Yes, although MD5 and SHA-1 both have issues with hash collisions, being
replaced by SHA-2 and SHA-3.

Being that these hash algorithms were written by a known adversary, the
NSA, one attack vector would be for an adversary to replace the binary
published on the Google Play store with a rebuilt binary with the same hash
but a vulnerability that makes it easier to break end to end encrypted
messages. Finding two simultaneous hash collisions (MD5 and SHA-1) seems
extremely difficult, though not impossible by the author of the algorithms
who may have thought of this and built in hash correlation.

A way to verify against this scenario is to compare PGP signatures of the
binary to make sure it wasn't modified in transit. This still assumes you
trust their published public PGP key and the PGP algorithm (it's the best
we've got that is commonly used).

That said, an easier attack vector is to build in a security hole into the
hardware or Android, so it's probably not worth worrying about double hash
collision.

On Dec 24, 2016 11:15, "Shankar Kulumani" <***@gmail.com> wrote:

They have provided functions to ensure reproducible builds for Android, not
sure if the same exists for iOS.

https://whispersystems.org/blog/reproducible-android/

You can look into the properties of the hash functions. It's generally not
possible to have two inputs with the same hash outputs.