A lot of Android apps are open source, but how can we make sure the person who finally uploads to the Google Market does not include some spyware just before uploading?
Background: Mobile app security seems to be a growing concern, and I would like to reassure the users of my Open Source Android app. Solutions that require modifying the deployment process or application content are acceptable too.
2012 update: This is going in the right direction: http://f-droid.org/ They check the apps and compile them into APKs that they distribute. That being said, I would trust them more if they were Mozilla or Apache...
Take a look at https://stackoverflow.com/questions/249106/how-can-you-give-users-confidence-that-your-application-has-no-malicious-intent for some related information.
You could of course take the source and build/compile it yourself and compare the resulting binary to the uploaded one, but this somehow defeats the purpose of binary distribution. And it still wouldn't help in cases where the source code does contain malicious code. Or maybe build a safe, i.e. trusted reference binary and then publish the checksum for comparison?
Apart from that, this problem really is not specific to open source software. In the end, it all boils down to trust.
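One way to do the "build it yourself and compare" check from the answer above, as an added example that is not part of the original post or answer. An APK is a zip archive, and the copy on the market carries the uploader's signature files under META-INF/, which a local build cannot reproduce, so a whole-file checksum never matches; the comparison has to be done entry by entry with the signature entries left out. The script assumes the build is otherwise deterministic (same toolchain, no embedded timestamps in the generated classes.dex or resources), which in practice usually needs a reproducible-build setup. The sample APKs are constructed in memory, not real market downloads.

```python
"""Compare a locally built APK with a published one, entry by entry.

Added example, not code from the original post.  Whole-file checksums of a
signed APK never match a local build, so hash every zip entry except the
signature files and report what differs.  Assumption: both builds used the
same toolchain, so identical sources yield identical entries.
"""
import hashlib
import io
import zipfile

# Entries that legitimately differ between an unsigned local build and the
# signed store copy (v1 / jarsigner-style signature files).
SIGNATURE_ENTRIES = ("META-INF/MANIFEST.MF",)
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name):
    """True for the manifest and signature block files under META-INF/."""
    if name in SIGNATURE_ENTRIES:
        return True
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)


def entry_digests(apk_bytes):
    """Return {entry_name: sha256_hex} for every non-signature, non-directory entry."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(local_apk, published_apk):
    """Return (matches, report).

    report lists entries only in one side and entries whose content differs;
    matches is True only when all three lists are empty.
    """
    local = entry_digests(local_apk)
    published = entry_digests(published_apk)
    report = {
        "only_in_local": sorted(set(local) - set(published)),
        "only_in_published": sorted(set(published) - set(local)),
        "modified": sorted(n for n in local if n in published and local[n] != published[n]),
    }
    return not any(report.values()), report


def make_apk(entries):
    """Build an in-memory zip from {name: bytes}; used for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample input (not real APKs): what a local build would produce.
_SOURCE_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='org.example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "res/layout/main.xml": b"<LinearLayout/>",
}
LOCAL_BUILD = make_apk(_SOURCE_ENTRIES)

# Same content, plus the signature files the uploader adds: should match.
PUBLISHED_CLEAN = make_apk({
    **_SOURCE_ENTRIES,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82\x00\x00",
})

# Tampered: classes.dex altered and an extra native library slipped in.
PUBLISHED_TAMPERED = make_apk({
    **_SOURCE_ENTRIES,
    "classes.dex": b"dex\n035\x00" + b"\xff" * 32,
    "lib/armeabi/libextra.so": b"\x7fELF",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82\x00\x00",
})


if __name__ == "__main__":
    for label, published in (("clean", PUBLISHED_CLEAN), ("tampered", PUBLISHED_TAMPERED)):
        ok, report = compare_apks(LOCAL_BUILD, published)
        print(label, "MATCH" if ok else "MISMATCH", report)
```

The report, not the boolean, is what you want to read: a build that is merely non-deterministic shows up as a "modified" classes.dex or resources.arsc with nothing new added, whereas an injected payload shows up as extra entries or changed code alongside untouched resources. Newer APK signature schemes store the signature in a block outside the zip entries rather than as META-INF files, which this entry-by-entry comparison simply ignores, so the same approach still applies.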