Can you trust ProtonApps.com?
I've recently signed up to the privacy-preserving service Proton. All the email, calendar, drive, VPN, and other services seem to hang off the proton.me domain.
I wanted to download the Android apps to my phone - without using the Google Play Store. The VPN app is on F-Droid but none of the others are. So, because I'm lazy, I Googled "Download Proton Mail".
I landed on https://protonapps.com/.
It looks like a genuine site. But is it? .me is signed by Let's Encrypt, whereas .com is signed by Amazon. There is no link from Proton.me to ProtonApps.com. There's nothing I can find that shows it is genuine.
But, let's assume for the moment, that it is legitimate. What happens when you try to download the Android apps from it?
- The email app page links to the ProtonMail repository on GitHub - there's no link from the .me site to their GitHub. But I'm reasonably sure that's them.
- The VPN app page leads to a different GitHub organisation! I don't know why there are different organisations. It isn't linked to from the .me site, nor from the https://protonvpn.com/ site (yet another domain!)
- The calendar app page links to ProtonMail.com - is that them? The .com redirects to the .me, but anyone can set up a redirect.
- The drive app page and the Pass app page do both link to Proton.me!
So there are multiple domains - Proton.me, ProtonApps.com, ProtonMail.com, ProtonVPN.com - and there are at least 2 different GitHub organisations.
How do you tell which ones are legitimate? I signed up and paid on the .me page - so I have high confidence in it.
The official Proton Mastodon account says the ProtonApps.com site is legitimate (and the Mastodon account is verified by the .me site). But you can't expect users to chase through a dozen different pages and enquire on social media just to verify which page is safe.
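One way to automate the cross-link check described above (does the site you already trust link out to a candidate domain, and does it explicitly claim it with rel="me"?), as an added example that is not part of the original post; the HTML below is constructed for illustration, not copied from proton.me.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the landing page of the domain you already trust.
TRUSTED_ORIGIN = "https://proton.me"
TRUSTED_HTML = """
<html><body>
<a href="https://protonvpn.com/download">VPN downloads</a>
<a href="/mail">Mail</a>
<a rel="me" href="https://mastodon.social/@protonmail">Mastodon</a>
<a href="https://github.com/ProtonMail">Source code</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect every <a href> on a page, noting which carry rel="me"."""
    def __init__(self):
        super().__init__()
        self.links = []  # list of (href, is_rel_me)

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        href = a.get("href")
        if href:
            rel = (a.get("rel") or "").lower().split()
            self.links.append((href, "me" in rel))

def vouched_hosts(html, origin):
    """Hosts the trusted origin links to, plus the subset it claims as
    its own identity via rel="me" (the link Mastodon verifies)."""
    parser = LinkCollector()
    parser.feed(html)
    origin_host = urlparse(origin).hostname
    linked, rel_me = set(), set()
    for href, is_me in parser.links:
        host = urlparse(href).hostname
        if not host or host == origin_host:
            continue  # relative or same-site links vouch for nothing new
        linked.add(host)
        if is_me:
            rel_me.add(host)
    return linked, rel_me

def check_candidates(candidates, html, origin):
    """Map each candidate host to 'rel-me', 'linked' or 'unlinked'."""
    linked, rel_me = vouched_hosts(html, origin)
    return {h: "rel-me" if h in rel_me else "linked" if h in linked
            else "unlinked" for h in candidates}
```

An "unlinked" result does not make a domain malicious; it only means the trusted origin does not vouch for it, which is exactly the situation with ProtonApps.com above.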
This is my plea to all developers - simplify your customer-facing infrastructure to make your domains consistent & trustworthy.
Proton Mail said on mastodon.social:
@thisismissem Thanks, we'll pass the feedback along to the team.
nigel said on snac.lowkey.party:
Good call. These should be on subdomains, if anything. Much simpler.