Android's package manager verifies app signatures and uses versionCode to provide downgrade protection. The signing key for each installed app is pinned and can only be changed via an authorized rotation.
source.android.com/security/apksi
This enables having a decentralized trust model.
Conversation
Historically, Google's Play Store used a decentralized trust model of shipping apps signed by the developers.
In an OS with Google apps and services integrated, the Play Store is granted the ability to do background app installs / uninstalls but cannot bypass the signing checks.
1
10
Google has been moving away from this to an approach matching Apple. Developer keys will only be used to verify uploads of bundles used to generate packages signed by the app store.
Amazon and the official F-Droid repository also centralize trust, just without the optimizations.
6
1
12
Replying to
Are there any plans for GrapheneOS to provide its own F-Droid-like app store with improved security & decentralization?
1
Replying to
There are plans to provide a modern app install/update system for first party apps / components. It would be for our own projects including forks of existing apps. It wouldn't support arbitrary repositories and we won't be shipping third party apps through it.