Rahul Iyer

Reputation: 21025

How does one verify that the app store version of an open source app is running the same code?

There are many "open source" apps like K-9 Mail on the Android app store. If I compile and build the source code myself, I can be sure that the resulting APK will indeed do what the source code says it will do.

But how can I verify that the APK submitted to the store is actually the result of compiling the same source? What is to stop the makers of K-9 from inserting malicious code in the version submitted to the app store? I don't see any hash or other way of verifying the source.

(K-9 is just an example).

Upvotes: 1

Views: 174

Answers (1)

CommonsWare

Reputation: 1007296

Compare the contents of the APKs: the one you pull off the device (that you got from the Play Store or wherever) and the one that you compiled yourself. If the compiled classes differ, then there may be cause for deeper investigation. It's possible the differences come from differences in compilers, bytecode converters, or obfuscator settings. Or, it's possible that the differences are indicative of "malicious code". That work is up to you.

Or, use a store like F-Droid that compiles from source itself.

Or, just use the version that you compiled from source yourself.

Upvotes: 1
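The comparison this answer describes can be scripted, since an APK is a ZIP archive: hash every entry in the store APK and in your own build, then list what is missing, added, or different. The following is an added example and not code from the answer or from any app project; the two "APKs" it compares are constructed in memory, and the decision to skip `META-INF/` is an assumption of the example (a store-signed APK and a locally signed build always differ there, whether or not the compiled code matches).

```python
"""Compare the contents of two APKs entry by entry.

Added example, not part of the original answer. An APK is a ZIP archive, so
the comparison hashes every member of each archive and reports entries that
differ, are missing, or were added. Signature files under META-INF/ are
skipped by default because a store-signed APK and a locally signed build will
always differ there, even when the compiled code is identical.
"""
import hashlib
import io
import zipfile

SIGNATURE_PREFIX = "META-INF/"


def entry_digests(apk_bytes: bytes, skip_signatures: bool = True) -> dict:
    """Return {entry_name: sha256_hex} for every file in the archive."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if skip_signatures and info.filename.startswith(SIGNATURE_PREFIX):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(store_apk: bytes, local_apk: bytes) -> dict:
    """Return which entries exist on only one side and which differ in content."""
    store = entry_digests(store_apk)
    local = entry_digests(local_apk)
    common = set(store) & set(local)
    return {
        "only_in_store": sorted(set(store) - set(local)),
        "only_in_local": sorted(set(local) - set(store)),
        "changed": sorted(n for n in common if store[n] != local[n]),
        "identical": sorted(n for n in common if store[n] == local[n]),
    }


def make_apk(entries: dict) -> bytes:
    """Build a minimal ZIP in memory standing in for an APK (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample APKs: the "store" build carries different bytecode and an
# extra native library; the signature blocks differ and are ignored by default.
STORE_APK = make_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.mail'/>",
    "classes.dex": b"dex\n035\x00STORE-BYTECODE",
    "lib/arm64-v8a/libextra.so": b"\x7fELF-extra",
    "META-INF/CERT.RSA": b"store-signature",
})
LOCAL_APK = make_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.mail'/>",
    "classes.dex": b"dex\n035\x00LOCAL-BYTECODE",
    "META-INF/CERT.RSA": b"my-signature",
})

if __name__ == "__main__":
    report = compare_apks(STORE_APK, LOCAL_APK)
    for key, names in report.items():
        print(f"{key}: {names}")
```

For real files, read the APK you pulled from the device and your own build with `open(path, "rb").read()` and pass them to `compare_apks`. A changed `classes.dex` is the starting point, not the verdict: as the answer says, a different compiler, dexer, or obfuscator configuration also produces different bytecode, so the next step is to decompile both and inspect the diff. An entry that exists only in the store build (an extra native library, for instance) is harder to explain away and deserves a closer look.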
