Ask HN: How to be sure that an app on a store is running the open source code?
Let's say for example Bitwarden: How do I know, the app I am installing from the App Store, is running the code that is Open Source and not something else? You can’t even tell that with 100.000% confidence of code you write by hand using ‘echo’ and run locally. In the end you have to trust your OS. If you write that yourself, you have to trust the CPU. If you build that yourself using discrete components, you have to trust that nobody sneaked a CPU into what you think is a simple NAND gate, or into a wire you used (https://developer.arm.com/ip-products/processors/cortex-m/co... tells me a 32-bit ARM CPU can be 0.008 mm² and use 5.3 μW/MHz. An attacker probably would need some extras such as memory, but _if_ you happen to be worth it to an attacker with huge resources, these things could end up in surprising places, so you would have to get out your microscope, and look at every single component in detail) With iOS, the ‘only’ addition is that you have to trust Apple, too. It could change the binary, put code in iOS to change what’s running, etc. If you are concerned about that, don’t use iOS. > If you are concerned about that, don’t use iOS. The advantage of Android is that you can get the apk from a trusted source or build it yourself, right? Yes, you can, but even then, you can’t be 100.000% certain that that code will get executed. Google, your phone manufacturer, big brother, etc. _could_ detect that you’re running Foo and do Bar instead. Most people shouldn’t worry about that, though. I would be more worried about ‘them’ listening to what you do than about ‘them’ changing what you do (and if they want to, ‘they’ likely can do that easier outside your app or even outside your phone than on it) As to iOS, if you can get the source, you can build and install apps yourself on iOS, too, with the disadvantage that you will have to reinstall the app every x days (executables signed for debugging have an expiry date), with ‘x’ relatively short (a few weeks, IIRC) With the tools available on an iPhone, you can’t! This is a big deal and an important question! The Reproducible Builds project https://reproducible-builds.org/ exists to solve this problem. Something similar from Israel [1], the official Corona tracking app was supposed to be based on Open Source. They decompiled the APK, and moved on from there. Note that the code itself is not everything, there are configuration files, databases and some data that comes with the app [1] https://cybercyber.co.il/?p=151 (use Google translate from Hebrew) Precisely. My concern was raised thinking about contact tracing apps. I'll have a look at the link you shared, thank you! Telegram has this https://core.telegram.org/reproducible-builds