pull down to refresh

30 sats \ 5 replies \ @ek OP 20h \ on: Reverse Engineer OPA? security
I also think this is wrong:
you cannot verify the code of an app even if you had access to the repo
ā€” #897466
Reproducible builds fix this. You can't verify the code that runs on a server but afaik, you can verify if the app you downloaded is what you would get if you build it yourself from the source code.
write
preview
41 sats \ 2 replies \ @optimism 18h
Reproducible builds fix this
This. It just requires a massive build environment setup and a ton of work. Probably not worth it. But it can be done where it makes sense.
Does it in this case though? I'm not convinced.
reply
100 sats \ 1 reply \ @ek OP 14h
It just requires a massive build environment setup and a ton of work
it's just an app that talks to a server
reply
0 sats \ 0 replies \ @optimism 4h
Yeah. Meaning the interesting thing from a privacy perspective that you'd hunt for in the source code is:
  1. What data does it collect?
  2. What data does it throw over the wire?
When I edit apks (always do) the main effort is replacing data collection stuff with stubs and removing callbacks to googly goog, bugsnag or other data brokers.
reply
34 sats \ 1 reply \ @SimpleStacker 19h
I wonder if ideas from zero knowledge proofs can be used to verify what code a server is running without having to reveal the entire source code of the server. I'm talking way out of my league here, but it was just a thought.
reply
0 sats \ 0 replies \ @optimism 18h
I'm sure you can express anything in lattices but do you really want to do this if you can just use nostr and extend that with an interactive ZK protocol? Lotta years of frustrating work vs just half a year of work.
reply