...and after they're done
"it commissioned the NCC Group to carry out an independent security assessment to confirm the application doesn't track user behaviour or store any age verification data."
...and after the assessment is done, what's to stop them from swapping in the *real* code?