How is system security affected by App to App comunication, and component reuse?

Question

Whilst reading 'Gray Hat Hacking', I encountered this statement

Applications and operating systems use each others components, users download different code to extend functionality, DLLs are installed and shared, and instead of application-to-operating system communication, today many applications communicate directly with each other. This does not allow for the operating system to control this type of information flow and provide protection against possible compromises.

The questions that come to mind therefore are

1. Is this a reasonably acceptable description? I think the answer to this is 'Yes, it is'.
2. How/Why did computer system communication evolve this way? My guess is because ICT developed in bits and pieces across political, and corporate boundaries.
3. Assuming that the risks of a possible security breach in App-App communication are now universally recognized, are there any initiatives in existence to ensure that App-App communications are replaced by App-OS-App communication?
4. Is it even feasible to attempt to provide such a mechanism ( see (3) above )? One obvious drawback that I can think of is the logistical impossibility of authenticating a plethora of applications across versions, technological advances, OSes', Protocols ... to name just a few continually evolving factors

Answer 1

A few thoughts.

I think you could argue that the statement

instead of application-to-operating system communication, today many applications communicate directly with each other.

is misleading by the word direct. Applications still generally use operating system services to communicate with one another, usually network services.

Computer system communication evolved this way because there is value in collaborating applications sharing information, for example Facebook and your web browser, and data networks have matured and enabled this collaboration. Back in the day, most applications stood alone in their operating system, and some still today - think of a simple calculator or a notepad.

I do not know of any initiatives to force inclusion of the operating system in inter-application communication. An operating system abstracts system services for the use of an application. Instead, application-layer facilities have been created to enable security in inter-application communication, for example WS-Security allows web services to be secured.

It's not feasible for a general-purpose operating system to try and absolutely guarantee the security of arbitrary applications running on in - for a start, security isn't absolute, there are many facets (confidentiality, authentication, authorisation, integrity, etc.) It may provide facilities to applications (for example, logon facilites for users) and have facilities to protect itself from applications (as may the hardware underneath).