Hacker Neue

Preferences
bee_rider parent
You would? How?
pitched
The only proof we have of privacy is a claim made by an internet account. With source code, auditing that claim is a lot easier. “Trust but verify.”
bee_rider OP
I agree that it isn’t as easily verifiable that it is privacy-respecting without the source code but that’s a couple steps from saying that it is “a falsehood” to say it is.

What made me wonder about it is that this is very specific wording that indicates that they proactively know the author is lying, when it would be very easy to instead say something along the lines of what you said, that it is too hard to verify without access to the source code.

pitched
I agree that the language used wasn’t perfect, but… If a claim is not verifiable, it can only be taken on faith. Same as all the existing apps in the category that this one aims to replace. Is there a better word we can use to describe this sort of situation?
bee_rider OP
I can’t think of one specific word to swap out for “falsehood,” it would be better to just replace the whole phrase. Various things have been bounced around here in the discussion. I’d go with something like “without the source code, unfortunately that can’t be verified.” This is a better phrase all around. It describes the actual problem. And it isn’t unnecessarily accusatory.
GlumWoodpecker
Presumably because there is no way to verify the claim.
bee_rider OP
I think that isn’t it, because it would be easy to say something like “we can’t verify the claim that it is privacy respecting so we should assume otherwise.” Which is a totally reasonable position to take.

I think it is important to be specific, clear, and to have evidence if one wants to call somebody a liar, though.

Or maybe it is something else, it could be interesting if they have some other definition of “privacy respecting” that precludes closed source apps, for example. That is, to “respect privacy” could be understood to actually be to provide users with verifiable evidence that their private info isn’t compromised. I think this isn’t the conventional definition definition of privacy respecting but I’m definitely ready to be pulled on-side if anybody starts pushing it.

stormqueen
There are ways to check what data is send trough the network...
freedomben
Not really, not anymore. Many apps are now using certificate pinning to make it impossible for the user to to modify the trust store. This means that unless it is open source, it is very difficult for people to verify, even when they know very well what they are doing.
Technetium
There's always a way, even if it's a lot more painful now! https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-00...
zerr
But you can verify that the app does not use the network at all, right?
freedomben
Yes you could, although the bar is still a lot higher than if it's open source. You will have to fully re-test all possible paths in the app every time a new release is made if it's closed source. If it's open, you just need to look at the git log.

Plus if there is one legitimate network call, then this strategy is out since you can't know what that request contains. OP using in-app purchases, so I'm willing to be there's at least one network call in there.

If there is no network access permission at all, then I think we agree, that's a reasonable guarantee.

zerr
Interesting if in-app purchase is registered as the app network access vs Google Play services network access.

This item has no comments currently.

Keyboard Shortcuts

Story Lists

j
Next story
k
Previous story
Shift+j
Last story
Shift+k
First story
o Enter
Go to story URL
c
Go to comments
u
Go to author

Navigation

Shift+t
Go to top stories
Shift+n
Go to new stories
Shift+b
Go to best stories
Shift+a
Go to Ask HN
Shift+s
Go to Show HN

Miscellaneous

?
Show this modal