[xani_]

Again, what stops malicious app B from just taking the A's id and presenting it to device ? token doesn't know who sent USB packet

[kfreds]

I'm not sure I understand your question.

If you're asking about applications running on the device (Tillitis Key) the answer is measured boot. You can read more on tillitis.se.

[stavros]

I think the app is installed on the stick itself, kind of like how you install coin apps on a Ledger.