I'm not ignoring what you're saying. You're adding arbitrary restrictions, I asked "Can't you just use the binary you built?", No, apparently "It's not 1999, I can't build it, I need someone else to", "Why can't you use their binary?" "I don't trust them"...?!
Dude. *How* will you verify the official apk matches the hash that your auditor says they checked? Literally give me the command.
I will give you the command I think you need to use: sha256sum --check from_matthew.txt && adb install official.apk. Sound correct? THAT IS SIDELOADING.
And what does that have to do with a sensible approach to getting software that Matthew says they can trust onto the smartphones of a couple billion people, many of whom don't have any IT device but their phone?
Assuming Google is not replacing existing apks with maliciously modified ones, they give you a version/date/whatever stamp for the version they've audited (along w/device type) and you disable auto-update, ensure that's the version you're installing.
I fully accept that this is not a *good* flow for how you verify it. That's a[n intentional] flaw in Play Store. It should be offering you hashes you can validate against a trust list, manually or with system configuration of list of trusted app hashes (provided by auditor).
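The flow sketched in the two tweets above (an auditor-supplied list of trusted app hashes, checked before `adb install`) as an added shell example; this is not code from anyone in the thread. It constructs a stand-in APK and a trust list on the fly so it runs offline, and the file names `official.apk` and `from_auditor.txt` are assumptions. The install step is gated behind an `ADB_INSTALL` variable that defaults to an echo, so nothing is pushed to a device unless you set it to `adb install` yourself.

```shell
#!/bin/sh
# Added example, not from the thread: refuse to install an APK unless its
# SHA-256 appears in an auditor-provided trust list.
set -eu

# Constructed sample data: a fake "APK" plus a trust list in the
# "<sha256>  <filename>" format that sha256sum --check understands.
WORK=$(mktemp -d)
printf 'not a real apk, constructed sample\n' > "$WORK/official.apk"
( cd "$WORK" && sha256sum official.apk > from_auditor.txt )

# A tampered copy: same name on disk, one extra byte, so the hash differs.
cp "$WORK/official.apk" "$WORK/tampered.apk"
printf 'x' >> "$WORK/tampered.apk"

# verify_apk <apk> <trustlist>
# Returns 0 only when the file's SHA-256 matches an entry in the list.
# We match on the hash alone so the local path need not equal the listed name.
verify_apk() {
    apk=$1
    list=$2
    actual=$(sha256sum "$apk" | cut -d' ' -f1)
    grep -qi "^$actual " "$list"
}

# install_if_trusted <apk> <trustlist>
# Runs the install command only after verification passes; returns 1 otherwise.
# Real use: ADB_INSTALL="adb install" sh thisscript.sh
install_if_trusted() {
    if verify_apk "$1" "$2"; then
        echo "hash matches trust list; installing $1"
        ${ADB_INSTALL:-echo adb install} "$1"
    else
        echo "REFUSING to install $1: hash not in trust list" >&2
        return 1
    fi
}

# Demonstration: the untouched file installs, the tampered one is refused.
install_if_trusted "$WORK/official.apk" "$WORK/from_auditor.txt"
if install_if_trusted "$WORK/tampered.apk" "$WORK/from_auditor.txt"; then
    echo "unexpected: tampered apk was accepted" >&2
    exit 1
fi
```

The check is only as good as the trust list's provenance: the list has to reach the phone over a channel you trust more than the Play Store download itself, which is exactly the gap the thread is arguing about.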