
SirCB85 t1_j9xso2m wrote

They allow you to compile your own executable of the app from the code visible on GitHub (for systems that allow sideloading, sorry Apple fans).

7

carlosvega t1_j9y2aau wrote

Yeah, that I know, but I was wondering if they publish the md5 of the apk or compiled app so that you can test later on or something. Or if it’s possible to check the md5 of the downloaded apps from the store. I am not sure why I am downvoted, I think it is a legitimate question.

Some bad guys could fork the app, add some changes and publish it in third party stores.

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/open-source-apps-google-play

Something similar to this: https://www.infosecurity-magazine.com/news/malicious-python-libraries-found/

And I am not the first one asking this question:

https://opensource.stackexchange.com/questions/11098/what-guarantees-that-the-published-app-matches-the-published-open-source-code

Edit: a colleague just shared this with me! https://signal.org/blog/reproducible-android/

3
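The two checks carlosvega is asking about, as an added example that is neither from this thread nor Signal's own apkdiff tool: a whole-file SHA-256 comparison against a digest a project might publish, and a reproducible-build style comparison that ignores the META-INF/ signature entries so a store-served APK can be compared with one compiled from the GitHub checkout. All APK contents, digests and names below are constructed sample data.

```python
import hashlib
import io
import zipfile

def build_apk(entries):
    """Build an in-memory ZIP (an APK is a ZIP) from {name: bytes}. Constructed data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in sorted(entries.items()):
            zf.writestr(name, data)
    return buf.getvalue()

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def whole_file_matches(apk_bytes, published_sha256):
    """Direct check against a digest the project publishes (hypothetical value). Only
    meaningful for the very same signed file; a store build re-signed with another
    key never matches, which is what apkdiff() is for."""
    return sha256_hex(apk_bytes) == published_sha256.lower()

def content_digests(apk_bytes):
    """SHA-256 per entry, skipping META-INF/ where the signature lives: a store build
    and a local build differ there even when the compiled code is identical."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {i.filename: sha256_hex(zf.read(i)) for i in zf.infolist()
                if not i.is_dir() and not i.filename.startswith("META-INF/")}

def apkdiff(store_apk, local_apk):
    """(entry, reason) differences of the unsigned contents; [] means reproducible."""
    a, b = content_digests(store_apk), content_digests(local_apk)
    diffs = []
    for name in sorted(set(a) | set(b)):
        if name not in a:
            diffs.append((name, "only in local build"))
        elif name not in b:
            diffs.append((name, "only in store build"))
        elif a[name] != b[name]:
            diffs.append((name, "content differs"))
    return diffs

# Constructed samples: the same compiled code unsigned and store-signed, plus a
# build whose classes.dex was altered before being re-signed with another key.
CODE = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00good",
        "resources.arsc": b"res"}
LOCAL_APK = build_apk(CODE)
STORE_APK = build_apk({**CODE, "META-INF/MANIFEST.MF": b"mf", "META-INF/CERT.RSA": b"store"})
MODIFIED_APK = build_apk({**CODE, "classes.dex": b"dex\n035\x00altered",
                          "META-INF/CERT.RSA": b"other"})
```

apkdiff(STORE_APK, LOCAL_APK) returns [] while apkdiff(MODIFIED_APK, LOCAL_APK) returns [('classes.dex', 'content differs')]; in practice the "local" side is the APK you compiled from the repository and the "store" side the one the store served.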