Unfortunately, I am too stupid to know. I just know that the red alert looks scary.
I agree that the red alert looks scary. I wasn’t aware this was what the app looked like while I was still figuring out my open-source strategy. I think I will delist it for now. Thanks for bringing this to my attention. Unfortunately, just because a developer publishes source code for the app doesn't mean that's the source code you downloaded in the app. This is a complex problem that I’m not sure is solvable.
Isn't this what the APK signature is for? To make sure the APK package hasn't been tampered with after publishing?
Sure, but how do you know the APK is the repository's source code? I can sign a malicious APK, and the signature will still be valid.
I simply do not know.
Neither do I, which is why I'm skeptical of “open-source” apps and view them as a form of security theater: something that appears more secure but isn't. The worst thing that can happen is that, in the name of open source, an app developer accidentally publishes secrets, which allows an attacker to publish a malicious version of the app that leaks every user key. If I publish the source of my app, I will take care to ensure that the source code can't be built and released maliciously.