Because it’s kind of hard! Even if I follow their instructions. Maybe I’m just dumb . . . 🙁

    • Anna@lemmy.ml
      3 days ago

      That’s bad advice; you don’t know how they are updating it. If it is added in the repo, then the package manager will check the signing key, but if it is an in-app update, then that may not be verifying the new package, and if someone is doing MITM they can switch it up.

        • Anna@lemmy.ml
          3 days ago

          Yeah, I guess so. Due to SSL, if you want to perform a successful MITM you’ll need to have control of DNS and must have a root CA which you control installed on their system/browser. And if it is a supply chain attack where the source itself is corrupted, then there is no hope.