I was just about to post about this. Thanks for beating me to it, Manoj! (As with my previous article, I ran it by the /e/ devs first, for corrections.)
I want to mention a couple of things that are not in the article (yet):
- The domain name for each PWA is shown as the “package name” field at the bottom of the app details page. So users can check that their Telegram PWA isn’t coming from hax0r.org. It’s easy to miss, though; I think PWA URLs ought to be displayed prominently.
- Untested hypothesis: even though CleanAPK no longer sits between the user and Google Play, it may be able to block updates to Google Play apps. This is because if an application is included in both CleanAPK’s and Google Play’s API responses, only the CleanAPK result is displayed to the user. CleanAPK could present a past version of a specific Google Play app to specific users in order to keep them from updating. I have not checked this; I suppose the updater logic could be different from the what-the-user-is-shown logic, so App Lounge might grab the update from Google Play anyway. /e/ devs may want to check this, at least if their plan to cut out CleanAPK completely is not close to being achieved.
Lastly, I highly recommend checking out https://accrescent.app/ - a new app store with great security features that /e/ devs may be able to take a few ideas from.