Comment by Wicher
2 hours ago
This is kind of already the case on Android.
If you've installed RealActualBankApp (with the ID of real.actual.bank.app) once (from whatever source!) then there cannot be another app installed with that same id but signed with a different public key (oversimplified version of the story, there is a key rollover scheme).
You can however install an imposter app that's also called RealActualBankApp, with the same icon. It'll need to go by a different ID.
So then we're down to the same problem, or pseudo-problem, of identity confusion, as we have for banking website URLs. Where is the ID/URL shown, and does the user know that it should be mybank.com and not mybank-incorporated.com ?
Android Key Attestations are bound to the app that minted the key, so this does prevent a fully-functional clone from working if they use attestation during auth. But it doesn't prevent a fake app that only exists to phish credentials.