
Question

When thinking about which messaging solution to use on my new "smart"phone I reflexively tended towards open source products, figuring that I could trust these more to actually provide the security they promise.

Now that I have decided which to use and installed the app from an app store, I have been asking myself: even if I had checked the source code (I'll admit I have just been assuming that someone did), how could I know that that is what I installed?

I see at least two potential attack vectors:

1. The app provider can ship different code than what they publish (e.g. via Github).
2. The app store owner (i.e. Google, Apple, ...) can change the shipped code.

I estimate that as little as one or two extra (or missing) lines can render even the most solid setup completely open to attack without the user being the wiser.

So, is there a way (preferably an automated one) to verify that the apk I downloaded from the app store matches the code I can see elsewhere?

Explanation / Answer

Here is an idea of how you could verify the integrity of source code in a binary package:

Download the apk from a distributor, such as Google Play, and store the apk locally. Then compile the source code into an apk to create a sort-of identical version of the app.

Then do a binary comparison of the 2 apk files, look for any differences and note their location. Then disassemble both items with a tool such as IDA Pro and manually check what the differences in the code are.

You can expect some differences, because the signing certificates won't match, but the underlying code should be the same, if not identical.

As an example, you might see that the Google version of the app has several functions that are not present in the source, which can indicate some modifications to the original source.
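The comparison step above can be automated for the part that is mechanical: an APK is a ZIP archive, so the store copy and the locally built copy can be compared entry by entry, with the signing artefacts under META-INF/ set aside so that the expected certificate difference does not drown out the interesting ones. The script below is an added example, not code from the original answer or from any project; it uses only the Python 3 standard library and, when run without arguments, exercises itself on two constructed APK-shaped ZIPs (the entry names mimic a real APK, the contents are made up).

```python
"""Compare two APKs entry by entry, skipping the signature files.

Signing (jarsigner / apksigner) adds META-INF/MANIFEST.MF, *.SF and the
*.RSA/*.DSA/*.EC certificate block; the v2/v3 APK signature lives in a ZIP
block outside the entry table, so comparing entry contents while ignoring
META-INF/ isolates code and resource differences from certificate differences.
"""
import hashlib
import io
import sys
import zipfile

SIGNATURE_PREFIX = "META-INF/"


def entry_digests(apk_bytes):
    """Map entry name -> SHA-256 of its uncompressed content, skipping META-INF/."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(SIGNATURE_PREFIX):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(store_apk, built_apk):
    """Return the entries only in the store copy, only in the local build,
    and those present in both but with different content."""
    store = entry_digests(store_apk)
    built = entry_digests(built_apk)
    return {
        "only_in_store": sorted(set(store) - set(built)),
        "only_in_built": sorted(set(built) - set(store)),
        "modified": sorted(n for n in set(store) & set(built) if store[n] != built[n]),
    }


def make_apk(entries):
    """Build an in-memory ZIP from {name: bytes}. Used only for constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Constructed scenario: the store copy carries a one-byte change in
    classes.dex and an extra native library; the signature files differ too
    but must not show up in the report."""
    common = {"AndroidManifest.xml": b"<manifest/>", "resources.arsc": b"\x02\x00"}
    built = make_apk({**common,
                      "classes.dex": b"dex\n035\x00" + b"A" * 64,
                      "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    store = make_apk({**common,
                      "classes.dex": b"dex\n035\x00" + b"A" * 63 + b"B",
                      "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nCreated-By: store\n",
                      "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
                      "META-INF/CERT.RSA": b"\x30\x82",
                      "lib/arm64-v8a/libextra.so": b"\x7fELF"})
    return compare_apks(store, built)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f_store, open(sys.argv[2], "rb") as f_built:
            report = compare_apks(f_store.read(), f_built.read())
    else:
        report = demo()
    for key, names in report.items():
        print(f"{key}: {names if names else '(none)'}")
```

Run it as `python compare_apk.py store.apk built.apk` after building the source with the project's own toolchain. Any name listed under `modified` or `only_in_store` is where the manual disassembly step from the answer should start; with `classes.dex` in particular, decompiling both copies and diffing the output is far more readable than a raw byte diff. Expect `classes.dex` and `resources.arsc` to differ even for an honest build unless the project deliberately supports reproducible builds (identical compiler, SDK, build tools and timestamps), so a non-empty report is a prompt to investigate rather than proof of tampering.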
