Reproducible builds solve that.

So now we no longer have to face the choice between trusting one app (the app store itself) with thousands of eyes on it vs cumulatively trusting dozens and dozens of individual app devs including some weird niche apps that only you need, any of which could’ve included malware. We can know that the APK the dev built and the APK the app store built and the APK any security-conscious third party can build are all exactly the same and built from the same source dist.