>Google will have to balance how to restrict Hover's permissions without crippling legitimate apps.
How about: "Don't let notifications look like an application" or "Notification windows always include the application name" or "No transparent notifications" or even "all notification overlays are logged along with the application they overlay" for after-the-fact checking.
Until an OS is built for the user rather than the producer, this kind of thing will be a problem.