What is the best practice for packaging your custom app with custom permissions, so that an administrator who installs the app doesn't have to do too much work on the security end and all users have access to the app directly?
Ideally, you would just include permission sets, and all would be well. But it depends on whether you are trying to include permissions for standard objects, or just custom objects, tabs etc. If you have a self-contained app with no references to standard objects, a permission set SHOULD work. But if you have references to standard objects, be careful with permission sets – they have been known to cause internal server errors when installing a package. I would suggest adding some permission sets, and then creating a beta package to check (a) the package installs and (b) the permission set is maintained in the target org (I have seen it where the permission set is there, but nothing is checked in the target org).
You can certainly include a Profile, but permission sets make more sense for most apps. If you can't include one, I would at least document what it should contain so an admin can build one in their org.
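One way to act on the standard-object caveat above before building the beta package, as an added example that is not code from this thread: a small Python check that lists the standard objects and fields referenced by a permission set's metadata XML. The sample XML and the function names are constructed for illustration, and the list of custom API-name suffixes is an assumption covering the common cases.

```python
import xml.etree.ElementTree as ET

# Namespace used by Salesforce Metadata API files.
NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
# Assumption: API names ending in these suffixes are custom, everything else is standard.
CUSTOM_SUFFIXES = ("__c", "__mdt", "__e", "__x", "__b")

# Constructed sample permission set (not taken from any real package).
SAMPLE = """<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>My App User</label>
    <objectPermissions>
        <allowRead>true</allowRead>
        <object>Invoice__c</object>
    </objectPermissions>
    <objectPermissions>
        <allowRead>true</allowRead>
        <object>Account</object>
    </objectPermissions>
    <fieldPermissions>
        <field>Account.Rating</field>
        <readable>true</readable>
    </fieldPermissions>
    <fieldPermissions>
        <field>Invoice__c.Amount__c</field>
        <readable>true</readable>
    </fieldPermissions>
</PermissionSet>"""

def is_standard(api_name):
    """True when the object API name does not carry a custom suffix."""
    return not api_name.endswith(CUSTOM_SUFFIXES)

def standard_references(xml_text):
    """Return sorted (kind, name) pairs for entries that touch standard objects."""
    root = ET.fromstring(xml_text)
    hits = set()
    for el in root.findall("md:objectPermissions/md:object", NS):
        if is_standard(el.text.strip()):
            hits.add(("object", el.text.strip()))
    for el in root.findall("md:fieldPermissions/md:field", NS):
        # Field names are "Object.Field"; the object part decides standard vs custom.
        if is_standard(el.text.strip().split(".", 1)[0]):
            hits.add(("field", el.text.strip()))
    return sorted(hits)

if __name__ == "__main__":
    for kind, name in standard_references(SAMPLE):
        print(f"review before packaging: {kind} {name}")
```

An empty result means the permission set only touches custom components; anything listed is worth verifying in the target org after installing the beta package.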