Who’s to say that the “live” version you are using is the same as the codebase you are looking at?

Not all software is checksummed. And even if it were… how would you verify App Store installs?

Web clients are easier to verify … but only by “naked eye” inspection of the ENTIRE codebase downloaded to your browser. 

And if the client has a back end API at all … any server (including any relay) can be set up with backdoors for access to database or raw traffic. No telling what’s running in a black box server. Ever.  
It isn't hard to look in source code for connections made by the client (should be none outside of the chosen relays). But it is not practical to personally audit the source of every app you use.

Obtainium removes some intermediaries like play store as you get a build of what is on GitHub.

F-droid does its own builds and has stricter policies and does some auditing. Aurora store does some privacy auditing of binaries. You have to trust them though

No easy answers
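A runtime complement to the "look for connections outside the chosen relays" check above, added here as an example (it is not code from this thread or from any Nostr client): instead of reading the whole bundle by eye, wrap the two APIs a web page uses to reach a server, `WebSocket` and `fetch`, and refuse any endpoint that is not the page's own origin or one of the relays the user chose. The relay hostnames and the client origin are made up for illustration; the guard has to be installed before the client's own code runs (a user script or extension is the usual place).

```javascript
// Added example (not code from the original thread or any Nostr client):
// a runtime egress allowlist for a browser-based client. Hostnames and the
// client origin used here are made up for illustration.

// Normalise a chosen relay URL to "host[:port]" so that
// "wss://relay.example/" and "wss://relay.example" compare equal.
function relayKey(rawUrl) {
  const u = new URL(rawUrl);
  if (u.protocol !== "wss:" && u.protocol !== "ws:") {
    throw new Error(`relay URL must use ws(s)://, got ${rawUrl}`);
  }
  return u.host.toLowerCase();
}

// Decide whether a connection attempt may proceed. `base` is the client's
// own page URL, used to resolve relative URLs the way the browser would.
// Anything unparsable fails closed.
function isAllowedEndpoint(rawUrl, allowedHosts, base) {
  let u;
  try {
    u = new URL(rawUrl, base);
  } catch {
    return false;
  }
  // The client's own assets (HTML, JS, CSS, images) come from its origin.
  if (base && u.origin === new URL(base).origin) return true;
  // Everything else must be a chosen relay host, over a websocket or over
  // HTTP(S) (Nostr relays serve their NIP-11 information document over
  // HTTPS on the same host). Host matching is exact, so
  // "relay.example.evil.example" does not match "relay.example".
  const ok = ["wss:", "ws:", "https:", "http:"].includes(u.protocol);
  return ok && allowedHosts.has(u.host.toLowerCase());
}

// Install the guard on a global object (window in the browser; any object
// in a test). Blocked attempts are recorded so the user can see exactly
// what the client tried to reach.
function installEgressGuard(globalObj, relayUrls, base) {
  const allowed = new Set(relayUrls.map(relayKey));
  const blocked = [];
  const OrigWebSocket = globalObj.WebSocket;
  const origFetch = globalObj.fetch;

  if (typeof OrigWebSocket === "function") {
    const GuardedWebSocket = function (url, protocols) {
      const target = String(url);
      if (!isAllowedEndpoint(target, allowed, base)) {
        blocked.push({ kind: "websocket", url: target });
        throw new Error(`egress blocked: WebSocket to ${target}`);
      }
      return new OrigWebSocket(url, protocols);
    };
    // Keep `instanceof WebSocket` and the ready-state constants working.
    GuardedWebSocket.prototype = OrigWebSocket.prototype;
    for (const k of ["CONNECTING", "OPEN", "CLOSING", "CLOSED"]) {
      if (k in OrigWebSocket) GuardedWebSocket[k] = OrigWebSocket[k];
    }
    globalObj.WebSocket = GuardedWebSocket;
  }

  if (typeof origFetch === "function") {
    globalObj.fetch = function guardedFetch(input, init) {
      // `input` may be a string, a URL object or a Request (which has .url).
      const target =
        typeof input === "string" ? input : String(input.url ?? input);
      if (!isAllowedEndpoint(target, allowed, base)) {
        blocked.push({ kind: "fetch", url: target });
        return Promise.reject(new Error(`egress blocked: fetch to ${target}`));
      }
      return origFetch.call(globalObj, input, init);
    };
  }

  return { allowed, blocked };
}

// Usage in a browser (assumed page origin and relays, for illustration):
// const guard = installEgressGuard(window,
//   ["wss://relay-a.example", "wss://relay-b.example:7777"],
//   window.location.href);
// ... later, inspect guard.blocked to see what the client tried to reach.
```

Caveat: this only covers connections made through these two APIs in the guarded page; `<img>`/`<script>` tags, service workers, WebRTC and beacons are other egress paths, and a bundle that runs before the guard can keep a reference to the original constructors. Browser-enforced Content-Security-Policy (`connect-src`) is the robust form of the same allowlist, but it has to be set by the server or the bundle you were trying not to trust in the first place.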