by lost_name 3171 days ago
Wouldn't this be true for any open source application you don't compile from the source?

There's something called deterministic compilation: https://en.wikipedia.org/wiki/Deterministic_compilation

Debian is trying to get reproducible builds for their packages.

I don't know enough about iOS to say anything about that.

How does that help if you aren't compiling?
Because someone you trust can compile and verify that the source they audited matches the binary you got from the app store.
So how do you do this in practice? Do you just send some guy (that you trust!) hashes of all the files on your system and hope that he spots the backdoored binary soon enough?

Perhaps there's some false assumption there that the "app store" will serve everyone a backdoored binary, instead of performing almost undetectable targeted attacks.
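
The check discussed in this thread, as an added example that is not part of any comment above: each user hashes the binary they actually received and compares it with digests published by independent rebuilders who compiled the audited source. Because every recipient checks their own copy, a binary served to only one target would also fail. The rebuilder names, the threshold policy and the sample bytes are constructed assumptions.

```python
import hashlib


def sha256_hex(data):
    """Hex SHA-256 digest of the artifact bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_against_rebuilders(artifact, attestations, trusted, threshold):
    """Compare the received artifact with digests from independent rebuilders.

    attestations: rebuilder name -> digest obtained by building audited source
    trusted:      rebuilder names this user chooses to trust (assumed policy)
    threshold:    minimum number of trusted rebuilders that must agree
    """
    local = sha256_hex(artifact)
    agree, disagree = [], []
    for name, digest in sorted(attestations.items()):
        if name not in trusted:
            continue  # digests from unknown parties carry no weight
        (agree if digest.lower() == local else disagree).append(name)

    if disagree:
        # Either the build is not reproducible or this copy differs
        # from the one built from the audited source.
        status = "mismatch"
    elif len(agree) >= threshold:
        status = "verified"
    else:
        status = "insufficient"
    return {"status": status, "local": local,
            "agree": agree, "disagree": disagree}


# Constructed sample data: a "store" binary and an altered copy of it.
STORE_BINARY = b"constructed app build 1.0\n"
ALTERED_BINARY = STORE_BINARY + b"extra payload"
ATTESTATIONS = {
    "alice": sha256_hex(STORE_BINARY),
    "bob": sha256_hex(STORE_BINARY),
    "mallory": sha256_hex(ALTERED_BINARY),  # not in the trusted set
}
TRUSTED = {"alice", "bob"}

if __name__ == "__main__":
    for label, blob in (("store", STORE_BINARY), ("altered", ALTERED_BINARY)):
        result = verify_against_rebuilders(blob, ATTESTATIONS, TRUSTED, 2)
        print(label, result["status"], result["agree"], result["disagree"])
```

This only works when the build is deterministic, so that a trusted rebuilder and the distributor produce bit-identical output from the same source.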