And ofcourse the real security hole is that one can make application to ovi store, and which would check the existance of /usr/sbin/incept and if binary is found then incept malware into device, and if binary is not found then do nothing.

So 1st you should make /usr/sbin/incept to set and query some custom password to able to be run it (which would not be rootme ie force change of default passwd).