Hacker News
by nobbyclark 4335 days ago
How do you know that the app published on the App Store is the same one you have the source code for? Can't I just give you some source code, then release something else entirely?
3 comments

Compile it yourself.

Or download from a source you trust and compare the hash against one from another trustworthy source, just like anything you download. Unless you run Gentoo, but then how do you trust your sources, etc.

And if you have a closed-source phone OS that only allows installing from their store... well, you have to learn to crawl before you walk.

The way it's usually done is you publish your

A) exact compilation settings

B) hash checksums for everything, including the resulting binaries

You probably can't do this on iOS, but on Android you can have a third-party app monitoring the changes, or simply disable the automatic updates altogether.

I could compile the source for iPhone (well, someone could; I have no idea. Probably some SDK). Then compare hashes.
Actually you cannot. Rebuilding from the same source almost never yields identical binaries.
Actually you could. They are called "deterministic builds".

But this would require some kind of effort from project maintainers.
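The two points made above (publish the exact build settings plus checksums, and make the build deterministic so anyone can re-derive those checksums) as an added example; this is not code from anyone in the thread. Reproducing a real compiled app needs the toolchain's own knobs, so this Python stand-in demonstrates the same three sources of drift on a packaging step: entry order, timestamps and file modes. Two constructed "machines" hold the same files with different mtimes, modes and listing order; the naive packer gives different archives, the normalised one pins every environment-dependent field to a published SOURCE_DATE_EPOCH and gives byte-identical output, so the checksum comparison from the first comment actually succeeds. File names, mtimes and the epoch value are constructed.

```python
"""Deterministic packaging: identical inputs must give byte-identical output.

Constructed scenario: two build machines hold the same two source files, but
with different mtimes, file modes and directory listing order. A naive packer
(what a plain `zip -r` records) yields different archives, so a published
checksum cannot be reproduced. The normalised packer pins every
environment-dependent field and yields identical bytes on both machines.
"""
import hashlib
import io
import time
import zipfile

# Constructed inputs: same content on both machines.
SOURCE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo project\n",
}
# (name, mtime, mode) as each machine's filesystem reports them.
MACHINE_A = [("src/main.c", 1700000000, 0o644), ("README", 1700000001, 0o644)]
MACHINE_B = [("README", 1700500000, 0o664), ("src/main.c", 1700500003, 0o664)]

# The value a maintainer would publish next to the compiler flags (assumed).
SOURCE_DATE_EPOCH = 1000000000


def _entry(name: str, stamp, mode: int) -> zipfile.ZipInfo:
    """Build a ZipInfo with an explicit timestamp and POSIX mode."""
    info = zipfile.ZipInfo(name, date_time=stamp)
    info.external_attr = (0o100000 | mode) << 16   # regular file + mode bits
    info.compress_type = zipfile.ZIP_DEFLATED
    return info


def naive_pack(listing) -> bytes:
    """Pack files in listing order, keeping each file's own mtime and mode."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for name, mtime, mode in listing:
            zf.writestr(_entry(name, time.gmtime(mtime)[:6], mode), SOURCE[name])
    return out.getvalue()


def reproducible_pack(listing, source_date_epoch: int = SOURCE_DATE_EPOCH) -> bytes:
    """Same content, but every field the environment influences is pinned:
    sorted entry order, one clamped timestamp, normalised modes, one codec."""
    stamp = time.gmtime(source_date_epoch)[:6]
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for name, _mtime, mode in sorted(listing):
            mode = 0o755 if mode & 0o111 else 0o644   # keep only "executable or not"
            zf.writestr(_entry(name, stamp, mode), SOURCE[name])
    return out.getvalue()


def unpack(archive: bytes) -> dict:
    """Read an archive back to confirm the normalisation kept the content."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {n: zf.read(n) for n in zf.namelist()}


def sha256(data: bytes) -> str:
    """The checksum a maintainer would publish and a verifier would recompute."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    print("naive        A:", sha256(naive_pack(MACHINE_A)))
    print("naive        B:", sha256(naive_pack(MACHINE_B)))
    print("reproducible A:", sha256(reproducible_pack(MACHINE_A)))
    print("reproducible B:", sha256(reproducible_pack(MACHINE_B)))
```

The same discipline applies to a compiler: strip or map absolute build paths, clamp embedded timestamps to SOURCE_DATE_EPOCH, and pin the toolchain version in the published settings, otherwise the checksum only matches on the maintainer's machine.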

I'm quite unknowledgeable about this, but from what little I understand: That is actually a very major effort in many cases, isn't it?
You cannot do that for iOS binaries, because they are signed by Apple before publishing on the Store (and so the hash will change).
You can avoid the signature when hashing.
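Ignoring the signature when hashing, as an added example that is not code from anyone in the thread. On a Mach-O binary the signature is a blob in the __LINKEDIT segment referenced by an LC_CODE_SIGNATURE load command, and re-signing changes three things: the blob itself, the offset/size fields of that load command, and the __LINKEDIT segment's size fields. The function below parses a little-endian 64-bit Mach-O header, zeroes those fields, hashes everything except the blob, and is exercised on tiny Mach-O images constructed inline (the byte layout follows the public mach-o headers; the function names, the fake signature blobs and the code bytes are assumptions). Two caveats a practitioner should keep in mind: universal binaries put a fat header in front of each slice, and apps downloaded from the App Store are additionally FairPlay-encrypted, so the __TEXT bytes on the device are not the ones the developer built; neither case is handled here.

```python
"""Hash a Mach-O image while ignoring its code signature.

Constructed scenario: the same code is signed twice with signature blobs of
different sizes (a developer build and a re-signed "store" build), and a third
image carries one changed byte of code. The signature-masked digest is equal
for the first two and different for the third, while whole-file SHA-256
differs between all of them.
"""
import hashlib
import struct

MH_MAGIC_64 = 0xFEEDFACF
CPU_TYPE_X86_64 = 0x01000007
LC_SEGMENT_64 = 0x19
LC_UUID = 0x1B
LC_CODE_SIGNATURE = 0x1D
HEADER_SIZE = 32          # sizeof(struct mach_header_64)
SEGMENT_64_SIZE = 72      # sizeof(struct segment_command_64)
LINKEDIT_DATA_SIZE = 16   # sizeof(struct linkedit_data_command)


def unsigned_digest(image: bytes) -> str:
    """SHA-256 of a little-endian 64-bit Mach-O with everything a re-sign
    changes masked: the signature blob, the LC_CODE_SIGNATURE offset/size,
    and the __LINKEDIT segment sizes that grow with the blob."""
    if len(image) < HEADER_SIZE:
        raise ValueError("too short to be a Mach-O image")
    fields = struct.unpack_from("<8I", image, 0)
    magic, ncmds, sizeofcmds = fields[0], fields[4], fields[5]
    if magic != MH_MAGIC_64:
        raise ValueError("only little-endian 64-bit Mach-O is handled here")
    end = HEADER_SIZE + sizeofcmds
    if end > len(image):
        raise ValueError("load commands extend past end of image")
    buf = bytearray(image)
    sig_off = sig_size = 0
    off = HEADER_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", buf, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command")
        if cmd == LC_CODE_SIGNATURE:
            sig_off, sig_size = struct.unpack_from("<2I", buf, off + 8)
            struct.pack_into("<2I", buf, off + 8, 0, 0)      # dataoff, datasize
        elif cmd == LC_SEGMENT_64:
            if buf[off + 8:off + 24].rstrip(b"\0") == b"__LINKEDIT":
                struct.pack_into("<Q", buf, off + 32, 0)     # vmsize
                struct.pack_into("<Q", buf, off + 48, 0)     # filesize
        off += cmdsize
    if sig_off + sig_size > len(buf):
        raise ValueError("code signature extends past end of image")
    masked = buf[:sig_off] + buf[sig_off + sig_size:] if sig_size else buf
    return hashlib.sha256(masked).hexdigest()


def whole_file_digest(image: bytes) -> str:
    """What a naive `shasum` of the downloaded file gives you."""
    return hashlib.sha256(image).hexdigest()


def build_image(code: bytes, signature: bytes) -> bytes:
    """Constructed minimal Mach-O 64: header, __TEXT and __LINKEDIT segments,
    LC_UUID, LC_CODE_SIGNATURE, then the code bytes and the signature blob."""
    sizeofcmds = 2 * SEGMENT_64_SIZE + 24 + LINKEDIT_DATA_SIZE
    code_off = HEADER_SIZE + sizeofcmds
    sig_off = code_off + len(code)

    def segment(name: bytes, vmaddr: int, fileoff: int, size: int) -> bytes:
        # cmd, cmdsize, segname, vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags
        return struct.pack("<2I16s4Q4I", LC_SEGMENT_64, SEGMENT_64_SIZE, name,
                           vmaddr, size, fileoff, size, 7, 5, 0, 0)

    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_X86_64, 3, 2, 4, sizeofcmds, 0, 0)
    text = segment(b"__TEXT", 0x100000000, code_off, len(code))
    linkedit = segment(b"__LINKEDIT", 0x100004000, sig_off, len(signature))
    uuid = struct.pack("<2I16s", LC_UUID, 24, b"\x11" * 16)
    codesig = struct.pack("<4I", LC_CODE_SIGNATURE, LINKEDIT_DATA_SIZE, sig_off, len(signature))
    return header + text + linkedit + uuid + codesig + code + signature


# Constructed inputs. 0xfade0cc0 is the real CSMAGIC_EMBEDDED_SIGNATURE value;
# the rest of each blob is filler standing in for the signing superblob.
CODE = bytes.fromhex("554889e531c05dc3")   # push rbp; mov rbp,rsp; xor eax,eax; pop rbp; ret
DEVELOPER_BUILD = build_image(CODE, b"\xfa\xde\x0c\xc0" + b"A" * 60)
STORE_BUILD = build_image(CODE, b"\xfa\xde\x0c\xc0" + b"B" * 124)          # re-signed, larger blob
TAMPERED_BUILD = build_image(CODE[:-1] + b"\xcc", b"\xfa\xde\x0c\xc0" + b"A" * 60)


def matches_reference(candidate: bytes, reference: bytes) -> bool:
    """The check the thread is after: same code under a different signature?"""
    return unsigned_digest(candidate) == unsigned_digest(reference)


if __name__ == "__main__":
    print("store build matches developer build:", matches_reference(STORE_BUILD, DEVELOPER_BUILD))
    print("tampered build matches developer build:", matches_reference(TAMPERED_BUILD, DEVELOPER_BUILD))
```

Because the __LINKEDIT size fields are masked too, the comparison survives a signing step that produces a blob of a different length, which is the normal case when a different identity and entitlements are applied. An unsigned image (no LC_CODE_SIGNATURE at all) hashes to the same value as its signed counterparts, so the published reference can be the raw linker output.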