The app could be hosted from just about anywhere. GitHub, a Blossom 🌸 server, or whatever, and signed with a PGP key or nsec when listing it on zap.store, and your web of trust on Nostr can be used as a measurement of the trustworthiness of that key.