From what you've written, it appears that you are guessing as to the implementation details that correspond to the mechanism for pushing random apps to phone, which is in this case means un-authenticated apps. There may be an entirely different method used than the standard push method from selecting an app on the website.