undefined | Better HN

0 pointsionspin3y ago0 comments

In a perfect scenario you would be able to use a reproducible build [0], for Android you can actually get Bitwarden from F-Droid [1] which uses those reproducible builds.

For Google play store, there was also that developers needed to sign their apps before releasing to stores, so you knew that it came from developer, but Google removed that when they introduced app bundles. There is still a way to verify if the build is the same as developer provided, but automatic protections that were there are now gone [2]

[0] https://en.wikipedia.org/wiki/Reproducible_builds [1] https://mobileapp.bitwarden.com/fdroid/ [2] https://arstechnica.com/gadgets/2021/07/google-play-dumps-ap...

0 comments

mook3y ago

Looking at that, it doesn't seem like you can actually get Bitwarden from F-Droid? That looks like instructions to set up a third-party repository (hosted by Bitwarden)?

The page didn't mention anything about reproducible builds. (Doesn't mean they aren't using it though, but that would be internal.)

ionspinOP3y ago

You are completely right, this is hosted by Bitwarden so in the end you would be better of building from source yourself.

j / k navigate · click thread line to collapse