Hacker News

I (and many others far more impressive than myself) am trying to solve this problem at a fundamental level: Give the developers tools that are secure-by-default (i.e. libsodium not mcrypt) and teach better development habits. Make it easier to do the secure thing than the insecure thing.

It might take years, but I believe these initiatives will trickle up and make the software everyone uses more secure at a base, so it will require less cognitive load from the end users to communicate safely with each other.

That's the idea, anyway. Time will tell if we can succeed.




Wouldn't you be better off solving it by sandboxing? Basically don't allow programs to do bad things in the first place rather than try and get all programmers to be perfect. Basically the web (and/or some phone OSes).


Sandboxing is good for stopping memory corruption and privilege escalation bugs. It's not very useful for problems affecting cryptography implementation flaws, logic errors, out-of-date software, etc.

Those problems are better solved by giving developers better tools and frameworks that solve these problems for them, that are simple to use and don't introduce massive security foot-cannons.

(This comment is a minor spoiler to my current project, I suppose.)


The problem with sandboxing is that "bad" has no formal specification. There are legitimate reasons to access contacts, intercept system calls or key presses, use raw sockets, etc.

If you try to make those things not possible then people who need them have to use a different platform, which tends to cause other people who need to interact with those people to use the same platform (and so on) until the original platform is in decline. And the effect is worse the more you lock things down. It doesn't help anybody to have an ultra-secure platform that nobody uses.


I completely agree! This is one of the reasons I'm bullish on Rust; in the long run it will be nice to have a (more-)secure-by-default systems level language.



