Many of the pages at this site rail against the wisdom or possibility of tacking security onto conventional operating systems. I want to extend this advice to the design of applications as well.

Today the application designer can only specify what his app will do on the assumption that it can be safely installed in a benign environment that will remain benign. It is foolish to specify that the app will guard a secret when all permanent storage on the target platforms is in files, the access rules to which are outside the purview of the application design. With a capability system and a facility such as the apartment, the application can indeed specify such security properties and achieve them in its code, which includes the installation mechanisms. As always the properties are relative to the particular platform upon which the app is installed, but a cap plus apartment system, properly implemented, allows such promises to be fulfilled.
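As an added illustration of the contrast drawn above (my own constructed example, not code from this site or from any capability system it describes), the following compares an app that keeps a secret in a file it names by path with one that keeps it in storage designated only by an object reference handed over at installation. The `Slot`, `SecretKeeper` and `install_*` names are hypothetical; the point is that in the first design the guarding promise depends on access rules outside the app, while in the second the app's own code determines who holds the reference.

```python
"""Ambient authority versus capability discipline, a constructed illustration.

Hypothetical model: an 'app' that must guard a secret. In the ambient version
the secret lives at a well-known path that any code in the process can open.
In the capability version the installer creates the storage and hands the only
reference to the keeper; other code can ask the keeper to check a guess but
cannot designate the storage by name.
"""
import os
import tempfile
from typing import Optional


# --- Ambient-authority design: storage is a file, access rules live elsewhere ---
class AmbientSecretKeeper:
    def __init__(self, path: str):
        self.path = path

    def store(self, secret: bytes) -> None:
        with open(self.path, "wb") as f:
            f.write(secret)


def unrelated_code_reads_by_name(path: str) -> bytes:
    # Anything that can name the path gets the bytes; the app could not promise otherwise.
    with open(path, "rb") as f:
        return f.read()


def ambient_demo(secret: bytes = b"hunter2") -> bytes:
    """Install the ambient keeper in a temp dir and show what unrelated code can read."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "secret.bin")   # constructed well-known location
        AmbientSecretKeeper(path).store(secret)
        return unrelated_code_reads_by_name(path)


# --- Capability design: storage is reachable only through an object reference ---
class Slot:
    """Hypothetical storage slot: no name, no path, reachable only by reference."""
    __slots__ = ("_data",)

    def __init__(self) -> None:
        self._data: Optional[bytes] = None

    def put(self, data: bytes) -> None:
        self._data = bytes(data)

    def get(self) -> Optional[bytes]:
        return self._data


def install_capability_keeper(secret: bytes):
    """Installer creates the slot and gives its only reference to the keeper closure.

    Returns only a narrow interface (a verifier), never the slot itself.
    """
    slot = Slot()          # the sole reference lives in this frame
    slot.put(secret)

    def verify(candidate: bytes) -> bool:
        # Attenuated interface: reveals one bit, never the stored bytes.
        return slot.get() == candidate

    return verify


def outsider_can_read(verify) -> bool:
    """Code holding only the verifier has no way to designate the slot."""
    # The interface it was given exposes no reference to the storage.
    return hasattr(verify, "slot") or hasattr(verify, "get")


def capability_demo(secret: bytes = b"hunter2") -> tuple:
    verify = install_capability_keeper(secret)
    return verify(secret), verify(b"wrong"), outsider_can_read(verify)


if __name__ == "__main__":
    print("ambient: unrelated code read", ambient_demo())
    print("capability: (correct, wrong, outsider_reads) =", capability_demo())
```

The ambient version leaks the secret to any code that can name the path; the capability version hands out an attenuated verifier, and whether anyone else can reach the slot is decided entirely by what the installer chose to pass on.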

An app designed for such a capability platform will find it natural to make and keep such promises. This is what I tried to say here and here a few years ago.