On 19/05/17 21:00, Hans-Christoph Steiner wrote:
>
> With iOS, you need to use Apple tools to decrypt your official app
> binary, so there is no way to verify that Apple isn't inserting
> anything.  With Android, we'll still be able to compare APKs.  So if you
> submit an app that was reproducibly built, then you can compare the
> Google APK to your own and see the differences.

If I understand right, one of the selling points for GPAS is that Google
will optimise your app, so the optimised APK (or multiple APKs optimised
for different devices) won't be reproducible unless Google's
optimisations are reproducible (which presumably Google doesn't expect
them to be, otherwise the optimiser would be shipped with Android Studio
rather than run on the server).

> That would not protect users from targeted malware, like what the FBI
> wanted to do in FBI v. Apple.  Google can now join Apple in potentially
> providing that as a service.

Agreed.

> This is why in F-Droid we have put a big emphasis on treating the server
> as a threat.  We want to make it as difficult as possible for a
> malicious server to do targeted software delivery.  Then we're also
> working to make it as easy as possible for anyone to set up automated
> auditing systems like https://verification.f-droid.org.

That's awesome work, and it looks like it's about to get more important
than ever.

Cheers,
Michael

> .hc
>
> Natanael:
>> Is there any plausible way to get them to only apply verifiable
>> modifications? Such as compression using algorithms proven to preserve
>> original behavior?
>>
>> I'm aware that would require a ton of resources (both in development and
>> computationally), but is it doable?
>>
>> - Sent from my phone
>>
>> On 19 May 2017 16:12, "Nathan of Guardian" <[email protected]> wrote:
>>
>>> On Fri, May 19, 2017, at 07:29 AM, Michael Rogers wrote:
>>>> Paranoid people might suspect that this simultaneous move by Apple and
>>>> Google is the result of political pressure to provide some means of
>>>> adding/removing functionality, such as end-to-end encryption.
>>>
>>> You read my mind.
>>>
>>> +n
>>> _______________________________________________
>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>> To unsubscribe, email: [email protected]
>>>
>>
>
_______________________________________________
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email: [email protected]
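
The APK comparison discussed in the thread above, as an added example that is not part of the original messages or any project's own tooling: it diffs a locally built APK against the one a store serves, entry by entry, skipping the JAR-style signature files under META-INF that differ for every signer. The helper names and the sample APK contents are constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# JAR-style (v1) signature files; these always differ between signers.
SIGNATURE_FILE = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")


def entry_digests(apk_bytes):
    """Map each non-signature entry to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or SIGNATURE_FILE.match(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(apk.read(info)).hexdigest()
    return digests


def compare_apks(local_apk, served_apk):
    """Report entries the served APK adds, removes or changes versus the local build."""
    local, served = entry_digests(local_apk), entry_digests(served_apk)
    return {
        "added": sorted(served.keys() - local.keys()),
        "removed": sorted(local.keys() - served.keys()),
        "changed": sorted(n for n in local.keys() & served.keys()
                          if local[n] != served[n]),
    }


def make_apk(entries):
    """Build an in-memory zip standing in for an APK (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed samples: the "served" copy is re-signed, has a modified
# classes.dex, drops one resource and gains a native library.
LOCAL_ENTRIES = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex-v1",
                 "res/raw/notes.txt": b"hello", "META-INF/CERT.RSA": b"dev-sig"}
SERVED_ENTRIES = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex-v1-opt",
                  "lib/arm64-v8a/libextra.so": b"\x7fELF", "META-INF/CERT.RSA": b"store-sig"}
LOCAL_APK, SERVED_APK = make_apk(LOCAL_ENTRIES), make_apk(SERVED_ENTRIES)

if __name__ == "__main__":
    for kind, names in compare_apks(LOCAL_APK, SERVED_APK).items():
        print(kind, names)
```

Server-side optimisation of the kind described above would show up here as "changed" entries, which is why it defeats this check unless the optimisation itself is reproducible. APK Signature Scheme v2 and later store the signature outside the zip entries, so this comparison does not look at it.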
