It doesn't but if you are provided a malicious update to an already installed app android handles the verification and will prevent the installation of the update if it was not signed by the developer. The first installation is only time you usually risk a mitm attack