A lot of Android apps are open source, but how can we make sure the person who finally uploads to the Google Market does not include some spyware just before uploading?

Background: Mobile app security seems to be a growing concern, and I would like to reassure the users of my open source Android app. Solutions that require modifying the deployment process or application content are acceptable too.

2012 update: This is going in the right direction: http://f-droid.org/ They check the apps and compile them into APKs that they distribute. That being said, I would trust them more if they were Mozilla or Apache...

Nicolas Raoul

1 Answer

Take a look at https://stackoverflow.com/questions/249106/how-can-you-give-users-confidence-that-your-application-has-no-malicious-intent for some related information.

You could of course take the source and build/compile it yourself and compare the resulting binary to the uploaded one, but this somehow defeats the purpose of binary distribution. And it still wouldn't help in cases where the source code does contain malicious code. Or maybe build a safe, i.e. trusted reference binary and then publish the checksum for comparison?

Apart from that, this problem really is not specific to open source software. In the end, it all boils down to trust.

Greg S
    There is some crypto going on when generating an APK, so I guess binary comparison does not work. How to create this "trusted reference binary"? The only solution I can imagine would be a big open source foundation having a system that has the APK packaging key, reads the source from a public source repository, and outputs a signed APK. I don't know any foundation doing this. – Nicolas Raoul Jun 24 '10 at 08:14
  • Have any of your users asked for something like this? Because it seems like massive overkill unless your application is asking for some dodgy permissions for a legitimate reason. – stealthcopter Sep 09 '10 at 02:17
  • @stealthcopter: No user complained, and I would understand if they did. Software security is never overkill. On my computer I only install software compiled by myself or by a few trusted sources; no reason to be more indulgent for my phone. – Nicolas Raoul Feb 28 '11 at 06:41
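One way to carry out the "build it yourself and compare" check from the answer while tolerating the re-signing raised in the comments, as an added example that is not part of this thread: an APK is a ZIP file, so compare the SHA-256 of every entry in a locally built APK against the published one and skip only the JAR-signature files under META-INF/. The sample APKs below are constructed in-memory ZIPs, and a real check assumes a reproducible build (same SDK and build tools) of the published source.

```python
import hashlib
import io
import zipfile

# Entries that carry the JAR (APK v1) signature; they differ between a
# developer's build and the Market upload even when the code is identical.
SIGNATURE_PREFIX = "META-INF/"
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def is_signature_entry(name: str) -> bool:
    """Return True for the JAR-signing files inside META-INF/."""
    return name.startswith(SIGNATURE_PREFIX) and name.upper().endswith(SIGNATURE_SUFFIXES)


def content_digests(apk_bytes: bytes) -> dict:
    """Map every non-signature ZIP entry to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(reference: bytes, published: bytes) -> list:
    """Return human-readable differences; an empty list means the payloads match."""
    ref, pub = content_digests(reference), content_digests(published)
    problems = []
    for name in sorted(set(ref) | set(pub)):
        if name not in pub:
            problems.append(f"missing in published APK: {name}")
        elif name not in ref:
            problems.append(f"extra file in published APK: {name}")
        elif ref[name] != pub[name]:
            problems.append(f"content differs: {name}")
    return problems


def build_apk(entries: dict) -> bytes:
    """Constructed stand-in for an APK: a ZIP holding the given name -> bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data (not real APKs): same code, different signing certificate.
CODE = {"classes.dex": b"dex\n035\x00" + b"A" * 64,
        "AndroidManifest.xml": b"<manifest/>", "res/layout/main.xml": b"<layout/>"}
REFERENCE_APK = build_apk({**CODE, "META-INF/MANIFEST.MF": b"mf-dev",
                           "META-INF/CERT.SF": b"sf-dev", "META-INF/CERT.RSA": b"developer-cert"})
PUBLISHED_APK = build_apk({**CODE, "META-INF/MANIFEST.MF": b"mf-mkt",
                           "META-INF/CERT.SF": b"sf-mkt", "META-INF/CERT.RSA": b"uploader-cert"})
TAMPERED_APK = build_apk({**CODE, "classes.dex": CODE["classes.dex"] + b"extra-payload",
                          "META-INF/CERT.RSA": b"uploader-cert"})
```

`compare_apks(REFERENCE_APK, PUBLISHED_APK)` returns an empty list because only the signature files differ, while the tampered package is reported as `content differs: classes.dex`.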