How to make sure that the Android application is really compiled from the specified source code?

Many Android apps are open source, but how can we make sure that the person who finally uploads the app to the Google Market does not include some spyware before uploading?

Background: Mobile app security seems to be a growing issue, and I would like to reassure users of my open source Android app. Solutions requiring changes to the deployment process or application content are also acceptable.

2012 update: This is going in the right direction: http://f-droid.org/ They test applications and compile them into the apk that they distribute. Having said that, I would trust them more if they were Mozilla or Apache ...

1 answer

See https://stackoverflow.com/questions/249106/how-can-you-give-users-confidence-that-your-application-has-no-malicious-intent for some related information.

Of course, you can take the source code and build / compile it yourself and compare the resulting binary with the downloaded one, but this somehow defeats the goal of binary distribution. And this still will not help in cases where the source code itself contains malicious code. Or maybe create a safe one, i.e. a trusted reference binary, and then publish the checksum for comparison?

Also, this problem is really not specific to open source software. In the end, it all comes down to trust.

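As an added example (not part of the question or the answer above), the comparison the answer suggests can be made more useful than a single whole-file checksum: an APK is a ZIP archive, and a signed download differs from a locally built, unsigned one at least in the `META-INF/` signature entries, so comparing the hash of the whole file always fails. The script below hashes every non-signature entry of both archives and reports which entries were added, removed or modified. It assumes the build is reproducible (same toolchain and inputs give identical `classes.dex` and resources); the APK contents are constructed in memory so it runs offline.

```python
"""Compare a locally built APK with a downloaded one, entry by entry.
A signed APK adds META-INF/ entries; everything else should be identical
to the local build if the build is reproducible (an assumption here)."""
import hashlib
import io
import zipfile

SIGNATURE_PREFIX = "META-INF/"   # v1 (JAR) signature files live here

def entry_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature entry name to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith(SIGNATURE_PREFIX) or name.endswith("/"):
                continue  # skip signature files and directory entries
            digests[name] = hashlib.sha256(zf.read(name)).hexdigest()
    return digests

def compare_apks(local_apk: bytes, downloaded_apk: bytes) -> dict:
    """Return entries missing from, added to, or modified in the download."""
    local, remote = entry_digests(local_apk), entry_digests(downloaded_apk)
    return {
        "missing": sorted(set(local) - set(remote)),
        "added": sorted(set(remote) - set(local)),
        "modified": sorted(n for n in local if n in remote and local[n] != remote[n]),
    }

def build_apk(entries: dict) -> bytes:
    """Constructed stand-in for an APK: a ZIP holding the given name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample data: the same build, once unsigned and once signed.
LOCAL_BUILD = build_apk({"classes.dex": b"dex\n035", "AndroidManifest.xml": b"<manifest/>"})
SIGNED_DOWNLOAD = build_apk({"classes.dex": b"dex\n035", "AndroidManifest.xml": b"<manifest/>",
                             "META-INF/CERT.RSA": b"signature"})
# Constructed sample of a download whose classes.dex was changed and which gained a library.
TAMPERED_DOWNLOAD = build_apk({"classes.dex": b"dex\n035x", "AndroidManifest.xml": b"<manifest/>",
                               "lib/armeabi/libextra.so": b"ELF", "META-INF/CERT.RSA": b"signature"})

if __name__ == "__main__":
    print(compare_apks(LOCAL_BUILD, SIGNED_DOWNLOAD))    # all three lists empty
    print(compare_apks(LOCAL_BUILD, TAMPERED_DOWNLOAD))  # classes.dex modified, .so added
```

Because entry contents rather than the ZIP container are hashed, differing entry timestamps or compression levels do not cause false alarms; APK v2/v3 signing blocks sit outside the entries, so they are ignored too. A real-world run would read the two `.apk` files from disk instead of the constructed archives.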

Source: https://habr.com/ru/post/1313731/
