Publish your app with a hash, have third-party auditors audit the release with said hash, and when using the app, hash it client side and make sure it lines up. Badda bing, badda boom.
Also, this was a fun discussion that relates to this topic (and to self-deployment).
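
The check described in the comment above, sketched as an added example (not part of the original comment): the client hashes the release it holds, compares it with the published digest, and also requires that enough auditors attested to that exact digest. The auditor names, the `verify_release` function, the quorum of two and the sample builds are all assumptions constructed for illustration; attestations are assumed to arrive over a channel independent of the download and to be authenticated already.

```python
import hashlib
import io

def sha256_stream(fileobj, chunk_size=65536):
    """Hash a release artifact in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def verify_release(fileobj, published_digest, attestations, required_auditors=2):
    """Return (ok, reason).

    attestations: {auditor_name: digest_that_auditor_reviewed}. Assumed to be
    fetched separately from the download and already authenticated
    (for example signature-checked); that step is out of scope here.
    """
    local = sha256_stream(fileobj)
    published = published_digest.strip().lower()
    # Step 1: the bytes we hold must be the bytes the publisher announced.
    if local != published:
        return False, "local digest does not match published digest"
    # Step 2: count auditors who reviewed exactly this digest, not just "the app".
    matching = sorted(
        name for name, digest in attestations.items()
        if digest.strip().lower() == local
    )
    if len(matching) < required_auditors:
        return False, (f"only {len(matching)} of {required_auditors} "
                       "required auditors attest to this digest")
    return True, "verified; audited by " + ", ".join(matching)

# Constructed sample data: two builds and three hypothetical auditors.
AUDITED_BUILD = b"app v1.0 release bytes (constructed)"
TAMPERED_BUILD = AUDITED_BUILD + b" + extra"
PUBLISHED = hashlib.sha256(AUDITED_BUILD).hexdigest()
ATTESTATIONS = {
    "auditor-a": PUBLISHED,
    "auditor-b": PUBLISHED.upper(),  # formatting differences are normalised
    "auditor-c": hashlib.sha256(b"an older build").hexdigest(),
}

if __name__ == "__main__":
    print(verify_release(io.BytesIO(AUDITED_BUILD), PUBLISHED, ATTESTATIONS))
    print(verify_release(io.BytesIO(TAMPERED_BUILD), PUBLISHED, ATTESTATIONS))
```

The second step is what catches a publisher-side swap: a digest that matches the download but that no auditor reviewed still fails.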