What are these "site operators" that you speak of? If Facebook or Google or Twitter is publishing a native app, they can embed any credentials/certs/keys etc. they want into their app. It's not a great leap to think of a cert/key renewal mechanism via DNSSEC or some other proprietary mechanism.
Essentially, it's the same as Google pinning their certs in the Chrome browser. Except, since you control both end points (your app and your own servers), you don't have to participate in the broken (trust-based) PKI system at all.