Let's say for example Bitwarden: How do I know that the app I am installing from the App Store is running the code that is Open Source and not something else?
Someone|5 years ago
You can’t even tell that with 100.000% confidence of code you write by hand using ‘echo’ and run locally.
In the end you have to trust your OS. If you write that yourself, you have to trust the CPU. If you build that yourself using discrete components, you have to trust that nobody sneaked a CPU into what you think is a simple NAND gate, or into a wire you used (https://developer.arm.com/ip-products/processors/cortex-m/co... tells me a 32-bit ARM CPU can be 0.008 mm² and use 5.3 μW/MHz. An attacker probably would need some extras such as memory, but _if_ you happen to be worth it to an attacker with huge resources, these things could end up in surprising places, so you would have to get out your microscope, and look at every single component in detail)
With iOS, the ‘only’ addition is that you have to trust Apple, too. It could change the binary, put code in iOS to change what’s running, etc.
If you are concerned about that, don’t use iOS.
lolftw|5 years ago
The advantage of Android is that you can get the apk from a trusted source or build it yourself, right?
Jaxkr|5 years ago
The Reproducible Builds project https://reproducible-builds.org/ exists to solve this problem.
2rsf|5 years ago
Something similar from Israel [1], the official Corona tracking app was supposed to be based on Open Source.
They decompiled the APK, and moved on from there. Note that the code itself is not everything, there are configuration files, databases and some data that comes with the app.
[1] https://cybercyber.co.il/?p=151 (use Google translate from Hebrew)
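Putting Jaxkr's reproducible-builds pointer together with 2rsf's note that configuration and data files ship alongside the code, here is an added example (not from this thread or from the Reproducible Builds project) that compares the entries of a store-downloaded APK against a locally rebuilt one, ignoring only the signing metadata under META-INF/. The two APKs are constructed in-memory zip files standing in for real apps.

```python
import hashlib
import io
import zipfile

# Signing metadata is regenerated on every signing, so it legitimately differs
# between byte-identical builds; everything else must match exactly.
SIGNATURE_PREFIX = "META-INF/"

def entry_digests(apk_bytes: bytes) -> dict:
    """Return {entry name: sha256 hex of decompressed content} for an APK (a zip)."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_apks(store_apk: bytes, rebuilt_apk: bytes) -> dict:
    """List entries present on only one side or differing in content, signatures excluded."""
    a = {n: h for n, h in entry_digests(store_apk).items() if not n.startswith(SIGNATURE_PREFIX)}
    b = {n: h for n, h in entry_digests(rebuilt_apk).items() if not n.startswith(SIGNATURE_PREFIX)}
    return {
        "only_in_store": sorted(set(a) - set(b)),
        "only_in_rebuilt": sorted(set(b) - set(a)),
        "changed": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }

def make_apk(entries: dict) -> bytes:
    """Build a minimal zip standing in for an APK (constructed sample data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample: identical code and manifest, but the store copy ships a
# different bundled config file, and each copy carries its own signature block.
COMMON = {"classes.dex": b"dex\n035\x00constructed", "AndroidManifest.xml": b"<manifest/>"}
STORE_APK = make_apk({**COMMON, "assets/config.json": b'{"telemetry": true}', "META-INF/CERT.RSA": b"store-sig"})
REBUILT_APK = make_apk({**COMMON, "assets/config.json": b'{"telemetry": false}', "META-INF/CERT.RSA": b"my-sig"})

if __name__ == "__main__":
    print(compare_apks(STORE_APK, REBUILT_APK))  # -> {'only_in_store': [], 'only_in_rebuilt': [], 'changed': ['assets/config.json']}
```

Because entries are hashed after decompression, zip timestamps and compression levels do not cause false differences; for deeper comparison of what did change, the Reproducible Builds project's diffoscope tool is the usual next step.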