Untrusted Java apps - and suspicious end users
Now that I've started writing little apps for phones, I occasionally get excited by one, and send a link to some people.
They get an SMS from me with an URL ending .jad, and a message urging them to install, and run it.
Some do, some don't - I suspect because they're suspicious about it.
Hell, if I didn't know about phones, and permissions, I wouldn't. No way. I'm far too suspicious when it comes to things like that.
However, untrusted apps, (that is, apps that aren't signed by either the phone manufacturer, or the network operator) are very limited by what they can do. (And those that are have their source code audited by those organisations first.)
Everything has to be confirmed with the user first.
On my Nokia, there is no way, for example, of sending SMSes without the users approval every single time. Filesystem access is restricted, network access is restricted, using the camera is restricted.
So a lot of the fears - perhaps that the app will send non-stop SMSes to a premium rate number, or might activate the microphone and spy on you - are unfounded.
To see the sorts of protections your phone implements, you probably have a security manager. On my N80, it's in Tools, App Manager. Run that, pick an app, and view the settings. You'll find most of them have only "Deny", or "Ask every time" as options, with a few having "Ask first time" as well. ("Ask first time" means ask first time the app is run - not just the first time ever.)
These restrictions sure as hell get in the way of writing apps. But I suppose they're needed.