Conversation

If a government can issue a secret order to push a 'special' version of a mobile app just to a specific person (or set of people), how can this be mitigated?

  • How can app "rarity" be detected locally? (Antivirus and its descendants have a concept of a "well-known benign executable" vs one that has only been rarely seen.)

  • Can a local app, or an OS feature, be used to compare local apps with a list of expected versions?

  • Can this be done independently of the OS (since the order could also subvert the rarity check)? (Even an independent app can be subverted if the only app store is the official one maintained by the same vendor.)

  • To detect unusual app versions, reproducible builds are necessary but not sufficient, unless the project is also FOSS -- because even if everyone gets the same APK, the app might receive different instructions from its server depending on unique metadata.

@tychotithonus In the US, Apple in the San Bernardino case appeared to have successfully pushed back on the request that they “write new software” to allow access.
Seems like “different instructions from the server” would be a hard order to fight.

@marshray Ah, fair. Welll .. they might not be able to be forced, but they (or the app author) might be ... otherwise persuaded. Interesting.

@tychotithonus I think this dilemma is equivalent to the USGOV vs. Kaspersky case. After some point you have to trust your supply chain. If that's not reasonable, you cut ties.

(I know this is not an answer, but my gut tells me this isn't really a technical problem to solve)

@buherator Totally agreed. Just trying to push the observability costs down.

@tychotithonus To the ‘can it be done’, as I recall Google changed their policies so that Google Play Store apps must now be signed with a Google certificate and not the developer’s one. That means that they can build and sign a custom version without the developer’s knowledge,

This is precisely the problem that Package Transparency was meant to solve. When you publish a package, you add its hash to a public Merkle tree. People downloading can then see if this is the latest version (or, at least, one that you’ve published). If you get a different one to everyone else, that shows up.

@tychotithonus there are a couple of layers to this. Generally, you should be able to trust a signature of an APK, and you can validate that on and off device. If a new APK is pushed with the correct signature, you might have a very difficult time distinguishing that from a legitimate staged roll-out of a new version. A different-signature APK will not install on a non-compromised OS.

For checking if something is rare, you can check the checksum of an APK installed on a device or off the device.

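The Package Transparency idea from the post above (publish each APK's hash to a public Merkle log) combined with Aurimas's point about checking the installed APK's checksum, as an added Python sketch that is not part of this thread: a minimal RFC 6962-style log with inclusion proofs. The sample "APK" bytes, the log contents and the pinned root are constructed; a staged-rollout build that was published to the log verifies, while a build nobody else received does not.

```python
import hashlib

PUBLISHED_APKS = [  # constructed sample "APKs"; a real check hashes the installed package bytes
    b"telegram-10.1 (constructed sample)",
    b"telegram-10.2 (constructed sample)",
    b"telegram-10.3 staged rollout (constructed sample)",
]
SPECIAL_APK = b"telegram-10.3 targeted build (constructed sample)"

def leaf_hash(data: bytes) -> bytes:
    # 0x00 prefix: a leaf hash can never be confused with an interior node hash
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    # largest power of two strictly less than n (RFC 6962 tree shape)
    return 1 << ((n - 1).bit_length() - 1)

def merkle_root(leaves: list) -> bytes:
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(index: int, leaves: list) -> list:
    """Sibling hashes from the leaf up to the root, as (hash, sibling_is_right)."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(index, leaves[:k]) + [(merkle_root(leaves[k:]), True)]
    return inclusion_proof(index - k, leaves[k:]) + [(merkle_root(leaves[:k]), False)]

def verify_inclusion(leaf: bytes, proof: list, root: bytes) -> bool:
    h = leaf
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h == root

def apk_is_logged(apk: bytes, log_leaves: list, trusted_root: bytes) -> bool:
    target = leaf_hash(apk)
    if target not in log_leaves:  # nobody else got this build: the "special" version
        return False
    proof = inclusion_proof(log_leaves.index(target), log_leaves)
    return verify_inclusion(target, proof, trusted_root)

LOG_LEAVES = [leaf_hash(a) for a in PUBLISHED_APKS]
LOG_ROOT = merkle_root(LOG_LEAVES)  # the root a client pins or fetches from the log
```

The check only shows that a build was published to the same log everyone else sees; as the first post notes, a logged build can still be fed different instructions by its server.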

@Aurimas Indeed - though I'm also talking about how to surface this to more ordinary users ("you just got a 'special' version of Telegram" etc.)

@tychotithonus how do you distinguish Telegram doing a staged rollout to check for crashes vs you having a malicious rare version?

@Aurimas @tychotithonus At least you don't have to deal with this in case of CrowdStrike :)