by aroman 4189 days ago
If the source were available, I could compile it into a binary myself and calculate a file checksum and compare it against the binary downloaded from the App Store. Obviously not the case here, but I don't think you'd need to "performs the steps above" to verify.
4 comments

And you would almost certainly not get the same checksum unless they provided you with the exact toolchain they used (which almost nobody does) due to compiler version mismatches or some such.
Even if you used exactly the same toolchain you would not get the same checksum because the binaries will probably have some other information embedded, such as timestamps.
"deterministic builds" is actually a pretty hard problem with most existing compiler infrastructure. Bitcoin and Tor use a system called Gitian: https://gitian.org/
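The point made in the replies above (same source, different checksum, because the build embeds wall-clock timestamps) and the deterministic-build remedy, shown as an added example that is not from this thread. It assumes a zip archive as the stand-in build artifact rather than a compiled App Store binary, and a constructed fallback for `SOURCE_DATE_EPOCH`; `SOURCE_TREE` is sample input.

```python
"""Two builds of the same source can hash differently; a deterministic build
avoids it.  The artifact is a zip archive (wheels, JARs and APKs are zips),
so the mechanism shows without needing a particular compiler toolchain."""
import hashlib
import io
import os
import time
import zipfile

# Constructed sample source tree: path -> file contents.
SOURCE_TREE = {
    "app/main.py": b"print('hello')\n",
    "app/util.py": b"def f():\n    return 1\n",
}

def build_archive(tree, deterministic, build_time=None):
    """Package TREE into a zip and return its bytes.

    deterministic=False mimics an ordinary build: entries come out in whatever
    order the build walks them and each is stamped with the wall-clock time
    (build_time, or now).  deterministic=True sorts the entries and stamps
    them all with SOURCE_DATE_EPOCH (the convention reproducible-build tools
    use; a fixed fallback is assumed here when it is unset) and a fixed file
    mode, so the output depends only on the inputs.
    """
    if deterministic:
        epoch = int(os.environ.get("SOURCE_DATE_EPOCH", "1262304000"))
        names = sorted(tree)
    else:
        epoch = int(build_time if build_time is not None else time.time())
        names = list(tree)
    stamp = time.gmtime(epoch)[:6]  # zip stores (Y, M, D, h, m, s) per entry
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # not taken from the builder's umask
            zf.writestr(info, tree[name])
    return buf.getvalue()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def verify(local_build, downloaded):
    """The check proposed in the thread: does my build hash match theirs?"""
    return sha256(local_build) == sha256(downloaded)
```

Two ordinary builds a day apart fail `verify`, while two deterministic builds of the same tree (even walked in a different order) produce byte-identical archives.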
Having the source code might help you in skipping the first step (decompile and disassemble), but you have to perform steps 2 and 3 to analyse the behaviour of the program.

You might have to perform step 1, if the source code had compiled third-party libraries, which might contain hidden routines to perform malicious operations (such as decryption).

So what would the next step be when (not if) they don't match?