You often see us reporting our RB status, and might wonder what's so important about #ReproducibleBuilds – want a recent example? Take a look at https://web.archive.org/web/20260402133949/https://github.com/Nekogram/Nekogram/issues/336 – and the POC at https://github.com/RomashkaTea/nekogram-proof-of-logging

In short: Release APK was built from different code, including a logger to catch all phone numbers contacted. Oh, and the dev thinks that's fine (https://t.me/NekoUpdates/531).

RB would have failed for that app, and shown the diff.

Stay safe out there!

(1/2)


(2/2) Probably a good time to tell you about a new security feature in #NeoStore: there you can now configure it to accept updates to RB apps only if the updates were also confirmed to be reproducible. That might delay your updates by a few hours (until the proof arrives) – but helps you stay safer.

Of course you can always decide to "force" an update manually. And non-RB apps are not affected. Nothing is forced upon you – the choice is yours. We just provide the means 😉
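To illustrate what "RB would have failed, and shown the diff" means in practice, here is an added example (not from the original posts, and not the code of any RB tooling mentioned here). It is a simplified check that compares only ZIP entry contents of a published APK against a rebuild from source, skipping v1 signing files; all function names and sample data are hypothetical and constructed.

```python
import hashlib
import io
import zipfile

# v1 (JAR) signing files live under META-INF/ and legitimately differ
# between the developer's signed release and an unsigned rebuild.
SIGNING_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def is_signing_entry(name):
    if not name.startswith("META-INF/"):
        return False
    return name == "META-INF/MANIFEST.MF" or name.upper().endswith(SIGNING_SUFFIXES)

def entry_digests(apk_bytes):
    """Map each non-signature ZIP entry to the SHA-256 of its content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist()
                if not is_signing_entry(info.filename)}

def compare_apks(release, rebuilt):
    """Report entries that changed or exist on one side only."""
    rel, reb = entry_digests(release), entry_digests(rebuilt)
    return {
        "changed": sorted(n for n in rel.keys() & reb.keys() if rel[n] != reb[n]),
        "only_in_release": sorted(rel.keys() - reb.keys()),
        "only_in_rebuild": sorted(reb.keys() - rel.keys()),
    }

def is_reproducible(release, rebuilt):
    return not any(compare_apks(release, rebuilt).values())

def make_apk(entries):
    """Constructed sample: a tiny in-memory ZIP standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed inputs, not taken from any real app.
BASE = {"classes.dex": b"code-from-public-source", "res/a.xml": b"<a/>"}
SIGNING = {"META-INF/CERT.RSA": b"sig", "META-INF/CERT.SF": b"sf"}
SOURCE_BUILD = make_apk(BASE)
SIGNED_SAME = make_apk({**BASE, **SIGNING, "META-INF/MANIFEST.MF": b"mf"})
SIGNED_OTHER = make_apk({**BASE, **SIGNING, "classes.dex": b"code-with-extra-logger",
                         "assets/extra.bin": b"x"})

if __name__ == "__main__":
    print(is_reproducible(SIGNED_SAME, SOURCE_BUILD), compare_apks(SIGNED_OTHER, SOURCE_BUILD))
```

The entry-level report only tells you where to look; the actual diff comes from decompiling the entries it flags.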