Mullvad VPN got a solid review from me and an official “okie dokie” when I gave it a test drive earlier this year, and an honorary mention in my guide, The Best VPNs to Protect Your Online Security. It may only be for the Android app, but Mullvad making their VPN reproducible adds one more layer of transparency to an already trustworthy service.
What the heck is a reproducible build?
I won’t drone on about how a VPN (virtual private network) works. That’s covered in the Best VPNs guide. What I’ll drone on about instead is how hackers, snoops, data thieves, and other bad actors have gotten smarter in recent years.
Now, beyond chain letters and fake Nigerian royalty, they’re reaching out in the guise of trying to protect you from people like them, masquerading as privacy and security software. Impersonation of a legitimate app is an increasing danger, as is the risk of downloading a piece of security software (such as Mullvad VPN) from an unofficial source and not realizing that a jerk has bundled something nasty into it, like spyware.
Making the Mullvad VPN app (on Android only, as of yet) reproducible means that anyone can rebuild it from the published source code and compare the result with the copy being distributed, to verify that nobody has tampered with the software and released it onto an unsuspecting public.
“A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts,” says ReproducibleBuilds.org, from which Mullvad borrows its definition.
As the Reproducible Builds website continues, “Artifacts would include executables, distribution packages or filesystem images. They would not usually include build logs or similar ancillary outputs.”
“For a build to be reproducible,” Mullvad continues, “the build output must not include any information that would vary depending on when it is built or on what machine it is built (such as timestamps or file paths).
“Reproducible builds provide a strong guarantee that the app you install hasn’t been tampered with. When builds produce bit-for-bit identical results, it provides assurance that
- No unintended modifications occurred during the build process.
- The published source code matches what’s actually distributed to users.”
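To make the quoted requirement concrete, here is an added example (not from the original article, and not Mullvad's build or verification procedure). It packs the same inputs into a ZIP archive, the container format an APK uses, and shows that a leaked timestamp or build path breaks the bit-for-bit match. The file names, contents and helper functions are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Constructed stand-ins for app contents (not Mullvad's real files).
FILES = {
    "classes.dex": b"compiled bytecode placeholder",
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
}
FIXED_TIME = (1980, 1, 1, 0, 0, 0)  # earliest timestamp the ZIP format allows


def build_archive(files, mtime=FIXED_TIME, build_dir=""):
    """Pack files into a ZIP, the container format an APK uses.

    A per-build mtime or build_dir mimics the timestamps and file paths
    that must stay out of the output for a build to be reproducible.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):  # fixed entry order
            info = zipfile.ZipInfo(build_dir + name, date_time=mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
    return buf.getvalue()


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def is_reproduced(published, rebuilt):
    """True only when the two artifacts are bit-for-bit identical."""
    return sha256(published) == sha256(rebuilt)


def differing_entries(a, b):
    """List entry metadata present in one archive but not the other."""
    def meta(blob):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return {(i.filename, i.date_time, i.CRC) for i in zf.infolist()}
    return sorted(meta(a) ^ meta(b))


if __name__ == "__main__":
    published = build_archive(FILES)
    print("clean rebuild matches:", is_reproduced(published, build_archive(FILES)))
    stamped = build_archive(FILES, mtime=(2025, 6, 1, 12, 0, 0))
    print("timestamped rebuild matches:", is_reproduced(published, stamped))
    print(differing_entries(published, stamped))
```

When the digests differ, `differing_entries` narrows the mismatch to specific entries, which helps tell a harmless build-environment leak apart from changed file contents.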
As for availability, only Mullvad VPN’s Android app has been created in a reproducible way. Mullvad’s iOS, Windows, and macOS apps aren’t on the roadmap. Speaking to TechRadar, a Mullvad spokesperson said, “There is no reason we would not want to do it, just that it has not been prioritized/evaluated for the other platforms.”
So for Android users, this is yet one more example of the openness and transparency that any good security app would share with its would-be customer base.
The post Mullvad Adds a Way To Verify Your App on Android appeared first on VICE.