There have been discussions about hardware DB keys, but these security features of course assume that users have the correct original software on their devices. If this isn't the case, then messages could be leaking.
Some general background.
Play Store, so far as I know, isn't solely located in jurisdictions free of secret court orders, although there are servers for different regions. Distributed software sometimes does vary, depending on the IP address from which it is requested. I have experienced this when doing MD5 checks myself.
Play Store also has a serious weakness: it works by using Google account login, so even if you download over Tor you can't be completely anonymous, and you will have difficulty creating any Google account using Tor.
So Play Store might not be advisable if you think you may have been adversely profiled.
In addition, there is also the possibility that HTTPS can be intercepted and compromised. https://www.eff.org/deeplinks/2011/10/how-secure-https-today Either issue might affect users targeted by IP address and not using Tor.
Downloading as an APK file at least gives the possibility to check the hash sum. Also, downloading over Tor will make it difficult for individual users to be targeted.
So, given these considerations, and that APK files may be used frequently, I think it is probably important to have file hashes readily available on a website. Will this be the case?
I am also wondering if there is a way to do an application integrity check from a console as root? Perhaps a small script could be available for this purpose? System file checks can be a good added level of security. I would like to think the application could do this automatically for all users, but it seems this might be difficult to guarantee, and the only really secure way would be via the console. Has anyone any ideas on this?
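One way to do the hash check asked about above, as an added example that is not part of the original post or the project's own code: a POSIX shell script that compares an APK's SHA-256 digest with a published one. It uses SHA-256 rather than the MD5 mentioned in the post, assumes `sha256sum` or `openssl` is installed, and all function names are hypothetical; `installed_apk_path` only works in an Android shell where `pm` exists.

```shell
#!/bin/sh
# Added example: compare an APK's SHA-256 digest with a published value.
# Function names are hypothetical; package names and digests are supplied by the user.

# Print the lowercase hex SHA-256 of a file, using whichever tool is available.
apk_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    else
        return 3
    fi
}

# Resolve the first APK path of an installed package (Android shell only).
# Assumption: the first line reported by `pm path` is the base APK.
installed_apk_path() {
    pm path "$1" 2>/dev/null | sed -n 's/^package://p' | head -n 1
}

# verify_apk FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 on bad input, 3 if no hash tool exists.
verify_apk() {
    file=$1
    # Normalise the published digest: strip spaces/colons/newlines, lowercase.
    want=$(printf '%s' "$2" | tr -d ' :\t\r\n' | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # Accept only a full 64-hex-digit SHA-256 value, so a truncated digest
    # or a shorter MD5 value cannot pass by accident.
    case $want in
        ''|*[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "expected digest is not SHA-256" >&2; return 2; }
    got=$(apk_sha256 "$file") || return 3
    if [ "$got" = "$want" ]; then
        echo "OK $file"
        return 0
    fi
    echo "MISMATCH $file: got $got" >&2
    return 1
}

# Stand-alone use: sh verify_apk.sh FILE EXPECTED_HEX
if [ "$#" -eq 2 ]; then
    verify_apk "$1" "$2"
fi
```

On a rooted device the installed copy can be checked with `verify_apk "$(installed_apk_path PACKAGE_NAME)" EXPECTED_HEX`. The result is only as trustworthy as the channel over which the expected digest was obtained.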