"Who signed this file" links to some API endpoint gobbledygook. What's worse: clicking on it leads to a page that says "certificate expired."

"Just trust us" can't be the solution when 100% of smartphone cybersecurity advice for normies is "For the love of God, DON'T INSTALL APPS from unknown sources."