by tdons 1983 days ago
I imagine it's non-trivial. I think it would involve (in case of iOS):

1. downloading the binary

2. jailbreaking the phone to extract the binary (pretty sure this is necessary on iOS)

3. check the version of the binary, then compile the original sources of the version

4. ??? compare the two binaries, this is likely the most difficult part, they won't be identical because of things like codesigning (and build flags, timestamps, ...)

I know no one that does this.

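Step 4 above (comparing a store build against a local build that will never be byte-identical) is the part that usually stops people. The script below is an added example, not code from this thread or from any app mentioned in it: it walks the Mach-O load commands of two 64-bit images, drops the commands a signing step rewrites (LC_UUID and LC_CODE_SIGNATURE, plus the signature blob the latter points at), and diffs what is left section by section. It also counts bytes that no section or signature accounts for, so a difference cannot hide in a region the diff skipped. The two "builds" are tiny constructed Mach-O files assembled in the script itself (one segment, one section, no fat headers, no inter-section padding); they are not loadable executables, and real binaries will also differ in build-flag and timestamp-driven fields that this example does not normalise.

```python
"""Diff two 64-bit Mach-O images modulo code signing. Added example with
constructed sample binaries; assumes little-endian MH_MAGIC_64 files whose
sections sit back to back with no padding (true for the samples, rarely for
a real app, where you would extend the 'covered' bookkeeping)."""
import struct
from typing import Dict, List, Tuple

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
LC_UUID = 0x1B
LC_CODE_SIGNATURE = 0x1D
VOLATILE_CMDS = {LC_UUID, LC_CODE_SIGNATURE}  # rewritten by every signing step


def parse_macho(blob: bytes) -> Tuple[List[bytes], Dict[str, bytes], int]:
    """Return (stable load commands, {'seg,sect': bytes}, uncovered byte count)."""
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<IiiIIIII", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    covered = [(0, 32 + sizeofcmds)]          # header plus load commands
    stable_cmds: List[bytes] = []
    sections: Dict[str, bytes] = {}
    off = 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        raw = blob[off:off + cmdsize]
        off += cmdsize
        if cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from("<II", raw, 8)
            covered.append((dataoff, dataoff + datasize))  # signature blob is expected to differ
        if cmd in VOLATILE_CMDS:
            continue                          # skip, but only these two commands
        stable_cmds.append(raw)
        if cmd == LC_SEGMENT_64:
            segname = raw[8:24].rstrip(b"\0").decode()
            nsects = struct.unpack_from("<I", raw, 64)[0]
            for i in range(nsects):           # section_64 entries follow the command
                s = 72 + 80 * i
                sectname = raw[s:s + 16].rstrip(b"\0").decode()
                size, fileoff = struct.unpack_from("<QI", raw, s + 40)
                sections[f"{segname},{sectname}"] = blob[fileoff:fileoff + size]
                covered.append((fileoff, fileoff + size))
    uncovered = len(blob) - sum(hi - lo for lo, hi in covered)
    return stable_cmds, sections, uncovered


def compare_builds(a: bytes, b: bytes) -> Dict[str, object]:
    """Report every difference that is NOT explained by code signing."""
    cmds_a, secs_a, extra_a = parse_macho(a)
    cmds_b, secs_b, extra_b = parse_macho(b)
    differing = [n for n in sorted(set(secs_a) | set(secs_b)) if secs_a.get(n) != secs_b.get(n)]
    return {
        "load_commands_equal": cmds_a == cmds_b,
        "differing_sections": differing,
        "unaccounted_bytes": (extra_a, extra_b),  # anything here was never compared
    }


def builds_match(a: bytes, b: bytes) -> bool:
    r = compare_builds(a, b)
    return bool(r["load_commands_equal"]) and not r["differing_sections"] \
        and r["unaccounted_bytes"] == (0, 0)


def build_sample(text: bytes, uuid: bytes, signature: bytes) -> bytes:
    """Constructed minimal Mach-O: one __TEXT,__text section, LC_UUID, and an
    LC_CODE_SIGNATURE pointing at a trailing blob. Not a loadable image."""
    cmds_size = 72 + 80 + 24 + 16
    text_off = 32 + cmds_size
    sig_off = text_off + len(text)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 3, cmds_size, 0, 0)
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72 + 80, b"__TEXT",
                      0x100000000, len(text), text_off, len(text), 5, 5, 1, 0)
    sect = struct.pack("<16s16sQQIIIIIIII", b"__text", b"__TEXT", 0x100000000 + text_off,
                       len(text), text_off, 4, 0, 0, 0x80000400, 0, 0, 0)
    uuid_cmd = struct.pack("<II16s", LC_UUID, 24, uuid)
    sig_cmd = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, sig_off, len(signature))
    return header + seg + sect + uuid_cmd + sig_cmd + text + signature


# Constructed inputs: the same stub "function" signed two ways, and a tampered copy.
TEXT = bytes.fromhex("554889e5b8010000005dc3")           # push rbp; mov rbp,rsp; mov eax,1; pop rbp; ret
STORE_BUILD = build_sample(TEXT, bytes(range(16)), b"STORE-SIGNATURE-BLOB")
LOCAL_BUILD = build_sample(TEXT, bytes(16), b"ADHOC-SIG")
TAMPERED = build_sample(TEXT[:5] + b"\x02" + TEXT[6:],   # mov eax,2 instead of 1
                        bytes(range(16)), b"STORE-SIGNATURE-BLOB")

if __name__ == "__main__":
    print("store vs local :", compare_builds(STORE_BUILD, LOCAL_BUILD))
    print("store vs tampered:", compare_builds(STORE_BUILD, TAMPERED))
```

The raw files STORE_BUILD and LOCAL_BUILD are not equal (different UUID, different signature blob), yet `builds_match` reports them as the same build because every difference lives in a region the signing step owns; the tampered copy is caught because the one changed byte is inside `__TEXT,__text`. The `unaccounted_bytes` figure is the check a practitioner should insist on: if it is non-zero you skipped bytes you never diffed, which is exactly where a deliberate modification would go.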

You don't compare builds because you probably don't actually have sources. What you do is use a special iPhone (a Security Research Device) that Apple grants some researchers or you use an emulator like the one from Corellium (to whom Apple recently lost a lawsuit over this emulator) to probe and step through the code. Find the key sections that do the real crypto work and make sure that they do what they are supposed to do and that they are getting the correct inputs.

There is a large group of people who do this sort of research, and some fraction of them do this research and actually talk about it or publish papers. If you could find a deliberate weakness in the security of an app like what we are talking about (or WhatsApp or iMessages) then you have just printed your own golden ticket to whatever mobile cybersecurity job you want for the next decade or two, so there is a bit of an incentive to publish if something like this was discovered...

> You don't compare builds because you probably don't actually have sources

https://github.com/signalapp/Signal-iOS