There might have been a restriction on originating (making) calls (voice or data) from mobile phones without an explicit user permission i.e. a window would pop-up, asking the user to press 'Yes'/approve or 'No'/cancel for a call attempt made by a software application on that cellphone/mobile. There seems though to exist API for making calls, voice calls and data calls, on various embedded OS like WM, Symbian and Android. Do they require a user button-press then?
This is about runtime security model.
When you develop a mobile application, you also make a list of the APIs it might want to use. If these APIs are protected by a "capability" or "permission", you need to declare it in the application manifest file or makefile.
Depending on the target handset security policy and the access your application requires you may need to have it signed by a trusted third party (verisign, geotrust, google, apple, your mobile network operator, your handset manufacturer...)
The J2ME security model is: the user is asked about API access based on who trusts your application (i.e: your mobile network operator checks that your application won't cripple their network, so it's OK to only ask the user once about whether (s)he doesn't mind being charged for data download).
The native Symbian OS security model is: your application will not install unless it is trusted by somebody with enough power (i.e.: only the handset manufacturer has enough power to trust a new hardware driver)
A non-jailbroken iPhone security model is presumably all or nothing: If apple trusts your application it can do whatever it wants.
I don't know whether anybody has actually made a partially-trusted Android application that isn't available on the Android store and that can be installed on an operator-subsidised android handset.