The apps are signed, so it's possible to compare signatures against the originals. I haven't seen any reports of signatures not matching from APKPure, though it's certainly possible.
But more importantly, what's the actual threat vector here? This isn't his personal phone. Just don't connect the tablet to your Wi-Fi. What's it going to do, sneakily increase your temperature by 1 degree?
AFAICT you need to have it connected to the internet so that their phone app can connect (presumably via cloud servers) to the control tablet and provide controls from your phone in and out of the house.
Also, if you want to integrate the air-con with general smart home stuff.
Android doesn't surface app signatures beyond requiring that updates share the same signature while the original is installed. I thought a potential app could exfiltrate data, voice, do crypto mining, act as an unauthorized VPN exit node for commercial VPNs or cyberattacks, etc.