Inspect the source code and build the APK yourself. There is a file integrity hash check and an APK certificate hash check but Android enforces this validation anyway. For first installs you're choosing to trust AppVerifier and not zap.store, that's okay. I can't change who you trust. However, developers will start signing apps via nostr events so on zap.store you'll be able to check that with your web of trust (via a service or manually)