Royce Williams on Nostr: If a government can issue a secret order to push a 'special' version of a mobile app ...
If a government can issue a secret order to push a 'special' version of a mobile app just to a specific person (or set of people), how can this be mitigated?

- How can app "rarity" be detected locally? (Antivirus and its descendants have a concept of a "well-known benign executable" vs one that has only been rarely seen.)
- Can a local app, or an OS feature, be used to compare local apps with a list of expected versions?
- Can this be done *independently* of the OS (since the order could also subvert the rarity check)? (Even an independent app can be subverted if the only app store is the official one maintained by the same vendor.)
- To detect unusual app versions, reproducible builds are necessary but not sufficient, unless the project is also FOSS -- because even if everyone gets the same APK, the app might receive different instructions from its server depending on unique metadata.
Published at
2025-02-27 16:44:45 UTC
Event JSON
{
"id": "bf12fae97c0ff76faab8b7d20e6ad61fbd2ba9bf93a5d6a77f3aed68c0c048ae",
"pubkey": "69647d5b8817472ac2ced4b88fd94dceb69e7cb0603872771a6737470a865e1d",
"created_at": 1740674685,
"kind": 1,
"tags": [
[
"proxy",
"https://infosec.exchange/@tychotithonus/114076856215415818",
"web"
],
[
"proxy",
"https://infosec.exchange/users/tychotithonus/statuses/114076856215415818",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://infosec.exchange/users/tychotithonus/statuses/114076856215415818",
"pink.momostr"
],
[
"-"
]
],
"content": "If a government can issue a secret order to push a 'special' version of a mobile app just to a specific person (or set of people), how can this be mitigated?\u003cli\u003e\u003cp\u003eHow can app \"rarity\" be detected locally? (Antivirus and its descendants have a concept of a \"well-known benign executable\" vs one that has only been rarely seen. \u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eCan a local app, or an OS feature, be used to compare local apps with a list of expected versions?\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eCan this be done \u003cem\u003eindependently\u003c/em\u003e of the OS (since the order could also subvert the rarity check)? (Even an independent app can be subverted if the only app store is the official one maintained by the same vendor.)\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eTo detect unusual app versions, reproducible builds are necessary but not sufficient, unless the project is also FOSS -- because even if everyone gets the same APK, the app might receive different instructions from its server depending on unique metadata.\u003c/p\u003e\u003c/li\u003e",
"sig": "c75cd7a0785e897dd0a1f32f8344fdf2e6902392020615b893d41e3d77008313b0967f89504693d73e9e99f9d51b621f6218fb119defe47328c216fd25eb3ac8"
}
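The post asks whether a local tool could compare installed apps against a list of expected versions and flag builds that are rarely seen. The following is an added example, not code from the post's author or from any Android tooling: a small Python audit that parses the inventory format printed by `adb shell pm list packages -f --show-versioncode`, joins it with APK and signing-certificate digests collected separately, and classifies each package against a reference list of known builds. The reference list, its `prevalence` field, the 0.1% rarity threshold, and every package name, path and digest are constructed for the illustration.

```python
"""Audit installed Android apps against a reference list of expected builds.

Added example for the post above, not the post author's code. It assumes:
  * inventory lines as printed by `adb shell pm list packages -f --show-versioncode`
    (`package:<apk path>=<package name> versionCode:<n>`);
  * SHA-256 digests of each APK (`adb shell sha256sum <path>`) and of each
    package's signing certificate (`apksigner verify --print-certs`);
  * a reference list of known builds per package; its `prevalence` value is a
    hypothetical field (share of a reference population running that build).
All package names, paths and digests below are constructed for the example.
"""
import re
from dataclasses import dataclass

# APK paths contain '=' themselves (base64 suffixes), so the greedy path group
# is anchored by the package-name charset and the trailing versionCode field.
PM_LINE = re.compile(r"^package:(?P<path>.+)=(?P<pkg>[A-Za-z0-9_.]+) versionCode:(?P<vc>\d+)$")

RARE_THRESHOLD = 0.001  # assumption: seen on <0.1% of the reference population


@dataclass(frozen=True)
class InstalledApp:
    package: str
    version_code: int
    apk_sha256: str
    signer_sha256: str


def parse_inventory(pm_output, apk_digests, signer_digests):
    """Join `pm list packages` output with the digests collected for each APK."""
    apps = []
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if not m:
            continue  # unrelated output line
        path, pkg = m.group("path"), m.group("pkg")
        apps.append(InstalledApp(pkg, int(m.group("vc")), apk_digests[path], signer_digests[pkg]))
    return apps


def assess(app, expected):
    """Return (severity, reason) for one installed app."""
    entry = expected.get(app.package)
    if entry is None:
        return ("info", "no reference data for this package")
    if app.signer_sha256 != entry["signer_sha256"]:
        return ("critical", "APK is signed by an unexpected certificate")
    builds = entry["builds"]  # {(version_code, apk_sha256): prevalence}
    key = (app.version_code, app.apk_sha256)
    if key in builds:
        if builds[key] < RARE_THRESHOLD:
            return ("warning", f"known build but rare (prevalence {builds[key]:.4%})")
        return ("ok", "matches a widely seen build")
    if any(vc == app.version_code for vc, _ in builds):
        # Same versionCode as a known release but a different binary: the
        # signature of a build pushed to one person or a small set of people.
        return ("critical", "versionCode is known but the APK hash is not")
    return ("warning", "versionCode not in the reference list (new release or targeted build)")


def audit(apps, expected):
    return {a.package: assess(a, expected) for a in apps}


# Constructed sample inputs.
SAMPLE_PM_OUTPUT = """\
package:/data/app/~~Qx1==/com.example.messenger-Ab2==/base.apk=com.example.messenger versionCode:4120
package:/data/app/~~Rt7==/com.example.bank-Zz9==/base.apk=com.example.bank versionCode:305
package:/data/app/~~Kk3==/com.example.maps-Mm4==/base.apk=com.example.maps versionCode:77
package:/data/app/~~Hh8==/com.example.notes-Jj1==/base.apk=com.example.notes versionCode:9
package:/data/app/~~Pp5==/org.example.flashlight-Nn6==/base.apk=org.example.flashlight versionCode:12
"""
SAMPLE_APK_DIGESTS = {
    "/data/app/~~Qx1==/com.example.messenger-Ab2==/base.apk": "ac" * 32,  # not a listed build
    "/data/app/~~Rt7==/com.example.bank-Zz9==/base.apk": "bb" * 32,
    "/data/app/~~Kk3==/com.example.maps-Mm4==/base.apk": "cc" * 32,
    "/data/app/~~Hh8==/com.example.notes-Jj1==/base.apk": "dd" * 32,
    "/data/app/~~Pp5==/org.example.flashlight-Nn6==/base.apk": "ee" * 32,
}
SAMPLE_SIGNER_DIGESTS = {
    "com.example.messenger": "11" * 32, "com.example.bank": "22" * 32,
    "com.example.maps": "34" * 32,  # expected signer below is "33" * 32
    "com.example.notes": "44" * 32, "org.example.flashlight": "55" * 32,
}
EXPECTED_BUILDS = {
    "com.example.messenger": {"signer_sha256": "11" * 32,
                              "builds": {(4119, "ab" * 32): 0.31, (4120, "aa" * 32): 0.45}},
    "com.example.bank": {"signer_sha256": "22" * 32, "builds": {(305, "bb" * 32): 0.62}},
    "com.example.maps": {"signer_sha256": "33" * 32, "builds": {(77, "cc" * 32): 0.70}},
    "com.example.notes": {"signer_sha256": "44" * 32, "builds": {(9, "dd" * 32): 0.0002}},
}

if __name__ == "__main__":
    apps = parse_inventory(SAMPLE_PM_OUTPUT, SAMPLE_APK_DIGESTS, SAMPLE_SIGNER_DIGESTS)
    for pkg, (severity, reason) in audit(apps, EXPECTED_BUILDS).items():
        print(f"{severity:8} {pkg}: {reason}")
```

The finding that matters most for the post's scenario is a known versionCode paired with an APK hash nobody else has seen: if the reference list is fed by reproducible-build verifiers or by a population of other devices, that is what a build pushed to one person looks like. Two caveats follow from the post itself. The check runs on the same device the order could subvert, so the inventory and digests are best pulled over adb and compared off-device; and a matching hash says nothing about what the app's server tells that particular install, so the audit covers the delivered binary only. Apps delivered as split APKs also need every path that `pm path <package>` reports hashed, not just base.apk.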