Fascinated by the idea of sharing Android apps offline, and specifically during internet blackouts that are an unfortunate reality around the world.
The ability to send and receive "an APK", no matter how much the sender is trusted, opens a dangerous attack vector – especially with open source software. An adversary, by means of basic social engineering, now has an untethered distribution channel to spread a malicious fork with zero verification.
Zapstore, however, has been designed from the ground up for adversarial contexts. We are able to send not only Android artifacts, but also the Nostr events that verify them and set up a basic web-of-trust check, completely offline.
Won't be implemented right away, but here is the draft spec to kick it off:
https://github.com/zapstore/zapstore/issues/259#issue-3795860706
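To make the offline check concrete, here is an added example that is not Zapstore's code and is not taken from the draft spec linked above. It assumes the artifact travels with a Nostr event whose "x" tag carries the APK's SHA-256 (borrowing NIP-94's kind 1063 as the carrier) and that the receiver has a cached list of trusted root keys plus their kind-3 follow lists; both of those choices are assumptions for the demo. BIP-340 Schnorr over secp256k1 is implemented in pure Python so that nothing needs to be downloaded, which is the whole point of an offline verification path.

```python
# Added example (not Zapstore's code): verify an APK received offline using a
# signed Nostr event that attests to the artifact's SHA-256, then check the
# signer against a locally cached web of trust. Event layout (NIP-94 kind 1063
# with an "x" hash tag) and the one-hop follow rule are assumptions for the demo.
import hashlib
import json

# secp256k1 curve parameters and generator
P_ = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def tagged_hash(tag, msg):  # BIP-340 tagged hash
    th = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(th + th + msg).digest()

def point_add(a, b):  # affine addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and a[1] != b[1]: return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P_) % P_
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P_) % P_
    x3 = (lam * lam - a[0] - b[0]) % P_
    return (x3, (lam * (a[0] - x3) - a[1]) % P_)

def point_mul(pt, k):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = point_add(r, pt)
        pt, k = point_add(pt, pt), k >> 1
    return r

def lift_x(x):  # x-only public key -> curve point with even y
    if x >= P_: return None
    y2 = (pow(x, 3, P_) + 7) % P_
    y = pow(y2, (P_ + 1) // 4, P_)
    if pow(y, 2, P_) != y2: return None
    return (x, y if y % 2 == 0 else P_ - y)

def pubkey(seckey):  # 32-byte x-only public key, the form Nostr uses
    return point_mul(G, int.from_bytes(seckey, "big"))[0].to_bytes(32, "big")

def schnorr_sign(msg, seckey, aux=bytes(32)):
    d0 = int.from_bytes(seckey, "big")
    pub = point_mul(G, d0)
    d = d0 if pub[1] % 2 == 0 else N_ - d0          # force an even-y key
    px = pub[0].to_bytes(32, "big")
    t = bytes(x ^ y for x, y in zip(d.to_bytes(32, "big"), tagged_hash("BIP0340/aux", aux)))
    k0 = int.from_bytes(tagged_hash("BIP0340/nonce", t + px + msg), "big") % N_
    R = point_mul(G, k0)
    k, rx = (k0 if R[1] % 2 == 0 else N_ - k0), R[0].to_bytes(32, "big")
    e = int.from_bytes(tagged_hash("BIP0340/challenge", rx + px + msg), "big") % N_
    return rx + ((k + e * d) % N_).to_bytes(32, "big")

def schnorr_verify(msg, pub, sig):
    pt = lift_x(int.from_bytes(pub, "big"))
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if pt is None or r >= P_ or s >= N_: return False
    e = int.from_bytes(tagged_hash("BIP0340/challenge", sig[:32] + pub + msg), "big") % N_
    R = point_add(point_mul(G, s), point_mul(pt, N_ - e))   # s*G - e*P
    return R is not None and R[1] % 2 == 0 and R[0] == r

def event_id(pk_hex, created_at, kind, tags, content):  # NIP-01 id serialization
    ser = json.dumps([0, pk_hex, created_at, kind, tags, content],
                     separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(ser.encode()).digest()

def sign_attestation(seckey, apk, created_at=1700000000):
    # Publisher side: kind-1063 event whose "x" tag carries the APK hash (assumed layout).
    pk_hex, tags = pubkey(seckey).hex(), [["x", hashlib.sha256(apk).hexdigest()]]
    eid = event_id(pk_hex, created_at, 1063, tags, "")
    return {"id": eid.hex(), "pubkey": pk_hex, "created_at": created_at, "kind": 1063,
            "tags": tags, "content": "", "sig": schnorr_sign(eid, seckey).hex()}

def verify_artifact(ev, apk, trusted_roots, follows):
    # Receiver side, fully offline: returns (ok, reason).
    eid = event_id(ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"])
    if eid.hex() != ev["id"]:
        return False, "event id does not match its content"
    if not schnorr_verify(eid, bytes.fromhex(ev["pubkey"]), bytes.fromhex(ev["sig"])):
        return False, "bad signature"
    if hashlib.sha256(apk).hexdigest() not in [t[1] for t in ev["tags"] if t[0] == "x"]:
        return False, "APK hash is not the one attested"
    if ev["pubkey"] in trusted_roots:
        return True, "signed by a trusted root"
    if any(ev["pubkey"] in follows.get(root, ()) for root in trusted_roots):
        return True, "signed by a key that a trusted root follows"
    return False, "signer is outside the local web of trust"

# Constructed demo data: developer key, a root key the user trusts, and the root's
# cached kind-3 follow list naming the developer.
DEV_SK = hashlib.sha256(b"constructed developer key").digest()
ROOT_PUB = pubkey(hashlib.sha256(b"constructed root key").digest()).hex()
FOLLOWS = {ROOT_PUB: {pubkey(DEV_SK).hex()}}
APK = b"PK\x03\x04 constructed stand-in for an APK"
EVENT = sign_attestation(DEV_SK, APK)

if __name__ == "__main__":
    print(verify_artifact(EVENT, APK, {ROOT_PUB}, FOLLOWS))         # accepted via follow
    print(verify_artifact(EVENT, APK + b"!", {ROOT_PUB}, FOLLOWS))  # tampered APK
    print(verify_artifact(EVENT, APK, {ROOT_PUB}, {}))              # signer not in WoT
```

The ordering of checks is deliberate: the event id and signature are verified before the hash is even compared, so a tampered event cannot steer which hash the receiver compares against, and the web-of-trust decision is taken last, on a signer identity that has already been proven. Everything the receiver consults (roots, follow lists, the event itself) is data it already holds, so the check works during a blackout.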