
I have an open source iOS project with public sources on github. I have published the app on the App Store using my developer account.

Is there a way for me to prove to the user that the published app in fact has been compiled from the sources on github?

EDIT

To clarify: I am in search of a mathematical (or cryptographic, if you like) proof that the app binary originates in a publicly available source code, rather than a sort of disclaimer. A disclaimer can claim anything but does not prove anything.

E.g. by code signing the app package I prove to apple that the creator of the app and the developer registered with apple are one and the same person. My question is whether there exists a similar mechanism to prove to the user that the origin of the binary and the public source are identical.

ilmiacs
  • Why would you need to 'prove' something to your users? – Neeku Jun 25 '14 at 15:07
  • 1
    @Neeku I could cheat the user by claiming that I have compiled from the github repo, but instead include malicious code, e.g. to steal some confidential information the user enters in the app. So I do not technically need to prove it. Rather I **want** to prove it, so they need not trust in me. – ilmiacs Jun 25 '14 at 15:14
  • Ah! Ok! Wasn't thinking of it that way. In that case, you should make an acknowledgement/agreement or so like in your app's info page, or like an annoying pop-up at the app start, or even in the splash screen (`Default@2x.png`). – Neeku Jun 25 '14 at 15:18
  • @Neeku Yes, I could. But what would that prove? – ilmiacs Jun 25 '14 at 15:19
  • I don't know! That's what you want to do; to prove you haven't coded it yourself. **"Disclaimer: This app is developed based on "THE_ABC_PROJECT" and the owner of this app does not take any responsibility for any failure, etc.etc."** – Neeku Jun 25 '14 at 15:22
  • @Neeku Sorry, maybe I was not clear enough. I have edited my question to clarify. – ilmiacs Jun 25 '14 at 15:37
  • Hmmm... I kinda get you now, but would have even understood it better if you could narrow it down to what sort of app this is or something, to depict it better. However I'll think about it and see if anything comes to my mind. Have never thought about this before. – Neeku Jun 25 '14 at 20:48
  • @Neeku An example where this would be relevant is the [bread wallet app](https://github.com/voisine/breadwallet) which, if compromised, could lead to direct financial loss. But I can think of a lot of other scenarios, too. – ilmiacs Jun 27 '14 at 13:40
  • Yeah. Actually the first thing that came to my mind was another wallet app, what I remember with that app is that they had encrypted everything and had avoided using any sort of other APIs like Flurry and so on. However they had developed their app themselves as far as I know, or just had secured everything. Have you yourself come up with a solution so far? – Neeku Jun 27 '14 at 14:02
  • @Neeku No, I have no solution. But nevertheless provided an answer to my question. See below. – ilmiacs Jun 27 '14 at 14:40

3 Answers

2

I think I've stumbled upon a hard problem. It is much more general than iOS. It is hard to prove that the origin of a certain binary is a given source code at least because the binary you'll get depends on so many details:

  • compiler version
  • os patches
  • compiler flags
  • exact library versions and their compiler settings
  • values of environment variables at compile time etc.

The proof would need to take all that into account somehow.

Maybe the developer could make a video of how he pulls the repo, then compiles, then calculates a hash sum of the binary. Then he could publish that video. But again, the video could have been tampered with. Or the compiler could be compromised.

So apparently we have to trust the developer. This "trust in the developer" attitude seems to be the norm. With security critical open source projects the developer would sign the binary. After downloading the binary I would verify the signature before running the code. In the case of an iOS App, the App Store takes care of all that. As a developer I have to code sign the binary. Apple would verify that signature before putting the app into the app store.

As a result, if you put an App in the App Store, I know that Apple knows who you are. So it is easier for me to trust in you.

TL;DR : A proof would be hard, but you can make it easier to trust.

ilmiacs
1

For iOS there are additional complications. Part of submitting your app is codesigning it, and the codesigning process involves changing the Mach-O header, the load commands, and the LINKEDIT segment. You could probably increase trust (but still not prove) by submitting the code-hashes in the code-signed code-directory structure; BUT the app in AppStore is re-signed by Apple and thus some of the code-hashes will have changed no matter what you do.

clausc
  • Very interesting. Do you have some useful links to documentation on what the code-directory structure is and how code signing works? – ilmiacs Jun 30 '14 at 13:47
  • For a general overview: https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/MachORuntime/Reference/reference.html You also want to check the source code in machine.h and loader.h; both available from http://www.opensource.apple.com – clausc Jun 30 '14 at 15:31
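The structures this answer names, shown in a runnable Python example added here for illustration (it is not code from the answer's author or from Apple, and the image it builds is a constructed stub, not a real app binary): it lays out a minimal 64-bit Mach-O, embeds a CodeDirectory with per-page SHA-256 hashes behind the LC_CODE_SIGNATURE load command, then walks the load commands and the embedded-signature SuperBlob to recompute and compare the page hashes. The bundle identifier com.example.openwallet, the NOP filler and the byte offsets edited at the end are assumptions chosen for the demo; the field layouts follow mach-o/loader.h and the Security framework's cs_blobs.h. The two edits at the end show why any change to the header or load commands invalidates the hash of page 0 while the hashes of untouched code pages survive, which is the comparison a reader could make between a locally built binary and a re-signed one.

```python
import hashlib
import struct

# Constants from mach-o/loader.h and the Security framework's cs_blobs.h
MH_MAGIC_64, LC_SEGMENT_64, LC_CODE_SIGNATURE = 0xFEEDFACF, 0x19, 0x1D
CSMAGIC_EMBEDDED_SIGNATURE, CSMAGIC_CODEDIRECTORY = 0xFADE0CC0, 0xFADE0C02
CSSLOT_CODEDIRECTORY, CS_HASHTYPE_SHA256, PAGE_SHIFT = 0, 2, 12  # 4 KiB code pages
HEADER_FMT = "<8I"            # mach_header_64 (little-endian on disk)
SEG64_FMT = "<II16sQQQQiiII"  # segment_command_64
LINKEDIT_FMT = "<IIII"        # linkedit_data_command: cmd, cmdsize, dataoff, datasize
CD_FMT = ">9I4BI"             # CodeDirectory v0x20001; signature blobs are big-endian


def build_unsigned_image(text: bytes) -> bytes:
    """Constructed stub Mach-O: header, one __TEXT segment, LC_CODE_SIGNATURE with datasize 0."""
    cmds_size = struct.calcsize(SEG64_FMT) + struct.calcsize(LINKEDIT_FMT)
    code_limit = struct.calcsize(HEADER_FMT) + cmds_size + len(text)
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x0100000C, 0, 2, 2, cmds_size, 0, 0)
    seg = struct.pack(SEG64_FMT, LC_SEGMENT_64, struct.calcsize(SEG64_FMT),
                      b"__TEXT", 0, code_limit, 0, code_limit, 5, 5, 0, 0)
    cs = struct.pack(LINKEDIT_FMT, LC_CODE_SIGNATURE, 16, code_limit, 0)
    return header + seg + cs + text


def find_code_signature_command(image: bytes):
    """Walk the load commands and return (cmd_offset, dataoff, datasize)."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from(HEADER_FMT, image, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    off = struct.calcsize(HEADER_FMT)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        if cmd == LC_CODE_SIGNATURE:
            return (off,) + struct.unpack_from("<II", image, off + 8)
        off += cmdsize
    raise ValueError("no LC_CODE_SIGNATURE load command")


def page_hashes(data: bytes, code_limit: int):
    """SHA-256 of every 4 KiB page of data[:code_limit]; the last page is short."""
    page = 1 << PAGE_SHIFT
    return [hashlib.sha256(data[i:min(i + page, code_limit)]).digest() for i in range(0, code_limit, page)]


def sign_image(image: bytes, identifier: bytes) -> bytes:
    """Append a SuperBlob whose CodeDirectory holds one hash per page (no CMS blob attached)."""
    cmd_off, dataoff, _ = find_code_signature_command(image)
    ident = identifier + b"\0"
    ident_off = struct.calcsize(CD_FMT)
    hash_off = ident_off + len(ident)
    n_slots = len(range(0, dataoff, 1 << PAGE_SHIFT))
    cd_len = hash_off + 32 * n_slots
    blob_len = 12 + 8 + cd_len  # SuperBlob header + one index entry + CodeDirectory
    # The load command lies inside the hashed range, so datasize must be final
    # before hashing: any later edit to header or load commands breaks page 0.
    patched = bytearray(image[:dataoff])
    struct.pack_into(LINKEDIT_FMT, patched, cmd_off, LC_CODE_SIGNATURE, 16, dataoff, blob_len)
    cd = struct.pack(CD_FMT, CSMAGIC_CODEDIRECTORY, cd_len, 0x20001, 0, hash_off, ident_off,
                     0, n_slots, dataoff, 32, CS_HASHTYPE_SHA256, 0, PAGE_SHIFT, 0)
    cd += ident + b"".join(page_hashes(patched, dataoff))
    superblob = struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, blob_len, 1)
    index = struct.pack(">II", CSSLOT_CODEDIRECTORY, 12 + 8)
    return bytes(patched) + superblob + index + cd


def verify_code_hashes(image: bytes):
    """Recompute every page hash; return (identifier, page indexes whose hash does not match)."""
    _, dataoff, datasize = find_code_signature_command(image)
    blob = image[dataoff:dataoff + datasize]
    magic, length, count = struct.unpack_from(">III", blob, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE or length != len(blob):
        raise ValueError("malformed embedded-signature SuperBlob")
    slots = dict(struct.unpack_from(">II", blob, 12 + 8 * i) for i in range(count))
    cd_off = slots[CSSLOT_CODEDIRECTORY]  # KeyError if the blob carries no CodeDirectory
    (magic, _, _, _, hash_off, ident_off, _, n_code, code_limit,
     hash_size, hash_type, _, page_shift, _) = struct.unpack_from(CD_FMT, blob, cd_off)
    if magic != CSMAGIC_CODEDIRECTORY or hash_type != CS_HASHTYPE_SHA256 or page_shift != PAGE_SHIFT:
        raise ValueError("unsupported CodeDirectory")
    identifier = blob[cd_off + ident_off:blob.index(b"\0", cd_off + ident_off)].decode()
    base = cd_off + hash_off
    expected = [blob[base + i * hash_size:base + (i + 1) * hash_size] for i in range(n_code)]
    actual = page_hashes(image, code_limit)
    if len(actual) != n_code:
        raise ValueError("nCodeSlots disagrees with codeLimit")
    return identifier, [i for i in range(n_code) if expected[i] != actual[i]]


def demo():
    """Sign a constructed two-page image; show which page a header edit and a code edit break."""
    text = b"\x1f\x20\x03\xd5" * 1500  # 6000 bytes of ARM64 NOPs (constructed input)
    signed = sign_image(build_unsigned_image(text), b"com.example.openwallet")
    header_edit, code_edit = bytearray(signed), bytearray(signed)
    struct.pack_into("<I", header_edit, 24, 0x00200085)  # mach_header_64.flags
    code_edit[5000] ^= 0xFF  # a __TEXT byte that falls in the second page
    return {"intact": verify_code_hashes(signed),
            "after_header_edit": verify_code_hashes(bytes(header_edit))[1],
            "after_code_edit": verify_code_hashes(bytes(code_edit))[1]}


if __name__ == "__main__":
    print(demo())
```

Run it directly to print the three results; an empty list means every page hash matched, `[0]` means only the page holding the header and load commands changed, `[1]` means only the code page changed. A real App Store binary additionally carries negative "special slot" hashes (Info.plist, requirements, entitlements) before hashOffset and a CMS signature blob in its own SuperBlob slot, which this stub leaves out.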
0

One way to do that is by showing the information in an iOS settings bundle. I've seen a couple of applications implementing an iOS settings bundle and showing acknowledgements/attributions over there. The other way would be showing that info inside your app itself, but I wouldn't recommend that.

Ajith Renjala
  • I could just show about any information via the settings bundle or in app. How is that supposed to prove anything? – ilmiacs Jun 25 '14 at 15:06