 Use an open source client, can verify there's no back door 
 Code auditing service 🤔 
 Nobody is auditing the code. We find out when a dev stumbles upon a bug through sheer luck.  
 I’m wondering how many people are going through the code? Also, Mullvad is an open source VPN, but they require access to your private key for generating a WireGuard config; there's no option to generate it solely with the public key. Consequently, they have the capability to monitor your traffic in plaintext in every scenario. But Mullvad is being shared all over under the claim “open source”. 
 Mullvad does not need your private key to generate a WireGuard config. They do not need your private key for anything. 
 Who’s to say that the “live” version you are using is the same as the codebase you are looking at? 

Not all software is checksummed. And even if it were… how would you verify App Store installs?

Web clients are easier to verify … but only by “naked eye” inspection of the ENTIRE codebase downloaded to your browser. 

And if the client has a back end API at all … any server (including any relay) can be set up with backdoors for access to database or raw traffic. No telling what’s running in a black box server. Ever.  
 It isn't hard to look in source code for connections made by the client (there should be none outside of the chosen relays). But it is not practical to personally audit the source of every app you use.

Obtainium removes some intermediaries like play store as you get a build of what is on GitHub.

F-droid does its own builds and has stricter policies and does some auditing. Aurora store does some privacy auditing of binaries. You have to trust them though

No easy answers