diff --git a/README.apps.md b/README.apps.md new file mode 100644 index 000000000..bdb13e9d0 --- /dev/null +++ b/README.apps.md 
@@ -0,0 +1,57 @@ +The policy defines multiple types and attributes for apps. This document is a +high-level overview of these. For further details on each type, refer to their +specific files in the public/ and private/ directories. + +## appdomain +In general, all apps will have the `appdomain` attribute. You can think of +`appdomain` as any app started by Zygote. The macro `app_domain()` should be +used to define a type that is considered an app (see public/te_macros). + +## untrusted_app +Third-party apps (for example, installed from the Play Store), targeting the +most recent SDK version will be typed as `untrusted_app`. This is the default +domain for apps, unless a more specific criteria applies. + +When an app is targeting a previous SDK version, it may have the +`untrusted_app_xx` type where xx is the targetSdkVersion. For instance, an app +with `targetSdkVersion = 32` in its manifest will be typed as `untrusted_app_32`. +Not all targetSdkVersion have a specific type, some version are skipped when no +differences were introduced (see public/untrusted_app.te for more details). + +The `untrusted_app_all` attribute can be used to reference all the types +described in this section (that is, `untrusted_app`, `untrusted_app_30`, +`untrusted_app_32`, etc.). + +## isolated_app +Apps may be restricted when using isolatedProcess=true in their manifest. In +this case, they will be assigned the `isolated_app` type. A similar type +`isolated_compute_app` exist for some restricted services. + +Both types `isolated_app` and `isolated_compute_app` are grouped under the +attribute `isolated_app_all`. + +## ephemeral_app +Apps that are run without installation. These are apps deployed for example via +Google Play Instant. These are more constrained than `untrusted_app`. + +## sdk_sandbox +SDK runtime apps, installed as part of the Privacy Sandbox project. These are +sandboxed to limit their communication channels. 
+ +## platform_app +Apps that are signed with the platform key. These are installed within the +system or vendor image. com.android.systemui is an example of an app running +with this type. + +## system_app +Apps pre-installed on a device, signed by the platform key and running with the +system UID. com.android.settings is an example of an app running with this +type. + +## priv_app +Apps shipped as part of the device and installed in one of the +`/{system,vendor,product}/priv-app` directories. +com.google.android.apps.messaging is an example of an app running as priv_app. +Permissions for these apps need to be explicitly granted, see +https://source.android.com/docs/core/permissions/perms-allowlist for more +details.
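Review bot: the selection order between the app domains is never stated, which matters most in the `platform_app` / `system_app` / `priv_app` section of this hunk: an app signed with the platform key can match the `platform_app` description and, if it also runs with the system UID, the `system_app` description, and the reader is left to guess which wins. The `untrusted_app` section says it is "the default domain for apps, unless a more specific criteria applies", so please add one sentence there (or a short precedence list at the end) saying how the more specific criteria are ordered, and point at the policy file in private/ that actually performs the assignment, the same way `public/untrusted_app.te` and `public/te_macros` are referenced. A few grammar fixes while you are there: "unless a more specific criteria applies" should read "unless a more specific criterion applies"; "Not all targetSdkVersion have a specific type, some version are skipped when no differences were introduced" should read "Not all targetSdkVersion values have a specific type; some versions are skipped when no differences were introduced"; "A similar type `isolated_compute_app` exist for some restricted services" should read "exists". In the `priv_app` paragraph, "installed in one of the `/{system,vendor,product}/priv-app` directories" is presented as an exhaustive list; if partitions other than those three carry a priv-app directory on current builds, say "such as" rather than "one of", so the README does not go stale when a partition is added.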