top | item 5155015


0xABADC0DA | 13 years ago

> [Android] provide the isolation by creating a new user account for each app and by default apps get no permissions.

That's ok, but if the app ever manages to get more permissions then it may be able to keep them (set-uid shell for example, or keeping a socket open past being permitted to use the network, or holding some token, etc). I don't know how much of that you can do with Android per se, but in general it's not enough to use programmatic permissions like that.

Another factor necessary for security is non-interceptable input. This is part of why iPhone has a physical button for going to the home screen, so that it is not possible to fake a home screen. With a software button some app could go fullscreen and present a bogus button and then use a fake home screen to trick users (it wouldn't be easy but possible).

So a huge missing factor on desktop OSes is missing hardware support for input to the OS. Windows kind of has this with ctrl-alt-del, where you can log in without any possible fake login screen. Instead of "calculator" or "play/pause" there should be special buttons that only input to the OS and are not readable by applications. For instance instead of a Gnome dialog box asking for your password to approve some change the user should press the "secure ok" key on the keyboard.
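As an added illustration of the retained-permission point in the comment above (this is example code, not part of the original post): POSIX checks file permission at `open()`, not at each `read()`, so a handle acquired while allowed keeps working after `chmod` "revokes" access; the only effective revocation is having whoever enforces policy close the handle. The temporary file and its contents are constructed here.

```python
import os
import tempfile


def demo_retained_access():
    """Permission is checked when access is acquired, not on every use.

    A process that obtained a handle while permitted keeps it after the
    permission is withdrawn; only closing the handle actually revokes access.
    Returns a dict of observations so the outcome can be checked programmatically.
    """
    # Constructed sample file (not from the original post).
    fd, path = tempfile.mkstemp()
    os.write(fd, b"secret")
    os.close(fd)

    # 1. Acquire access while it is permitted.
    retained = open(path, "rb")

    # 2. "Revoke" the permission afterwards: clear every mode bit (chmod 000).
    os.chmod(path, 0)

    # 3. The already-open handle still works: access was retained past revocation.
    retained_read_ok = retained.read() == b"secret"

    # 4. A fresh acquisition is refused by DAC, unless the caller is root,
    #    whom discretionary file permissions do not restrict.
    try:
        with open(path, "rb"):
            fresh_open_denied = False
    except PermissionError:
        fresh_open_denied = True

    # 5. Real revocation: the enforcing component must close the handle.
    retained.close()
    try:
        retained.read()
        closed_read_denied = False
    except ValueError:  # "I/O operation on closed file"
        closed_read_denied = True

    os.chmod(path, 0o600)
    os.unlink(path)
    return {
        "retained_read_ok": retained_read_ok,
        "fresh_open_denied": fresh_open_denied,
        "is_root": os.geteuid() == 0,
        "closed_read_denied": closed_read_denied,
    }
```

The same logic applies to a socket opened while network permission was granted: the kernel does not re-check the grant on each `send()`, so a sandbox that only gates the initial grant has not really revoked anything.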
