Not that I suspect maliciousness in the case of digipaws or OP, but does the app's code being open-source actually guarantee any security? Is there anything forcing the app I download to be consistent with the repo on GitHub?
The readme clearly directs the reader to the F-Droid package, which is built on their build servers and signed with their APK keys. This does not answer the security question directly, but it's the same model as, say, Debian repos. There are eyeballs on it from independent third-party packagers who use code scanners and manual review to detect malfeasance, and who often have to tweak builds and code to get rid of unwanted things present in some upstreams.
Even better: if the build is reproducible, it guarantees that the source code of the repo is the same as the version that is distributed by F-Droid.
It doesn't guarantee any security, but it is necessary for you to be able to have confidence in the security in a reasonable time frame. And if you need a guarantee that the source matches the binary, then you can build it yourself.
Not really. I guess to be 100% sure you need to build the app yourself. I don't think that publish attestation exists on the Play Store. You would probably need to openly build & upload the app via a CI runner, print all hashes inside that runner, and then the Play Store would also need to display those hashes before you download - but that doesn't exist for Play Store downloads yet.
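The two checks the thread keeps circling back to (does my downloaded APK match what F-Droid published, and does F-Droid's build match what I get when I build the source myself) can both be scripted. The example below is added here and is not code from the thread, from digipaws or from F-Droid; it uses a constructed index fragment in the shape of F-Droid's `index-v1.json` `packages` entries and three small constructed zip files standing in for APKs, and the package id `org.example.app` is a placeholder. The reproducibility comparison is deliberately simplified: it compares zip entries and ignores the APK v1 signature files under `META-INF/`, but it does not look at the v2/v3 APK Signing Block, which is not a zip entry; F-Droid's real verification instead copies the published signature onto the local rebuild and compares the whole file.

```python
import hashlib
import hmac
import io
import zipfile

# APK v1 signature files. F-Droid's signed build and a local rebuild legitimately
# differ here, so they are excluded when checking that the rest of the APK matches.
SIGNATURE_PREFIX = "META-INF/"
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def is_signature_entry(name):
    """True for the META-INF entries that carry the v1 signature."""
    return name.startswith(SIGNATURE_PREFIX) and name.upper().endswith(SIGNATURE_SUFFIXES)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_against_index(apk_bytes, index, package, version_code):
    """Check 1: does the APK I downloaded match the hash F-Droid published for it?

    Returns True on a match; raises if the index has no such version or uses
    a hash type this helper does not handle.
    """
    for entry in index["packages"].get(package, []):
        if entry["versionCode"] == version_code:
            if entry["hashType"] != "sha256":
                raise ValueError("unsupported hashType: %s" % entry["hashType"])
            return hmac.compare_digest(sha256_hex(apk_bytes), entry["hash"])
    raise KeyError("%s versionCode %d not in index" % (package, version_code))


def compare_apks(apk_a, apk_b):
    """Check 2: do two APKs have identical contents apart from their v1 signatures?

    Returns the sorted list of entry names that differ or exist in only one
    APK; an empty list means the build reproduced (modulo the signing block).
    """
    with zipfile.ZipFile(io.BytesIO(apk_a)) as za, zipfile.ZipFile(io.BytesIO(apk_b)) as zb:
        names_a = {n for n in za.namelist() if not is_signature_entry(n)}
        names_b = {n for n in zb.namelist() if not is_signature_entry(n)}
        diffs = list(names_a ^ names_b)
        for name in names_a & names_b:
            if za.read(name) != zb.read(name):
                diffs.append(name)
    return sorted(diffs)


def make_apk(entries):
    """Build a constructed in-memory zip standing in for an APK (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=(2024, 1, 1, 0, 0, 0)), data)
    return buf.getvalue()


# Constructed sample data: the same app content signed with two different keys,
# plus a third APK whose code differs from the published source.
_COMMON = {"AndroidManifest.xml": b"<manifest package='org.example.app'/>",
           "classes.dex": b"dex\n035\x00constructed-bytecode"}
FDROID_APK = make_apk({**_COMMON, "META-INF/MANIFEST.MF": b"mf-1",
                       "META-INF/FDROID.SF": b"sf-1", "META-INF/FDROID.RSA": b"fdroid-key"})
LOCAL_APK = make_apk({**_COMMON, "META-INF/MANIFEST.MF": b"mf-2",
                      "META-INF/LOCAL.SF": b"sf-2", "META-INF/LOCAL.RSA": b"my-key"})
TAMPERED_APK = make_apk({**_COMMON, "classes.dex": b"dex\n035\x00something-else",
                         "META-INF/MANIFEST.MF": b"mf-3", "META-INF/X.RSA": b"some-key"})

# Constructed index fragment in the shape of F-Droid's index-v1.json "packages" map.
FDROID_INDEX = {"packages": {"org.example.app": [
    {"versionCode": 42, "versionName": "1.0", "hashType": "sha256", "hash": sha256_hex(FDROID_APK)},
]}}


if __name__ == "__main__":
    print("download matches index:", check_against_index(FDROID_APK, FDROID_INDEX, "org.example.app", 42))
    print("tampered matches index:", check_against_index(TAMPERED_APK, FDROID_INDEX, "org.example.app", 42))
    print("local rebuild differs in:", compare_apks(FDROID_APK, LOCAL_APK))
    print("tampered build differs in:", compare_apks(FDROID_APK, TAMPERED_APK))
```

The first check only tells you that you received what F-Droid built; the second is what turns "the source is public" into "the binary corresponds to that source", and it only means something if you ran the rebuild on a machine you control.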