The other week I was allowing access to one of my online accounts to my wife's phone. This alone is not particularly noteworthy, but she is not the type to use a passcode, pattern, PIN, etc. to lock her phone. One swipe and you're in.
This is her choice. It's not one I like, so I removed the application and my authentication along with it once the task was done, but it had me thinking.
What if, at the API level, no application could be deployed through the usual avenues (Play Store, iTunes, etc.) which stored or persisted authentication information in any way if the device does not use a lock mechanism?
I realize that having to sign in to Facebook or Gmail every time you use your phone would be annoying, but that's kind of the point. Simply misplacing your phone would not expose you nearly as much to really, really simple threats.