Ask HN: How to be sure that an app on a store is running the open source code? Let's say for example Bitwarden: How do I know, the app I am installing from the App Store, is running the code that is Open Source and not something else? |
Ask HN: How to be sure that an app on a store is running the open source code? Let's say for example Bitwarden: How do I know, the app I am installing from the App Store, is running the code that is Open Source and not something else? |
In the end you have to trust your OS. If you write that yourself, you have to trust the CPU. If you build that yourself using discrete components, you have to trust that nobody sneaked a CPU into what you think is a simple NAND gate, or into a wire you used (https://developer.arm.com/ip-products/processors/cortex-m/co... tells me a 32-bit ARM CPU can be 0.008 mm² and use 5.3 μW/MHz. An attacker probably would need some extras such as memory, but _if_ you happen to be worth it to an attacker with huge resources, these things could end up in surprising places, so you would have to get out your microscope, and look at every single component in detail)
With iOS, the ‘only’ addition is that you have to trust Apple, too. It could change the binary, put code in iOS to change what’s running, etc.
If you are concerned about that, don’t use iOS.
The advantage of Android is that you can get the apk from a trusted source or build it yourself, right?
As to iOS, if you can get the source, you can build and install apps yourself on iOS, too, with the disadvantage that you will have to reinstall the app every x days (executables signed for debugging have an expiry date), with ‘x’ relatively short (a few weeks, IIRC)
The Reproducible Builds project https://reproducible-builds.org/ exists to solve this problem.
They decompiled the APK, and moved on from there. Note that the code itself is not everything, there are configuration files, databases and some data that comes with the app
[1] https://cybercyber.co.il/?p=151 (use Google translate from Hebrew)