Allowing users to verify, and therefore trust, Android builds from the Play Store


the_new_mr

New member
Jul 9, 2020
3
1
Hi all,

First post here!

I just created my SQRL identity. Loving it so far.

I remember when perusing these forums some months ago, when I first learnt about SQRL, that I saw something about users needing to trust someone in order to use the Android SQRL client, as the Android signing key cannot be provided to people even if they can examine the source code. The question remained: how does one know that the app in the store is built from the same code as in the GitHub repo?

Today, I came across this mechanism for the Signal Android app: Reproducible builds.

When following the above steps, you might run into an issue with 404s if creating your own Docker image. To resolve this, you will want to try the code change suggested by oittaa here:
https://community.signalusers.org/t/compiling-reproducibly-android-build/10122/5 where he links to a PR he created for this.

I'd say there's a fair bit of work in getting this in place for the SQRL Android app. But it would be pretty awesome to get it in.
Reactions: Sithmagic
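The check the first post is asking for boils down to one comparison: does the APK the Play Store serves contain the same code and resources as an APK you build yourself from the repository? The two files can never be byte-identical, because the store copy carries the developer's signature and the local build does not, so the comparison has to skip the signing metadata and compare every other entry. The script below is an added example, not code from the SQRL project or from Signal; it follows the same idea as Signal's reproducible-build comparison but is written here from scratch. It builds two small constructed "APKs" in memory (real APKs are just zip files) so it runs offline; the entry names and contents are made up for illustration.

```python
import hashlib
import io
import zipfile

# Entries that legitimately differ between a signed store APK and an unsigned
# local build: the v1 (JAR) signature files under META-INF/. Everything else
# (dex code, resources, manifest, assets) must match exactly.
SIGNING_ENTRIES = {"META-INF/MANIFEST.MF"}
SIGNING_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")


def is_signing_entry(name):
    """True for v1 signature metadata that a local, unsigned build will not have.
    v2/v3 signatures live in an APK Signing Block outside the zip entries, so
    zipfile never lists them and they need no special handling here."""
    return name in SIGNING_ENTRIES or (
        name.startswith("META-INF/") and name.endswith(SIGNING_SUFFIXES)
    )


def entry_digests(apk_bytes):
    """Map every non-signing zip entry to the SHA-256 of its decompressed content.
    Comparing content rather than raw bytes ignores zip-level differences such
    as entry timestamps or compression level."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signing_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def apk_diff(store_apk, local_apk):
    """Compare a store-distributed APK against a locally built one.
    Reports entries missing on either side and entries whose content differs;
    'match' is True only when the non-signature contents are identical."""
    store = entry_digests(store_apk)
    local = entry_digests(local_apk)
    only_in_store = sorted(set(store) - set(local))
    only_in_local = sorted(set(local) - set(store))
    changed = sorted(n for n in store.keys() & local.keys() if store[n] != local[n])
    return {
        "only_in_store": only_in_store,
        "only_in_local": only_in_local,
        "changed": changed,
        "match": not (only_in_store or only_in_local or changed),
    }


def build_apk(entries):
    """Helper for the constructed samples: pack a dict of name -> bytes as a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample content (not a real app; the dex and resource bytes are dummies).
COMMON = {
    "AndroidManifest.xml": b"<manifest package='example.sqrl.client'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "resources.arsc": b"constructed-resource-table",
    "assets/licenses.txt": b"MIT",
}
SIGNATURE = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82constructed-pkcs7-blob",
}

# What a store download looks like: the same content plus the developer's signature.
STORE_APK = build_apk({**COMMON, **SIGNATURE})
# What your own build from the repository looks like: unsigned, otherwise identical.
LOCAL_APK = build_apk(COMMON)
# A store APK whose code was built from something other than the repository.
TAMPERED_APK = build_apk({**COMMON, **SIGNATURE, "classes.dex": b"dex\n035\x00" + b"\xff" * 32})


if __name__ == "__main__":
    print("store vs local:", apk_diff(STORE_APK, LOCAL_APK))
    print("tampered vs local:", apk_diff(TAMPERED_APK, LOCAL_APK))
```

In real use you would pass the bytes of the APK pulled from the device (`adb pull` of the installed package) and of the APK produced by a build in a pinned, containerised toolchain; a `match` of `False` with `classes.dex` in `changed` is exactly the signal a user wants, while a `True` lets them state "I checked, and it matched" rather than taking the author's word for it. The build itself has to be deterministic for this to work, which is the "fair bit of work" the first post refers to.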

PHolder

Well-known member
May 19, 2018
1,207
202
Anyone can create a client, and you're free to choose whichever client you like. You could of course download the source code, build it, and side load it yourself... then you would know what went into that specific build.
 

the_new_mr

New member
Jul 9, 2020
3
1
PHolder said:
Anyone can create a client, and you're free to choose whichever client you like. You could of course download the source code, build it, and side load it yourself... then you would know what went into that specific build.
That's all true. But who would do that? And, more importantly, who can? If you have a way to demonstrate that the code used for the Play Store app is the same code as that in the repo, then that enhances the reputation of the Play Store app. As lots of people and sites state that you can do this, and state that they have, in fact, done it, trust no doubt increases. I can't see it as an issue.

The reproducible build system is a further enhancement to increase trust. I suggested it here as a recommendation.
 

PHolder

Well-known member
May 19, 2018
1,207
202
The point would be why does it matter for one client of many on one platform of many. It's not bad, but probably pointless. Either trust the author or don't... same as you would for any other download you would choose to install.
 

Dave

Well-known member
May 19, 2018
484
99
Gardner, MA
PHolder said:
The point would be why does it matter for one client of many on one platform of many. It's not bad, but probably pointless. Either trust the author or don't... same as you would for any other download you would choose to install.
Although it is certainly understandable that one might wish for a higher degree of confidence in the pedigree of the app that holds the keys to the kingdom.

Conversely, aren't LastPass and OnePass available as apps in the store just like SQRL?
 

the_new_mr

New member
Jul 9, 2020
3
1
PHolder said:
The point would be why does it matter for one client of many on one platform of many. It's not bad, but probably pointless. Either trust the author or don't... same as you would for any other download you would choose to install.
Well, first of all, trust no one ;) If we can enhance a user's trust in a system, why not? If one is going to use a system with one's online identity, one would feel better if one didn't need to trust an individual.

Dave said:
Although it is certainly understandable that one might wish for a higher degree of confidence in the pedigree of the app that holds the keys to the kingdom.
Exactly!

Dave said:
Conversely, aren't LastPass and OnePass available as apps in the store just like SQRL?
Yes. And they're not open-source as far as I know, which is one reason I don't trust them. I think it's possible to examine the client code for LastPass, as it's just JavaScript that runs on the client. So that code at least is essentially open-source.