Microsoft's solution to this in Windows Phone 7 is sandboxing the application and only allowing a certain amount of API calls which the user must confirm. For example if an application wishes to send an sms, it invokes the SMS Api populating the phone number and message and then gives the user the option to confirm or deny.

The downside to this is that application customisation deep within the system is not possible however user security is quite high.