the trick is to limit the power of the sandboxed app, whilst still allowing a safe handshake. so some kind of message transport API where the native app has to say "i only expect apps with this identity to connect to me"