
Another challenge was ensuring that edits could still be tracked and verified, which is essential for collaborative coding. Without this, malicious actors could sneak harmful code into projects under the radar. The team’s framework addresses these subtle requirements, making the encryption system both practical and trustworthy.
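The two ideas in the preceding paragraphs, encrypting only the character-level change rather than the whole repository and keeping every edit verifiable so a tampered or reordered change is caught, can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not the Sydney team's code and does not reproduce their construction. It uses only the Python standard library: difflib produces a character-level edit script, an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for a real AEAD such as AES-GCM, and each record's tag also covers the previous record's tag so the edit history forms a chain. The sample file, the key and all function names are constructed for the example.

```python
"""Delta-level E2EE for a git-like history (illustrative, added example; not the paper's scheme)."""
import difflib
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32
GENESIS_TAG = b"\x00" * TAG_LEN          # chain anchor for the first edit record


def make_delta(old, new):
    """Character-level edit script that turns `old` into `new`; unchanged spans are omitted."""
    ops = []
    sm = difflib.SequenceMatcher(None, old, new, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag != "equal":
            ops.append({"op": tag, "start": i1, "end": i2, "text": new[j1:j2]})
    return json.dumps(ops, separators=(",", ":")).encode()


def apply_delta(old, delta):
    """Replay an edit script from make_delta on top of `old`."""
    out, cursor = [], 0
    for op in json.loads(delta):
        out.append(old[cursor:op["start"]])  # untouched prefix
        out.append(op["text"])               # inserted/replacement text; "" for a delete
        cursor = op["end"]
    out.append(old[cursor:])
    return "".join(out)


def _subkeys(master_key):
    """Derive separate encryption and MAC keys from the shared repository key."""
    enc = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """HMAC in counter mode: enough 32-byte blocks to cover `length` bytes."""
    blocks, counter = [], 0
    while len(blocks) * 32 < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_delta(master_key, delta, prev_tag):
    """Encrypt one edit record; the tag binds nonce, ciphertext and the previous record's tag."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(delta, _keystream(enc_key, nonce, len(delta))))
    tag = hmac.new(mac_key, prev_tag + nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def decrypt_delta(master_key, blob, prev_tag):
    """Verify the chain tag first (constant-time compare), then decrypt; raise on any mismatch."""
    enc_key, mac_key = _subkeys(master_key)
    nonce, tag, ct = blob[:NONCE_LEN], blob[NONCE_LEN:NONCE_LEN + TAG_LEN], blob[NONCE_LEN + TAG_LEN:]
    expected = hmac.new(mac_key, prev_tag + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("edit record rejected: modified, replaced or out of order")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def commit_history(master_key, versions):
    """Store successive file versions as chained encrypted deltas; the server only ever sees blobs."""
    blobs, prev_text, prev_tag = [], "", GENESIS_TAG
    for text in versions:
        blob = encrypt_delta(master_key, make_delta(prev_text, text), prev_tag)
        blobs.append(blob)
        prev_text, prev_tag = text, blob[NONCE_LEN:NONCE_LEN + TAG_LEN]
    return blobs


def replay_history(master_key, blobs):
    """Rebuild the latest version on the client; an altered or reordered record aborts the replay."""
    text, prev_tag = "", GENESIS_TAG
    for blob in blobs:
        text = apply_delta(text, decrypt_delta(master_key, blob, prev_tag))
        prev_tag = blob[NONCE_LEN:NONCE_LEN + TAG_LEN]
    return text


def replay_is_rejected(master_key, blobs):
    """True if the chain refuses the given (possibly tampered) sequence of records."""
    try:
        replay_history(master_key, blobs)
        return False
    except ValueError:
        return True


# Constructed sample repository file: 40 near-identical lines, then one word edited in line 17.
SAMPLE_V1 = "".join(f"line {i}: unchanged content of the repository\n" for i in range(40))
SAMPLE_V2 = SAMPLE_V1.replace("line 17: unchanged", "line 17: edited")
DEMO_KEY = os.urandom(32)   # stand-in for a per-repository key shared among collaborators

if __name__ == "__main__":
    delta = make_delta(SAMPLE_V1, SAMPLE_V2)
    print(f"full file: {len(SAMPLE_V2.encode())} bytes, delta payload: {len(delta)} bytes")
    history = commit_history(DEMO_KEY, [SAMPLE_V1, SAMPLE_V2])
    print("replay matches latest version:", replay_history(DEMO_KEY, history) == SAMPLE_V2)
    corrupted = history[:-1] + [history[-1][:-1] + bytes([history[-1][-1] ^ 1])]
    print("tampered ciphertext rejected:", replay_is_rejected(DEMO_KEY, corrupted))
    print("reordered records rejected:", replay_is_rejected(DEMO_KEY, history[::-1]))
```

Running the script shows the two properties the article describes: the encrypted payload for a one-word edit is a small fraction of the full file, and the hosting service, holding only blobs and no key, can neither read the edits nor alter or reorder them without the next client replay failing the tag check. A production design would replace the HMAC keystream with a standard AEAD and add key distribution among collaborators, which this example deliberately leaves out.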
The new encryption method has already been tested successfully on existing git services and public repositories. Results will be formally presented at the ACM Conference on Computer and Communications Security in October. The researchers plan to introduce their system to mainstream git services, and they may also release it as open source to allow wider adoption.
Collaborator Moti Yung, a distinguished research scientist at Google, called the project a vital step in the evolution of git services. “As computing ecosystems mature, we must deal with less trusted and malicious players,” he explained. “This system is a necessary step toward the maturity of git services.”
By bringing end-to-end encryption to the backbone of modern software development, the researchers are aiming to create what is, in effect, a security box for the world’s code. If widely adopted, their breakthrough could make the software that underpins our digital world far more resilient to attack.