Can I host my PHP app in such a way that users can verify the source code being used by the server?
I have worked with one other person to create a mobile-optimized web proxy to the League of Legends Tribunal (a peer review system). Riot Games, the creators of LoL, made a really nice web interface that happens to work very poorly on mobile browsers, so I set out to fix it myself. Due to constraints of the "API" available to us (basic reverse engineering of the REST traffic in the original), our app unfortunately requires users to enter their username and password in order to use it. Having users share their passwords with third-party apps is unquestionably bad practice, but that's not a solvable problem at the moment.
As a first step to mitigate the problem, we have open-sourced our app on Github for those that have the know-how to host it for themselves after verifying the code is safe. However, there are plenty of people that could benefit from our app that can't be expected to host their own trusted version of the app.
This brings me to my question: Is there a way that I can host this app in a way that someone could verify that it uses the same trustworthy code found on our Github repo?
I'm not concerned with building a solution that would automatically compare it to the latest code on Github or anything. Simply allowing them to browse the code being used would be enough, but I can't think of a way that would be trustworthy and could be spoofed by a crafty mind.
Any ideas?
There is no form of challenge that your app could anticipate and respond to that would not also be falsifiable (the closest approximation would be to give your app's users filesystem access on your server to view source and review checksums).
Additionally, if your app stores, sends, or receives sensitive data, the app itself is not the only potential culprit if data leaks as it may be possible to read users' data by sniffing network traffic or by dumping memory.
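As an added example (not from the question or the answer), here is the filesystem-access route the answer describes, made concrete: a reviewer who has been given read access to the server's web root recomputes git's blob ids for the deployed files and diffs them against the `git ls-tree -r <commit>` listing of the GitHub repository, so no self-reported checksum from the app is trusted. It assumes the reviewer computes the ids themselves against a pinned commit, and it proves only what is on disk, not what the running PHP process actually executes, which is exactly the answer's caveat.

```python
import hashlib
import os
from typing import Dict, List

def git_blob_id(content: bytes) -> str:
    # Same id `git ls-tree` shows: SHA-1 over "blob <size>\0<content>".
    return hashlib.sha1(b"blob %d\0" % len(content) + content).hexdigest()

def manifest_from_files(files: Dict[str, bytes]) -> Dict[str, str]:
    return {path: git_blob_id(data) for path, data in files.items()}

def manifest_from_disk(root: str) -> Dict[str, str]:
    # Walk the deployed web root (skipping .git) and hash every file found.
    files: Dict[str, bytes] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return manifest_from_files(files)

def parse_ls_tree(output: str) -> Dict[str, str]:
    # Lines from `git ls-tree -r <commit>` look like "<mode> blob <id>\t<path>".
    expected: Dict[str, str] = {}
    for line in output.splitlines():
        if "\t" not in line:
            continue
        meta, path = line.split("\t", 1)
        _mode, kind, obj = meta.split()
        if kind == "blob":  # submodules appear as "commit" and are skipped
            expected[path] = obj
    return expected

def compare(deployed: Dict[str, str], expected: Dict[str, str]) -> Dict[str, List[str]]:
    # Content differences, files absent on the server, and files only on the server.
    return {
        "modified": sorted(p for p in expected if p in deployed and deployed[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in deployed),
        "extra": sorted(p for p in deployed if p not in expected),
    }
# Constructed sample: a two-file ls-tree listing for the pinned commit versus what
# is on disk ("hello\n" hashes to ce0136..., the empty file to e69de2...).
SAMPLE_LS_TREE = ("100644 blob ce013625030ba8dba906f756967f9e9ca394464a\tindex.php\n"
                  "100644 blob e69de29bb2d1d6434b8b29ae775ad8c2e48c5391\tconfig.php\n")
SAMPLE_DEPLOYED = {"index.php": b"hello\n", "config.php": b"<?php // edited\n", "extra.php": b""}

def demo() -> Dict[str, List[str]]:
    return compare(manifest_from_files(SAMPLE_DEPLOYED), parse_ls_tree(SAMPLE_LS_TREE))
```

On a real server, replace `manifest_from_files(SAMPLE_DEPLOYED)` with `manifest_from_disk("/path/to/webroot")` and paste in the ls-tree output taken from your own clone of the repository.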