We run an indexer that gets data and artifacts from various repositories. It can be slow sometimes, but it's improving - in quantity and speed.
All data is written to wss://relay.zap.store and https://cdn.zap.store (a blossom server). At the moment both are read-only for everyone except this pubkey.
The zap.store Android app fetches data from that relay which for now is hardcoded. Why? First reason is security: we do not have all the tools in place yet to let users confidently determine the trust profile of an app, so we're effectively curating. And second is UX: the NIPs for apps and releases are new and in flux, having control over the relay allows us to fine tune without causing many issues.
Once we progress with all that we will let users choose their own app relays. So you are right that it's not fully permissionless today, although you could definitely fork app and relay and run your own. But it will soon be.
quotingzap.store (npub10r8…t2p8) Nice app but I don't understand where is the apk sourced? Right now Obtainium give an update for Molly, from Github, but Zap.store is still not showing the update.
nevent1q…f6zr
Also you say that it's permissionless, how can I add an app? Is it only dev that can add an app or anyone?