
Root, and a community of people that you trust who are incentivized to audit the contents of whatever updates you install, and the infrastructure to bind that trust to those updates in a scalable and trustworthy way. And tools for catching apps being shady so you can revoke trust in auditors that blessed a bad one.

Root is kind of like the wooden sword in Zelda, it's where the journey begins.

Which dungeon is next is an open question but I'd propose something that installs packages by cryptographic hash so that whatever community we build for trusted packages can publish signed predicates referring to the trustworthiness of their referents without having to also host the packages themselves (given that servers which resolve names to packages become high-value targets and probably shouldn't be trusted). nix-on-droid seems like it could be modified to do this.
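The scheme sketched in the comment above (packages addressed by cryptographic hash, auditors publishing signed statements about those hashes without hosting the bytes, and trust in an auditor being revocable) can be shown end to end in a small program. The following is an added example written for this thread, not code from the commenter, nix-on-droid or any existing package manager; the auditor names, the `trusted`/`malicious` verdict strings and the newline-separated canonical encoding are all assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Predicate is an auditor's statement about one package, identified only by
// the SHA-256 of its bytes. No name or URL appears, so whoever serves the
// bytes cannot change what was vouched for.
type Predicate struct {
	Auditor string // assumed identifier for the auditor's key
	Digest  string // hex SHA-256 of the package bytes
	Verdict string // assumed vocabulary: "trusted" or "malicious"
}

// SignedPredicate carries the auditor's Ed25519 signature over the
// canonical encoding of the predicate.
type SignedPredicate struct {
	Predicate
	Signature []byte
}

// canonical gives the exact bytes that are signed (fixed field order).
func (p Predicate) canonical() []byte {
	return []byte(p.Auditor + "\n" + p.Digest + "\n" + p.Verdict)
}

// Sign is what an auditor runs after reviewing a package.
func Sign(p Predicate, priv ed25519.PrivateKey) SignedPredicate {
	return SignedPredicate{Predicate: p, Signature: ed25519.Sign(priv, p.canonical())}
}

// TrustStore holds the auditor keys a user trusts, plus the auditors whose
// trust was revoked after they blessed something that turned out bad.
type TrustStore struct {
	Keys    map[string]ed25519.PublicKey
	Revoked map[string]bool
}

func NewTrustStore() *TrustStore {
	return &TrustStore{Keys: map[string]ed25519.PublicKey{}, Revoked: map[string]bool{}}
}

func (t *TrustStore) Trust(auditor string, pub ed25519.PublicKey) { t.Keys[auditor] = pub }
func (t *TrustStore) Revoke(auditor string)                       { t.Revoked[auditor] = true }

// Digest is the package's content address.
func Digest(pkg []byte) string {
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:])
}

// Admit decides whether the bytes actually received may be installed: at
// least threshold distinct trusted, non-revoked auditors must have signed
// "trusted" for exactly this digest, and no trusted auditor may have
// signed "malicious" for it. It returns the number of approvals counted.
func Admit(pkg []byte, preds []SignedPredicate, store *TrustStore, threshold int) (int, error) {
	got := Digest(pkg)
	seen := map[string]bool{}
	approvals := 0
	for _, sp := range preds {
		pub, ok := store.Keys[sp.Auditor]
		if !ok || store.Revoked[sp.Auditor] {
			continue // unknown or revoked auditor
		}
		if !ed25519.Verify(pub, sp.canonical(), sp.Signature) {
			continue // signature does not check out: ignore the statement
		}
		if sp.Digest != got {
			continue // vouches for different bytes than the resolver served
		}
		if sp.Verdict == "malicious" {
			return 0, errors.New("package flagged malicious by " + sp.Auditor)
		}
		if sp.Verdict == "trusted" && !seen[sp.Auditor] {
			seen[sp.Auditor] = true
			approvals++
		}
	}
	if approvals < threshold {
		return approvals, fmt.Errorf("only %d of %d required approvals", approvals, threshold)
	}
	return approvals, nil
}

func main() {
	// Constructed scenario: two trusted auditors vouch for one package.
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	store := NewTrustStore()
	store.Trust("auditor-a", pubA)
	store.Trust("auditor-b", pubB)

	pkg := []byte("constructed package contents v1")
	d := Digest(pkg)
	preds := []SignedPredicate{
		Sign(Predicate{"auditor-a", d, "trusted"}, privA),
		Sign(Predicate{"auditor-b", d, "trusted"}, privB),
	}
	n, err := Admit(pkg, preds, store, 2)
	fmt.Println("genuine bytes:", n, err)
	_, err = Admit([]byte("swapped contents"), preds, store, 2)
	fmt.Println("substituted bytes:", err)
	store.Revoke("auditor-b") // one auditor blessed a bad package elsewhere
	_, err = Admit(pkg, preds, store, 2)
	fmt.Println("after revoking auditor-b:", err)
}
```

Two properties the comment asks for fall out of the structure: the resolver that maps names to bytes holds nothing worth compromising, because substituted bytes simply fail the digest comparison against every predicate, and revoking an auditor is a local change to the trust store that instantly stops counting everything that auditor ever signed, without touching the packages or the hosting.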




I wish that community effort actually worked, but the truth is almost no one reviews 99% of the open source libraries linked into every app, let alone the binary blob drivers and OMA-DM toolkits with root access to your phone controlled by Apple/Google and Qualcomm.

Truly no e2ee chat is safe if even one person accesses it from a smartphone with code the community cannot review, or is not actively reviewing.

Until we have 100% open code on endpoints with auditable hardware (like the Precursor) and have crowd-sourced signed code reviews... we are vulnerable to any company, state actor, or teen that phishes the credentials to an NPM repo.

The state of software supply chain integrity today is about as good as hospital sanitation practices in the 1800s.


Communities coming together to protect themselves against a common enemy is something that we've been doing for perhaps a million years. We're actually quite good at it. But there hasn't yet been a market for tooling that brings those instincts into the realm of software. So far it has been "trust us, we're the vendor," and not "let's use this to trust each other but not our enemy".

I agree that our software supply chains are in their infancy. Regrettably, so is our ability to use software to inflict harm (if you haven't played Cyberpunk 2077, it has a pretty good take on this--you spend a lot of time killing people by hacking into their implants). I hate to be gloomy, but I think that as the threats become more real, more deadly, the supply chain integrity piece will have to level up as well.
