Comment by Zak
6 hours ago
Open source helps, but if you didn't build it yourself, you'll need to trust whoever did. F-Droid reproducible builds help in that you only need to trust either F-Droid or the developer, not both.
The browser tends to be safer because it has a stronger sandbox than native apps on a mobile OS. It's meant to be able to run potentially malicious code with a very limited blast radius.
> Open source helps, but if you didn't build it yourself, you'll need to trust whoever did.
You need to audit the code. If you are not capable of doing that, you need to trust someone to do it.
Also, even obfuscated JS code is easier to understand than machine code, if you're trying to tell what some non-open-source thing is doing.