It seems to use the play integrity API when communicating with Insulet's servers which provide a private key to the PDM/app once it was registered with the user's account. However since the Pod doesn't have access to the internet, it has no way to check the play integrity signature AFAIK, so instead it checks that the certificate that the PDM/app presents to it is issued from the cert chain that it trusts.