Hey #Google, cool you're adding a bit of #BinaryTransparency. Unfortunately, it doesn't mean much without #FreeSoftware #OpenSource and #ReproducibleBuilds. When can we expect you to adopt those practices?

https://blog.google/security/bringing-binary-transparency-to-the-android-ecosystem/

For the record #FDroid has offered binary transparency since 2017 https://gitlab.com/fdroid/fdroidserver/-/merge_requests/226

And we even offer binary transparency for your #Gradle and #AndroidSDK binaries
https://f-droid.org/2021/02/05/apis-for-all-the-things.html#binary-transparency-logs

How about expanding your logging to all your binaries?

Evolving Verifiable Trust: Bringing Binary Transparency to the Android Ecosystem

Google is expanding Binary Transparency on Android to help you verify that your Google apps are genuine and authorized for release.

Google

Google Bolsters Android App Security with Public Verification Ledger

Google is stepping up its game to keep your Android apps safe with a new public verification ledger that ensures the Google apps on your device are genuine and exactly as intended. This move builds on its Pixel Binary Transparency feature, now expanding it to all Android production apps.

https://osintsights.com/google-bolsters-android-app-security-with-public-verification-ledger?utm_source=mastodon&utm_medium=social

#AndroidAppSecurity #PixelBinaryTransparency #BinaryTransparency #Google #SupplyChain

Add new hash 44e978970ac5a511d4ba83364a76d81041ccd71129e57cdd8384cd460ff9bd35 for theName (theVersion) for theArchitecture #debian #binarytransparency
Add new hash 2b4247be96a1911c3a6278cb888b3742497a8901319118221f041bb1fc4c2066 for intel-microcode (3.20250812.0ubuntu0.22.04.1) for amd64 #debian #binarytransparency
Add new hash aa833951a9b8bfa004fa814b990961a8c515f03ae8bd93349b8e00a0c975feb3 for gitlab-runner (18.2.0-1) for amd64 #debian #binarytransparency
Add new hash 584d2b03e41e6bc4031330263a9305fe76646be0490348b4e3c73f35c9bffa4a for python3-systemd (235-1b2) for amd64 #debian #binarytransparency
Now that there is finally some time between the holidays, there are updates to @bintra #binarytransparency for the many improvements and tickets in #NodeJs that have been piling up. Just programming something for yourself is pure relaxation compared to client projects. #ITnerd

#WhatsApp implementing #KeyTransparency is pretty nice, and definitely an excellent step in the right direction against shadow accounts and the service provider trust problem. However, without the client being #OpenSource, it is not that meaningful. Yes, of course somebody could implement an independent monitor for the transparency log to check keys registered for an identity, but what percentage of the user base will actually do that when the only realistic way to use the service is to rely on the #proprietary client, which can still be used to maliciously target (groups of) users to break #E2EE?

Secure messenger clients should both use identity security protections like #KeyTransparency and have a *default* implementation that is #OpenSource and, ideally, be distributed with #BinaryTransparency and verified through #ReproducibleBuilds. Oh, and allow other identifiers than just phone numbers (still looking at you, @signalapp - which is otherwise ticking a lot of the right checkboxes).

Add new hash 223b4c3eafd3edf44d9b8153f834c24aface03ea7585db4ccb0292e582fd6345 for gitlab-ce (15.10.0-ce.0) for amd64 #debian #binarytransparency
Add new hash 91c1ae6c5a02d25f901917a1f944b07ab9d7bd8033e3d10a8e714de4c3f5eef4 for libcurl3-gnutls (7.68.0-1ubuntu2.16) for amd64 #debian #binarytransparency