I agree there's a problem here, but the verification problem exists for every app on your iPhone that isn't released by Apple.

Maybe I'm just clueless, but what solution could exist to verify that the code running on your phone doesn't differ from a given codebase (that also can't be faked)?

We can build Brave for any platform, which happens to have a wallet, but there's still no way of knowing whether what I built matches what's on the Apple store. At least on Android there's F-Droid, which builds and releases from the source. Seems like that's as close as we can get to user-friendly and verifiable right now.

My solution is Safe[0] with multiple signers (different software/hardware for each one). Probably overkill, but when you are your own bank...

[0] https://github.com/safe-global

One more thing you can do is audit the source code of open source projects you use, and build them yourself where possible.

For example, Metamask is source-available and you can add it to your browser from the git repo rather than the Chrome extension store.

You can also add it from the Chrome extension store and inspect the source to ensure all files match the build, before adding any private key material to it.

I was arguing in a comment recently[1] that browser extensions should be required to be source-available, and the Chrome store should take a role in verifying the bundle matches the build process defined with the source code.

It's alarming to me that this is not already the state of things, but as it is it perverts incentives for extension developers to a horrific degree.

[1]: https://news.ycombinator.com/item?id=34892991
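The "inspect the installed extension against your own build" step from the comment above, as an added example (not code from either commenter, MetaMask or Chrome): it assumes a local build directory and Chrome's unpacked install directory of the same extension, skips the `_metadata` folder that Chrome itself adds to Web Store installs, and reports changed, missing and extra files by SHA-256.

```python
import hashlib
import tempfile
from pathlib import Path

# Chrome adds _metadata/ (verified_contents.json etc.) to Web Store installs; it is
# not part of the developer's bundle, so a faithful comparison must skip it.
STORE_INJECTED = ("_metadata",)

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def tree_digests(root: Path, ignore=STORE_INJECTED) -> dict:
    """Map each file's relative POSIX path to its SHA-256, skipping ignored top-level dirs."""
    digests = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if rel.parts[0] in ignore:
            continue
        digests[rel.as_posix()] = sha256_of(path)
    return digests

def compare_trees(built: Path, installed: Path) -> dict:
    """Files whose content differs, files missing from the install, files only in the install."""
    b, i = tree_digests(built), tree_digests(installed)
    return {
        "changed": sorted(p for p in b.keys() & i.keys() if b[p] != i[p]),
        "missing": sorted(b.keys() - i.keys()),
        "extra": sorted(i.keys() - b.keys()),
    }

def demo() -> dict:
    """Constructed sample: a local build and a store install where one script differs."""
    with tempfile.TemporaryDirectory() as tmp:
        built, installed = Path(tmp, "built"), Path(tmp, "installed")
        for d in (built, installed):
            (d / "js").mkdir(parents=True)
            (d / "manifest.json").write_text('{"name": "demo", "version": "1.0"}')
        (built / "js" / "bg.js").write_text("console.log('hi');")
        (installed / "js" / "bg.js").write_text("console.log('hi'); // not in my build")
        (installed / "_metadata").mkdir()
        (installed / "_metadata" / "verified_contents.json").write_text("[]")
        return compare_trees(built, installed)
```

Run `compare_trees(Path("dist"), Path("<chrome profile>/Extensions/<id>/<version>"))` against a real install; an empty result for all three keys is the "files match the build" condition the comment describes.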