
They control the update servers. So it's possible to target a single user with a single build that no one else ever sees. What percentage of users verify every release?


In theory, Binary Transparency (https://binary.transparency.dev/) solves that among other things. To pass verification, an update has to prove that it's included in a public log of releases.

But I guess Signal doesn't implement it?


It's distributed in the Play Store, so Google controls the update servers, no?

Edit: or Apple, whathaveyou



