kbsso at some stage (I think, esp for mobile-apps) they have to verify their app-identity reliably - fwiw, android has gone down the route of using their pubkey signatures as providing this proof. It happens to be implicit on android, simply because the platform was set up this way...
