Microcode Studio's Bootloader offers a distribution license for about $400 USD, and it includes the DLL library if you want to write your own interface and still use their bootloader core. I haven't purchased this yet but have been very tempted. I think you could write an app to encrypt/decrypt the hex file, then send it to the PIC using the DLLs. Of course, the serial data to the PIC is still vulnerable to capture. Also, you could distribute a simplified app with the update file already embedded.

I've been forever watching and searching for a secure bootloader. Unfortunately there seems to be no such beast on the market at present. Curious that no one offers this. My own programming skills/knowledge aren't quite up to tackling that yet, but I would certainly be willing to pay a few hundred dollars for a good reliable encrypted bootloader.