That’s a bad advice you don’t know how they are updating it. If it is added in the repo then package manager will check the signing key but if it is an in app update then that may not be verifying the new package and if someone is doing MITM they can switch it up
That’s a bad advice you don’t know how they are updating it. If it is added in the repo then package manager will check the signing key but if it is an in app update then that may not be verifying the new package and if someone is doing MITM they can switch it up
I don’t think it’s bad advice for most people. Maybe it’s just bad advice for your treat model