Devices should offer a local signing cert, where you can sign an app for that device only. Then make the app signing process enforce binding agreement that you assume all responsibility related to the app.