by jgtor 47 days ago
With reproducible builds like Signal does, you can be sure the app you've downloaded matches the source code that's been audited:

https://github.com/signalapp/Signal-Android/blob/main/reprod...

3 comments
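As an added example (not code from this thread or from Signal's repository): the check the first comment relies on, comparing a store-served APK against a locally reproduced one entry by entry, ignoring the signing metadata that only the served copy carries. The APKs here are constructed in memory; on a real device you would pull the installed APK and compare it against your own build.

```python
import hashlib
import io
import zipfile

# The store-served APK is signed; a locally reproduced build is not, so the
# signature entries under META-INF/ are expected to differ and are ignored.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def entry_digests(apk_bytes):
    """Map every non-signature entry of an APK (a zip file) to its SHA-256."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or (name.startswith("META-INF/") and name.endswith(SIGNATURE_SUFFIXES)):
                continue
            digests[name] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def apk_diff(served_apk, reproduced_apk):
    """Names of entries absent on one side or differing in content (empty list means a match)."""
    a, b = entry_digests(served_apk), entry_digests(reproduced_apk)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))


def build_apk(entries):
    """Constructed stand-in for an APK: a zip built from name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: the served copy carries signing metadata, the tampered one
# additionally has a modified classes.dex; the reproduced build is unsigned.
CODE = b"dex\n035\x00original bytecode"
SERVED = build_apk({"classes.dex": CODE, "resources.arsc": b"res",
                    "META-INF/CERT.RSA": b"sig", "META-INF/CERT.SF": b"sf"})
TAMPERED = build_apk({"classes.dex": CODE + b" plus extra", "resources.arsc": b"res",
                      "META-INF/CERT.RSA": b"sig"})
REPRODUCED = build_apk({"classes.dex": CODE, "resources.arsc": b"res"})

if __name__ == "__main__":
    print("served vs reproduced:", apk_diff(SERVED, REPRODUCED) or "match")
    print("tampered vs reproduced:", apk_diff(TAMPERED, REPRODUCED))
```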

While I agree reproducible builds are a huge part of the answer, if you get your builds from Google Play or the App Store you have no idea if anyone has reproduced the particular build that was served to your device.

A solution to this would be independent reproducible builds like F-Droid does, but Moxie rejected this citing it would cause them to lose control of the platform and install metrics Google and Apple provide. Always thought that was a weird position for a privacy tool.

Personally I would be more concerned about a vulnerability or backdoor in Intel SGX
There's no guarantee, but if the build is mass served, it's at least possible to find out. For closed-source apps you may not even know.
Do you check?
So what? The centralized owner owns the code repo too, so such a restriction doesn't stop anything.

Even if Instagram was open source, Meta could remove the E2E chat feature.

If it was open source people could fork.
But a fork wouldn't be installed on billions of people's devices.
Any community that cares could then at least make the right choice of client for their community. The masses never care, but what matters is that privacy is actually a choice.