Commit 65cf2611 authored by Valerie Aurora (Bow Shock)

Rearrange sections according to agreed vertical structure

parent f51c1802
+832 −870

File changed.

Preview size limit exceeded, changes collapsed.

+11 −0
# Random notes

**Discussion about risk factors**

Separate question for the application delivery mechanism:
1. App is not preinstalled, but by default gets installed during initial configuration by the user if the user always picks the preselected option -> IMHO part of the device, forcing installation later should not be an allowed trick to make the scope smaller.
2. Third party app is installed through the official app store/repository, but vetted less (or not at all) by the OS vendor. Do we want to require a vetting level indicator if the same source has multiple tiers of vetting?
3. Third party app is installed through the official app store, but does not use that app store for updates, instead preferring its own update delivery mechanism. Is that something we should warn against?
4. App installation requires the user to agree to certain privileges/permissions for the app. If the app later on wants more/other permissions, are those granted implicitly (motivation: user has already installed the app, keep it working) or is explicit consent by the user necessary?
5. If the OS changes the way how app permissions are handled (bluetooth access suddenly needs location permission), should the OS guess the intent of the user or should the user be re-asked all the permission questions?

Aeva: Carl-Daniel's comment could also apply to enterprise computers (laptops, desktops, servers) -- most also contain a second OS for remote management.

The fundamental types of attack of an OS are:

* Local threats: Running code on the platform of the OS that results in unauthorized access to assets
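
Review bot: Item 1 of the numbered list carries an unattributed opinion ("IMHO part of the device"), while the next paragraph is attributed to Aeva and refers to "Carl-Daniel's comment", which nothing in these lines labels. If the list is his, prefix it with his name as is done for Aeva, so the reference resolves and readers can tell discussion input from agreed text. The list also starts directly under "Separate question for the application delivery mechanism:" with no blank line, which some Markdown renderers will not treat as a list, so add one. Finally, the commit message describes a rearrangement, but this file only gains lines (+11 −0); if they were moved from the collapsed file, say so in the message so the move can be checked against it.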