Fact vs. Fiction: Why PDFium Is the Most Trusted Platform for PDF Rendering

From the desk of Jonathan Rhyne, Co-Founder and CEO of PSPDFKit

In recent years, there have been several myths and misconceptions regarding the security of open source technology (in general), as well as the use of open source technology within PDF toolkits and platforms. So, to help both our existing and potential customers separate the reality from the myth, I’m starting a new series on our blog called Fact vs. Fiction.

In this series, we’ll focus on various aspects of security and demystify some of the misconceptions that have been floating around. Today, I’ll tackle open source and PDFium, and in the future, other contributors will write about additional topics.

Purpose and Intended Audience

This article is aimed at decision makers who work for companies that are in the process of choosing a trusted technology partner for PDF processing, manipulation, and rendering. Whether you have a custom web, desktop, or mobile application, we understand that managers and decision makers need to be well-informed and equipped with all the facts to make such an important decision.

So, in the first article in the series, I’ll analyze some of the myths and misconceptions regarding the security of open source, as well as the open source technology used and trusted by literally billions of people (no, that’s not a typo) around the world. My goal is to help you, the reader, come to your own conclusions about what really is fact versus what is fiction.

Myth #1 — Open Source Technology Is Insecure Because the Source Code Is Open to the Public

Have you ever heard anyone say: “Open source technology is insecure because all the source code is completely open to the public?” Unfortunately, this is one of the biggest myths regarding open source technology, and it’s typically used by companies who’d rather spend their resources attacking their competition as opposed to innovating or contributing to a community. So let’s analyze this argument a bit further.

Fact #1 — You’re Probably Already Using Open Source Technology and You Don’t Even Know It

Just take a look at the latest statistics in Figure 1 below from the independent market research site statcounter.com regarding the global usage of web browsers.

Figure 1 — Browser Market Share Worldwide (June 2022)

As you can see, Google Chrome dominates the market with a whopping 65 percent of the global market share. And when you add up all the statistics for the top four browsers (Chrome, Safari, Edge, and Firefox), you see that all the major browsers command a combined total of more than 91 percent of the global market. And in case you were unaware, all of those web browsers are either fully open sourced, or they embed open source technology. So now think about this conclusion personally: If you use Google Chrome, Apple Safari, Microsoft Edge, or Mozilla Firefox, you’re already using open source technology. That’s a fact.

Another major thing to consider: If your company (or business) standardizes on any of the web browsers above, then they’re standardizing on tools that are (or embed) open source technology.

Now take a look at Figure 2 below, illustrating how many people worldwide use open source web browsers, to see how ubiquitous and pervasive open source software is.

Figure 2 — Infographic: Worldwide Usage of Open Source Web Browsers (June 2022)

At PSPDFKit, we adopted the use of the open source platform PDFium within our tools and APIs for developers. And with that, let’s address another myth.

Myth #2 — PDFium Is an Insecure PDF Rendering Engine

Now, without getting into the technical details of the various PDF specifications and how PDF toolkits (such as PSPDFKit) work, understand that PDF tools and toolkits are typically split into two parts. One part reads and processes the text and binary information encapsulated inside a PDF document (this part is typically called the PDF parser). The other part is responsible for taking the parsed information (text, images, etc.) inside the PDF document and visualizing it for the user (this part is called the PDF renderer).

Figure 3 — The Architecture for PDF Tools Such as PSPDFKit Is Split Into Two Parts: PDF Parsers and PDF Renderers

Now, although we evidently demonstrated the widespread and ubiquitous use of open source technology, some may argue that, in particular, the open source PDF renderer PDFium is inherently insecure. So, again, let’s look at the facts.

Fact #2 — Some of the Biggest Companies in the World Participate in the Community to Contribute to (or Use) PDFium Today

I love arguing this point because I can let the facts speak for themselves. Guess what Google, Microsoft, Amazon, Dropbox, and (yes) PSPDFKit all have in common? All of us are either contributors to the publicly available PDFium open source project, and/or we directly embed PDFium in the products we create for our end users. That’s a fact.

• Google uses PDFium inside Chrome (the most widely used browser in the world).

• Microsoft uses PDFium inside Edge (the default web browser in Windows 10 and 11).

• Amazon uses PDFium inside Amazon Echo and Fire TV products.

• Dropbox uses PDFium inside its client tools to preview files.

Figure 4 — PSPDFKit Participates in a Community of Users and Contributors to the Open Source PDFium Project, Alongside Google, Microsoft, Amazon, and Dropbox

Fact #3 — PDFium Is an Active and Well-Maintained Open Source Project

As an active member of this vibrant and evolving community, PSPDFKit is passionate about and dedicated to the success, stability, and security of the open source PDFium project, which is continuously maintained and improved with new features that are channeled back to our customers.

Have you ever heard the phrase, “If you want to go FAST, then go alone, but if you want to go FAR, then go together?”

This is the mindset I instill in every employee at PSPDFKit, and it’s why we participate in the community of PDFium users and contributors. In this community, each company has its own business case and reasoning for embedding PDFium within individual platforms, however, we’re jointly committed to the success of the project.

Conclusion

I’m leading the charge with this first article in our Fact vs. Fiction series, and I strongly encourage you (the reader) to click on the links in the sources cited here to see the facts for yourself. At the end of the day, draw your own conclusion. 🙂

Sources

• The list of companies that contribute to PDFium, which include Google, Microsoft, and Dropbox

• The list of open source software used by Amazon Echo devices, which includes PDFium

• The Dropbox.Tech blog discussing the performance of PDFium in Dropbox software

• Microsoft Edge uses Chromium, which includes PDFium