In Mycelium, the user does according to the source code but with any binary from google play, the user has to trust the developer with his funds so for me the first question would be, who is the developer and then who holds the keys.