How to be sure that an app on a store is running the open source code?

Question

Let's say for example Bitwarden: How do I know, the app I am installing from the App Store, is running the code that is Open Source and not something else?

Someone · Accepted Answer

You can&rsquo;t even tell that with 100.000% confidence of code you write by hand using &lsquo;echo&rsquo; and run locally.In the end you have to trust your OS. If you write that yourself, you have to trust the CPU. If you build that yourself using discrete components, you have to trust that nobody sneaked a CPU into what you think is a simple NAND gate, or into a wire you used (https://developer.arm.com/ip-products/processors/cortex-m/co... tells me a 32-bit ARM CPU can be 0.008 mm&sup2; and use 5.3 &mu;W/MHz. An attacker probably would need some extras such as memory, but _if_ you happen to be worth it to an attacker with huge resources, these things could end up in surprising places, so you would have to get out your microscope, and look at every single component in detail)With iOS, the &lsquo;only&rsquo; addition is that you have to trust Apple, too. It could change the binary, put code in iOS to change what&rsquo;s running, etc.If you are concerned about that, don&rsquo;t use iOS.

Jaxkr · Answer

With the tools available on an iPhone, you can&rsquo;t! This is a big deal and an important question!The Reproducible Builds project https://reproducible-builds.org/ exists to solve this problem.

2rsf · Answer

Something similar from Israel [1], the official Corona tracking app was supposed to be based on Open Source.
They decompiled the APK, and moved on from there. Note that the code itself is not everything, there are configuration files, databases and some data that comes with the app
[1] https://cybercyber.co.il/?p=151 (use Google translate from Hebrew)

hboon · Answer

Telegram has this https://core.telegram.org/reproducible-builds