
Provide verifiable builds (muun/apollo) - 8 comments, CLOSED

muun commented on September 27, 2024

Provide verifiable builds

from apollo.

Comments (8)

emanuelb commented on September 27, 2024

Instructions for the reproducible build are published in: https://github.com/muun/apollo/blob/master/BUILD.md#reproducible-build

I also created another Containerfile to compile the app at: #16 (comment)

So you can retest it and publish a newer report at: https://walletscrutiny.com/android/io.muun.apollo/ which currently shows FTBFS (fail to build from source) for an older version, which is no longer the case for the newest version 45.1.


esneider commented on September 27, 2024

Hey @Giszmo, thanks for taking the time to analyze the app and report your results!

We'll add clear instructions for building, and research the viability of having reproducible builds.

Sadly, it appears that the mobile ecosystem is moving in a direction where reproducible builds are harder and harder: https://developer.android.com/platform/technology/app-bundle


Giszmo commented on September 27, 2024

Hi @esneider, yes, app bundles are a big concern of mine too, but that only makes me hurry more with this project, as only education can help to get people to care.

App Bundles are a nightmare to me as they mean that Google gets the release keys and the developer doesn't. This is shifting all trust to Google.

With App Bundles, the developer can assign permissions and revoke them on a per-key basis, assuming the release key doesn't leak, but it leaves the device vulnerable to Google being evil and sending a correctly signed but bad version of your software to whatever target for whatever reason.

Sure, the system as it always was is also flawed, as you can't force an ex-employee to delete the signing key, but simply trusting Google not to be evil appears to me to be the far worse solution.

Spread the word, and I hope you are not using App Bundles already. If you are, please let me know, as this would be of special interest: it would mean that we would have to analyze a combinatorial explosion of apps, and collecting them alone could be difficult. I assume, though, that the diff would only be in missing files compared to the bundle, so verification would still work.

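The reproducible-build check emanuelb asks WalletScrutiny to rerun, and the "only missing files" case Giszmo raises for split APKs, both come down to the same comparison: every zip entry of the official APK against the rebuild, ignoring only the signature entries that the release key necessarily adds. The script below is an added example of that comparison; it is not code from muun/apollo or from WalletScrutiny, and the three in-memory archives it checks are constructed stand-ins for real APKs.

```python
"""Compare two Android APK (zip) archives the way a reproducible-build
verifier would: byte-for-byte per entry, ignoring the signing metadata
under META-INF/ that the developer's release key necessarily adds.
Added example, not part of muun/apollo or WalletScrutiny tooling."""
import hashlib
import io
import zipfile

# JAR (v1) signing artefacts that legitimately differ between an official
# build (signed with the release key) and a from-source rebuild (unsigned
# or signed with a throwaway key).
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")
SIGNATURE_NAMES = ("META-INF/MANIFEST.MF",)


def is_signature_entry(name: str) -> bool:
    """True for entries that carry the APK's v1 signature rather than code."""
    return name in SIGNATURE_NAMES or (
        name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)
    )


def entry_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature entry name to the SHA-256 of its decompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(official: bytes, rebuilt: bytes) -> dict:
    """Return {'changed', 'only_official', 'only_rebuilt'} entry lists.

    All three empty means the rebuild reproduces the official APK apart from
    its signature. Entries in 'only_official' are what a bundle-derived split
    APK would show: files present in the store build but absent from the
    rebuild, which is still a verifiable (if partial) match."""
    a, b = entry_digests(official), entry_digests(rebuilt)
    return {
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
        "only_official": sorted(a.keys() - b.keys()),
        "only_rebuilt": sorted(b.keys() - a.keys()),
    }


def is_reproducible(official: bytes, rebuilt: bytes) -> bool:
    """Strict verdict: no changed, missing or extra entries at all."""
    return not any(compare_apks(official, rebuilt).values())


def make_apk(entries: dict) -> bytes:
    """Build an in-memory zip standing in for an APK (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: an "official" APK with release-key signature files,
# a faithful rebuild without them, and a diverging rebuild whose dex differs
# and which carries an extra asset.
OFFICIAL = make_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 16,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/RELEASE.SF": b"Signature-Version: 1.0\n",
    "META-INF/RELEASE.RSA": b"\x30\x82",  # placeholder, not a real DER blob
})
REBUILT_OK = make_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 16,
})
REBUILT_BAD = make_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00" + b"\xff" * 16,  # differing bytecode
    "assets/extra.bin": b"unexpected",
})

if __name__ == "__main__":
    print("faithful rebuild:", compare_apks(OFFICIAL, REBUILT_OK))
    print("diverging rebuild:", compare_apks(OFFICIAL, REBUILT_BAD))
```

Comparing decompressed entry contents rather than the raw archive bytes also sidesteps zip-level noise (alignment padding, compression level, entry order) that a different toolchain introduces. APK Signature Scheme v2/v3 blocks live outside the zip entry list entirely, so they never show up in this comparison; only the v1 META-INF entries need explicit filtering. A real verification run would feed the store-downloaded APK and the container-built one into `compare_apks` and treat anything in `changed` or `only_rebuilt` as a failed reproduction.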

esneider commented on September 27, 2024

We aren't using app bundles, and we don't plan to use them in the near future.

Since Google controls the operating system, the support library, the Play Services, etc., almost every Android app is already vulnerable to them being evil. I don't think that having reproducible builds protects you from them. It does protect you against other attack vectors, though.


Giszmo commented on September 27, 2024

> We aren't using app bundles, and we don't plan to use them in the near future.

Great! Same here. And I strongly hope there are enough of us so Google can't just force us.

> Since Google controls the operating system, the support library, the Play Services, etc., almost every Android app is already vulnerable to them being evil. I don't think that having reproducible builds protects you from them. It does protect you against other attack vectors, though.

There are people who do not install the Google apps and keep an open stack. Android is still open source, after all. I must admit that investigating dependencies, and their openness and reproducibility in case binaries are used, is still on my to-do list. Do you know that some of those dependencies we all use on Android are not open source?


esneider commented on September 27, 2024

Google Play Services isn't open source, for sure. The rest I don't know.


Giszmo commented on September 27, 2024

> We'll add clear instructions for building, and research the viability of having reproducible builds.

3 months passed. How is the progress on this?


esneider commented on September 27, 2024

We have updated the instructions for building, and we won't be producing reproducible builds for the time being.
