
Ask HN: How to be sure that an app on a store is running the open source code? - lolftw
Let's say, for example, Bitwarden: how do I know that the app I am installing from the App Store is running the code that is open source and not something else?
======
Someone
You can’t even tell that with 100.000% confidence for code you write by hand
using ‘echo’ and run locally.

In the end you have to trust your OS. If you write that yourself, you have to
trust the CPU. If you build that yourself using discrete components, you have
to trust that nobody sneaked a CPU into what you think is a simple NAND gate,
or into a wire you used ([https://developer.arm.com/ip-products/processors/cortex-m/cortex-m0](https://developer.arm.com/ip-products/processors/cortex-m/cortex-m0)
tells me a 32-bit ARM CPU can be 0.008 mm² and use 5.3 μW/MHz. An attacker
probably would need some extras such as memory, but _if_ you happen to be
worth it to an attacker with huge resources, these things could end up in
surprising places, so you would have to get out your microscope and look at
every single component in detail).

With iOS, the ‘only’ addition is that you have to trust Apple, too. It could
change the binary, put code in iOS to change what’s running, etc.

If you are concerned about that, don’t use iOS.

~~~
lolftw
> If you are concerned about that, don’t use iOS.

The advantage of Android is that you can get the apk from a trusted source or
build it yourself, right?

~~~
Someone
Yes, you can, but even then, you can’t be 100.000% certain that that code will
get executed. Google, your phone manufacturer, big brother, etc. _could_
detect that you’re running Foo and do Bar instead. Most people shouldn’t worry
about that, though. I would be more worried about ‘them’ listening to what you
do than about ‘them’ changing what you do (and if they want to, ‘they’ likely
can do that more easily outside your app or even outside your phone than on it).

As to iOS, if you can get the source, you can build and install apps yourself
on iOS, too, with the disadvantage that you will have to reinstall the app
every x days (executables signed for debugging have an expiry date), with ‘x’
relatively short (a few weeks, IIRC).

------
Jaxkr
With the tools available on an iPhone, you can’t! This is a big deal and an
important question!

The Reproducible Builds project [https://reproducible-builds.org/](https://reproducible-builds.org/) exists to solve this problem.

------
2rsf
Something similar from Israel [1]: the official Corona tracking app was
supposed to be based on open source.

They decompiled the APK and moved on from there. Note that the code itself is
not everything; there are configuration files, databases and some data that
comes with the app.

[1] [https://cybercyber.co.il/?p=151](https://cybercyber.co.il/?p=151) (use
Google translate from Hebrew)
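
One way to make that comparison concrete, as an added example that is not code from the linked write-up or from anyone in this thread: hash every entry of a store-downloaded APK and a self-built one, then separate differences in compiled code from differences in bundled data (assets, config, databases) and from the signing files, which always differ between a store-signed and a self-signed build. The two APKs below are constructed stand-ins (plain zip archives), not real app packages.

```python
import hashlib
import io
import zipfile

# META-INF holds the (v1) JAR signature files, which depend on who signed the
# APK, so they differ between a store build and a self-signed rebuild.
SIGNING_PREFIX = "META-INF/"

def entry_digests(apk_bytes):
    """Map each zip entry name to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def classify(name):
    """Bucket an entry as code, signing metadata, or bundled data."""
    if name.startswith(SIGNING_PREFIX):
        return "signing"
    if name.endswith((".dex", ".so")):
        return "code"
    return "data"  # assets, resources, bundled databases, config files

def compare_apks(store_apk, built_apk):
    """Return differing entry names grouped by bucket, plus entries found in only one APK."""
    a, b = entry_digests(store_apk), entry_digests(built_apk)
    report = {"code": [], "data": [], "signing": [], "only_in_one": []}
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            report["only_in_one"].append(name)
        elif a[name] != b[name]:
            report[classify(name)].append(name)
    return report

def make_apk(entries):
    """Constructed stand-in for an APK: a zip built from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample: identical code, different bundled config, different signer.
STORE = make_apk({"classes.dex": b"dex-v1", "assets/config.json": b'{"telemetry": true}',
                  "META-INF/CERT.RSA": b"store-signature"})
BUILT = make_apk({"classes.dex": b"dex-v1", "assets/config.json": b'{"telemetry": false}',
                  "META-INF/CERT.RSA": b"my-signature"})
REPORT = compare_apks(STORE, BUILT)
```

A clean "code" bucket with a non-empty "data" bucket is exactly the situation the comment above warns about: the binaries match the source, but what ships alongside them does not.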

~~~
lolftw
Precisely. My concern was raised thinking about contact tracing apps. I'll
have a look at the link you shared, thank you!

------
hboon
Telegram has this [https://core.telegram.org/reproducible-builds](https://core.telegram.org/reproducible-builds).

