You can add app2's service account to the bucket's ACL list to allow the app access to the bucket.
First you need to find the app's service account name, which is listed in the Application Settings page in the Admin Console, but it's also just <app-id>@appspot.gserviceaccount.com.
Then add that account to the ACL for bucket-foo using gsutil acl ch, by adding app2's service account to the ACL list.
In the end it'll probably be something like this:
gsutil acl ch -R -u app2@appspot.gserviceaccount.com:WRITE gs://bucket-foo
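A way to confirm the result of the grant, as an added example that is not part of the original answer: the script below audits the JSON printed by `gsutil acl get gs://bucket-foo`, checking that app2's service account holds only the intended role and flagging any public grants. The sample ACL is constructed, the function names are hypothetical, and it assumes a `WRITE` grant appears in the JSON as role `WRITER`.

```python
import json

# Constructed sample of `gsutil acl get gs://bucket-foo` output (a JSON list of grants).
SAMPLE_ACL = """
[
  {"entity": "project-owners-000000000000",
   "projectTeam": {"projectNumber": "000000000000", "team": "owners"},
   "role": "OWNER"},
  {"entity": "user-app2@appspot.gserviceaccount.com",
   "email": "app2@appspot.gserviceaccount.com",
   "role": "WRITER"},
  {"entity": "allUsers", "role": "READER"}
]
"""

# Entities that make the bucket readable or writable beyond named principals.
PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}


def service_account_for(app_id):
    """Service account name in the <app-id>@appspot.gserviceaccount.com form."""
    return f"{app_id}@appspot.gserviceaccount.com"


def audit_bucket_acl(acl_json, app_id, expected_role="WRITER"):
    """Return (granted_role, findings) for the app's service account."""
    account = service_account_for(app_id).lower()
    granted, findings = None, []
    for entry in json.loads(acl_json):
        entity, role = entry.get("entity", ""), entry.get("role", "")
        if entity in PUBLIC_ENTITIES:
            findings.append(f"public grant: {entity} has {role}")
        if entry.get("email", "").lower() == account:
            granted = role
    if granted is None:
        findings.append(f"{account} has no grant on this bucket")
    elif granted != expected_role:
        findings.append(f"{account} has {granted}, expected {expected_role}")
    return granted, findings


if __name__ == "__main__":
    role, issues = audit_bucket_acl(SAMPLE_ACL, "app2")
    print("role:", role)
    for issue in issues:
        print("finding:", issue)
```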