
A hacked fdroid server could "replay" old index.jar files known to have apps with vulnerabilities in it. That provides a long window of time for exploiting that vulnerability. By checking that the timestamp of an update is never older than the current index, this attack is prevented.