
Comment by orangepurple

2 years ago

You can reproduce the builds yourself but you have no control over what happens to the app APK once it is uploaded to Google then distributed via the Play Store. I suppose you could checksum the APK before and after and make sure your app is exactly the same before and after sending it to Google to distribute via the Play Store. Google doesn't have much motivation TODAY to mess with APKs directly since they have Google Play Services which is essentially a rootkit running on your phone all the time and it is easily accessible by the NSA through Google's infrastructure, probably by a secret FISA warrant with a gag order. Maybe they don't need a warrant. Think we would ever find out?

I think I am still missing what you are referring to. The guide on Threema's site prompts you to extract the APK from your phone via adb, which you then `diff -r` with the locally compiled version. [1] As far as I am aware it does not matter whether Google or Threema modified the APK before uploading it to the Play Store since you would notice either way.

[1] https://threema.ch/en/open-source/reproducible-builds
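Added example, not code from the comment above or from Threema's guide: a POSIX shell script that carries out the check the comment describes, pulling the installed APK off the phone with adb, unzipping both the device APK and the local build (an APK is a zip archive), and running `diff -r` over the two extracted trees. The decision to exclude `META-INF`, where APK signing metadata lives, is my assumption about what is expected to differ between a locally built APK and one signed for distribution, not something the comment states; the package name and file paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the comment or Threema's guide): verify that the APK
# installed on a phone matches a locally reproduced build, as the comment
# describes (adb pull, then diff -r over the unpacked contents).

# Pull the installed APK for a package off an attached device.
# Usage: pull_installed_apk <package-name> <destination-file>
pull_installed_apk() {
    pkg="$1"; dest="$2"
    # `adb shell pm path` prints lines like "package:/data/app/.../base.apk";
    # strip the prefix and any trailing CR from the device shell.
    remote=$(adb shell pm path "$pkg" | head -n 1 | sed 's/^package://; s/\r$//')
    [ -n "$remote" ] || { echo "package $pkg is not installed" >&2; return 1; }
    adb pull "$remote" "$dest"
}

# Unpack an APK (a zip archive) into a fresh directory.
# Usage: extract_apk <file.apk> <directory>
extract_apk() {
    apk="$1"; dir="$2"
    rm -rf "$dir" && mkdir -p "$dir" && unzip -q "$apk" -d "$dir"
}

# Recursively compare two unpacked APK trees.
# Assumption (mine): META-INF holds the signature files, which differ between a
# local build and a distribution-signed APK, so that directory is excluded;
# every other file must be byte-identical. Exit status 0 means identical,
# 1 means a difference was found (diff prints which paths differ).
compare_apk_trees() {
    local_dir="$1"; device_dir="$2"
    diff -r -q -x META-INF "$local_dir" "$device_dir"
}

# End-to-end check. Usage: verify_reproducible <local-build.apk> <package-name>
# Placeholder names: ./work/device.apk and the ./work/* directories are mine.
verify_reproducible() {
    local_apk="$1"; pkg="$2"
    mkdir -p ./work
    pull_installed_apk "$pkg" ./work/device.apk || return 1
    extract_apk "$local_apk" ./work/local || return 1
    extract_apk ./work/device.apk ./work/device || return 1
    if compare_apk_trees ./work/local ./work/device; then
        echo "OK: installed APK matches the local build (signature files excluded)"
    else
        echo "MISMATCH: installed APK differs from the local build" >&2
        return 1
    fi
}

# Example invocation (requires an attached device and a local build):
#   verify_reproducible ./app-release.apk ch.threema.app
```

Comparing the unpacked contents rather than hashing the whole APK is what makes the check useful: a single checksum over the file would fail on the signature alone and tell you nothing about whether the code inside was altered.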