One question I always have with secure systems distributed by app stores, even the open source ones, is how do you verify the source you're reading is the app you're using?
Google Play Store requires the developer to sign the program with their private key, and only the developer can provide future versions of the program. Moxie from Whisper Systems seems to trust this system (decentralized signing of binaries) more than the F-Droid one (centralized signing of binaries).
If I understand correctly, the iPhone only cares that the chain of trust for an app key is validated up to their CA.
In other words, if the bad guys with guns coerce Apple to mint them a cert, they could simply replace your known good binary with a crocked one signed with the new key, and your phone will happily run it. Getting that binary onto your phone is an exercise left to the reader, but there are many means, legal and otherwise, that could be employed to make that happen.
If your privacy means your life is on the line, you probably shouldn't be running stock Android or iOS. (And depending on how you feel about basebands, any modern smartphone, period.)
The greatest material curse to the profession, despite all its advantages, is undoubtably the telephone. It is a constant source of temptation to slackness. And even if you do not use it carelessly yourself, the other fellow, very often will, so in any case, warn him. Always act on the principle that every conversation is listened to, that a call may always give the enemy a line. Naturally, always unplug during confidential conversations. Even better is it to have no phone in your room, or else have it in a box or cupboard.
That's talking about the plain old telephone in the 1960s.
The message I get from it? If your life is on the line, consider not using any electronic communication at all.
I guess there's no way, but if it's open source, like this one, you can recompile it. The iOS version seems to use CocoaPods for the dependencies so it should be easy to compile the project.
Even that isn't strictly guaranteed to work; have you read ken's Reflections on Trusting Trust? Strictly speaking, you'd need to hand-compile (or at least hand-verify) the app, and trust the underlying platform as well (dalvik and/or the hardware).
Well, there are several ways to get read access to the iPhone's filesystem. You can grab the binary from the phone and verify that it's the same as when you compile the app on your own machine.
So, I'm not intimately familiar with the code signing process, but I imagine that the bundle on the iPhone wouldn't match the one you would get by compiling the source on your machine.
The former would be signed with Whisper Systems' distribution certificate, which you couldn't do on your system because you don't have their certificate.
And now you are aware of the difficulties in producing reproducible/deterministic builds. This would be a good starting point for further reading: https://wiki.debian.org/ReproducibleBuilds/About
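An added example, not part of the thread and not any project's own tooling: one way to compare a store-distributed build against a locally compiled one when only the signatures are expected to differ. It assumes an Android APK with JAR-style (v1) signature files under META-INF/ and a build that is otherwise reproducible; the function names and the sample archives are constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# JAR-style (APK v1) signature entries: these legitimately differ between the
# developer-signed store build and a locally compiled, self-signed build.
SIGNATURE_ENTRY = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")

def content_digests(archive_bytes):
    """Map each non-signature entry name to the SHA-256 of its uncompressed data."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or SIGNATURE_ENTRY.match(info.filename):
                continue
            if info.filename in digests:
                # Duplicate names make "which copy is used" parser-dependent.
                raise ValueError("duplicate entry: " + info.filename)
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_builds(store_bytes, local_bytes):
    """Report entries that are extra, missing, or different in the store build."""
    store, local = content_digests(store_bytes), content_digests(local_bytes)
    return {
        "only_in_store": sorted(store.keys() - local.keys()),
        "only_in_local": sorted(local.keys() - store.keys()),
        "changed": sorted(n for n in store.keys() & local.keys() if store[n] != local[n]),
    }

def make_archive(entries):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample data, not real app contents.
CODE = {"classes.dex": b"dex-code-v1", "res/layout/main.xml": b"<layout/>"}
LOCAL = make_archive({**CODE, "META-INF/CERT.RSA": b"my-own-key-signature"})
STORE = make_archive({**CODE, "META-INF/CERT.RSA": b"developer-signature"})
MODIFIED = make_archive({**CODE, "classes.dex": b"dex-code-modified",
                         "lib/extra.so": b"unexpected", "META-INF/CERT.RSA": b"other-signature"})

if __name__ == "__main__":
    print(compare_builds(STORE, LOCAL))     # all three lists empty: contents match
    print(compare_builds(MODIFIED, LOCAL))  # names the changed and extra entries
```

An empty report only says the store build matches what your toolchain produced from that source; it does not address the compiler and platform trust raised earlier in the thread.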
Is there no option in the store for developers to "sign" the apps in some way and for phones to detect when the app doesn't use the developer's signature?
If such a feature doesn't exist in the app stores, it should.
I think TheLoneWolfling was talking about Verizon or AT&T enabling this kind of "only trust this cert" with one of their own as an intermediary, effectively shutting out Apple and all the actual independent developers on that ecosystem in favor of "The AT&T App Store for your iPhone by AT&T" style closed gardens.
Ultimately, Apple holds the private key that signs every developer's certificate, and thus they have the capability of granting a certificate that is in every way compatible as another developer's certificate. There is no way to escape this scenario, which plagues SSL and TLS as well, without redesigning the asymmetrical certificate infrastructure from the ground up.