Yeah. Meaning the interesting thing from a privacy perspective that you'd hunt for in the source code is:

1. What data does it collect?
2. What data does it throw over the wire?

When I edit apks (always do) the main effort is replacing data collection stuff with stubs and removing callbacks to googly goog, bugsnag or other data brokers.

> It just requires a massive build environment setup and a ton of work

it's just an app that talks to a server

security

Reverse Engineer OPA?

> Reproducible builds fix this

This. It just requires a massive build environment setup and a ton of work. Probably not worth it. But it can be done where it makes sense.

Does it in this case though? I'm not convinced.