With iOS, you need to use Apple tools to decrypt your official app binary, so there is no way to verify that Apple isn't inserting anything. With Android, we'll still be able to compare APKs. So if you submit an app that was reproducibly built, then you can compare the Google APK to your own and see the differences.
That would not protect users from targeted malware, like what the FBI wanted to do in FBI v. Apple. Google can now join Apple in potentially providing that as a service. This is why in F-Droid we have put a big emphasis on treating the server as a threat. We want to make it as difficult as possible for a malicious server to do targeted software delivery. Then we're also working to make it as easy as possible for anyone to set up automated auditing systems like https://verification.f-droid.org.

.hc

Natanael:
> Is there any plausible way to get them to only apply verifiable
> modifications? Such as compression using algorithms proven to preserve
> original behavior?
>
> I'm aware that would require a ton of resources (both in development and
> computationally), but is it doable?
>
> - Sent from my phone
>
> On 19 May 2017 at 16:12, "Nathan of Guardian" <[email protected]> wrote:
>
>> On Fri, May 19, 2017, at 07:29 AM, Michael Rogers wrote:
>>> Paranoid people might suspect that this simultaneous move by Apple and
>>> Google is the result of political pressure to provide some means of
>>> adding/removing functionality, such as end-to-end encryption.
>>
>> You read my mind.
>>
>> +n
>> _______________________________________________
>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>> To unsubscribe, email: [email protected]
>>
>

--
PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
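The APK comparison described in the message above, as an added example that is not part of the original post or of F-Droid's tooling: it diffs a locally built APK against the distributed one, entry by entry, skipping the v1 signing files under META-INF/. The function names and the sample archives are constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# v1 (JAR) signing files legitimately differ between a store-signed APK and
# a local build. The APK Signing Scheme v2+ block sits outside the ZIP
# entries, so this entry-level comparison never sees it.
SIGNATURE_RE = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")


def entry_digests(apk):
    """Map each non-signature entry to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir() or SIGNATURE_RE.match(info.filename):
                continue
            # Hashing uncompressed data means recompression alone is not
            # reported as a change; only differing content is.
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(own_build, distributed):
    """Return entries added, removed or changed in the distributed APK."""
    ours, theirs = entry_digests(own_build), entry_digests(distributed)
    return {
        "added": sorted(theirs.keys() - ours.keys()),
        "removed": sorted(ours.keys() - theirs.keys()),
        "changed": sorted(n for n in ours.keys() & theirs.keys()
                          if ours[n] != theirs[n]),
    }


def make_sample_apk(entries):
    """Build an in-memory ZIP standing in for an APK (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    own = make_sample_apk({"classes.dex": b"dex-A", "META-INF/CERT.RSA": b"dev"})
    dist = make_sample_apk({"classes.dex": b"dex-B", "lib/x.so": b"elf",
                            "META-INF/CERT.RSA": b"store"})
    print(compare_apks(own, dist))
```

`compare_apks` also accepts file paths, so it can be pointed at a reproducible build output and the APK pulled from a device.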
