Comment by rixed

> which is widely promoted as being good security practice

Maybe that's the mistake right there?

It is a good practice only as long as you can trust the remote source for apps. Illustration: it is a good security practice for a Debian distro, not so much for a closed source phone app store.