
Yeah. For web, I've been advocating for something like "Source Code Transparency" (somewhat analogous to Certificate Transparency) in the WebAppSec WG at the W3C. The idea would be that if you could verify that the source code you're getting is the same as what everyone else is getting for a given version of the web app (and has been published in an append-only log of sorts), it would be much more difficult for us to try to compromise any given user without detection.

On mobile, to do such an attack we'd have to collaborate with Apple or Google to do it, which IMHO seems infeasible - but nevertheless also there a "Binary Transparency" feature of sorts might be valuable.
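A minimal sketch of the check the comment above describes, added here as an illustration and not code from the commenter, Proton, or any W3C draft: an append-only Merkle log of (app, version, sha256 of the served source bundle) records using RFC 6962-style leaf/node hashing, and a client-side routine that accepts a bundle only if its hash is in the log and the inclusion proof chains to a tree root the client obtained independently (a monitor or gossip peer, so the log operator cannot show one user a private view). All names, the record encoding and the sample bundles are constructed for this example.

```python
"""Toy 'source code transparency' check: Merkle append-only log of release
records plus the client-side verification of a served bundle.
Added example; assumptions are marked in comments."""
import hashlib
from dataclasses import dataclass, field


def leaf_hash(record: bytes) -> bytes:
    # RFC 6962 domain separation: 0x00 prefix for leaves, 0x01 for interior nodes
    return hashlib.sha256(b"\x00" + record).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    # largest power of two strictly less than n (n >= 2), as in RFC 6962 trees
    return 1 << ((n - 1).bit_length() - 1)


def merkle_root(leaves):
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves, index):
    """Sibling hashes from the leaf up to the root; 'R' means sibling is on the right."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [(merkle_root(leaves[k:]), "R")]
    return inclusion_proof(leaves[k:], index - k) + [(merkle_root(leaves[:k]), "L")]


def verify_inclusion(leaf: bytes, proof, root: bytes) -> bool:
    h = leaf
    for sibling, side in proof:
        h = node_hash(h, sibling) if side == "R" else node_hash(sibling, h)
    return h == root


def record_bytes(app: str, version: str, source_hash: bytes) -> bytes:
    # constructed canonical encoding of one log entry (NUL-separated fields)
    return b"%s\x00%s\x00%s" % (app.encode(), version.encode(), source_hash)


@dataclass
class TransparencyLog:
    """Hypothetical log operator: entries are only ever appended."""
    records: list = field(default_factory=list)

    def append(self, app: str, version: str, source_hash: bytes) -> int:
        self.records.append(record_bytes(app, version, source_hash))
        return len(self.records) - 1

    @property
    def leaves(self):
        return [leaf_hash(r) for r in self.records]

    def root(self) -> bytes:
        return merkle_root(self.leaves)

    def lookup(self, app: str, version: str, source_hash: bytes):
        rec = record_bytes(app, version, source_hash)
        return self.records.index(rec) if rec in self.records else None

    def proof(self, index: int):
        return inclusion_proof(self.leaves, index)


def check_bundle(log: TransparencyLog, app: str, version: str,
                 bundle: bytes, trusted_root: bytes) -> bool:
    """Client side: accept the served bundle only if its hash was published for
    this (app, version) AND the inclusion proof reaches a root obtained from an
    independent source (monitor / gossip peer), not from the serving origin."""
    digest = hashlib.sha256(bundle).digest()
    idx = log.lookup(app, version, digest)
    if idx is None:
        return False  # hash never published: a build nobody else received
    return verify_inclusion(log.leaves[idx], log.proof(idx), trusted_root)


def demo():
    log = TransparencyLog()
    # constructed sample bundles standing in for two web app releases
    v1 = b"console.log('mail app v1');"
    v2 = b"console.log('mail app v2');"
    for ver, bundle in (("1.0.0", v1), ("1.1.0", v2)):
        log.append("mail-web", ver, hashlib.sha256(bundle).digest())
    root_from_monitor = log.root()  # the view everyone else sees
    honest = check_bundle(log, "mail-web", "1.1.0", v2, root_from_monitor)
    # a bundle altered for one user hashes to something that was never logged
    tampered = check_bundle(log, "mail-web", "1.1.0", v2 + b"// per-user change",
                            root_from_monitor)
    return honest, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The inclusion proof alone does not stop a log operator from forking history; a deployable design also needs consistency proofs between successive roots and some out-of-band root gossip, which is exactly what the "everyone else is getting the same thing" property in the comment depends on.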



> I've been advocating for something like "Source Code Transparency"

Thank you for moving the web forward. Proton mail does a lot of things well, and there's more to do. I was auditing DANE support and PM was one of the few I found with support.



