@jak2k that's correct: all from their official distributions, signed by their own keys, and several additional checks applied on top to make sure they're as safe as possible: signing keys pinned, library checks, manifest checks, signing block checks, and much more; see e.g. https://android.izzysoft.de/articles/named/iod-scan-apkchecks?lang=en @GrapheneOS