Placing the reference monitor in another application: Our approach embeds the reference monitor directly in the untrusted application. Alternatively, one could place the reference monitor in a separate application. The advantage of this approach is that the user could then remove all permissions from the untrusted application, which would instead delegate every API call that requires a permission to the reference monitor application. Even though this approach has the desirable fail-safe default property, it suffers from several disadvantages