There is a big jump from a website to mobile and desktop wallets! When you open a website you have no idea what you are running or what you are sending to that website's servers, and you have no way of knowing. But with a desktop/mobile wallet you have the choice to download and install what is open source, so you can verify that it is not doing something malicious.
Yes, I know the advantages of open source compared to the other one. But how can you be sure that the app you're going to install is the same one, or has the full copy of the code that is publicly available for viewing on GitHub, since you're going to install the app from the App Store or Play Store?
Because what I have in mind is, the developers or anyone can update the code of the app (maliciously or not) and then upload it to these mobile distribution services using their compromised accounts, without updating the code on GitHub, of course.
Is this possible? How can it be avoided without downloading the app first just to try it and becoming the first victim?