
What is "capabilities" supposed to mean?



Funny how in the 90s security was an enterprise feature and now better security and cryptography than we had in the 90s is on every $15 Android phone.


Thank you :)


It means that the permission (capability) to do something is encapsulated into an unforgeable bearer instrument that can be stored, passed around and so on. An open file handle (descriptor on UNIX) is a capability, because if you have it you can use it to read and maybe write to the file, and because you can send it to another process, at which point that process also has the capability to read and write that file.

Capabilities are one of those concepts that's a bit like FP or RISC. It sounds elegant but in the real world experience is mixed, so it's rare for a system to rely on it purely. Most real security systems today are built on semi-static permissions granted to domains defined by some third party identity system. Capabilities do get used, but mostly in the sandbox context and mostly as a detail.

So I think Dan is not quite correct that mobile platforms use capabilities. Users assign permissions to specific apps semi-statically there. The lowest levels of the OS may use a small set of capabilities as part of the implementation, but granted permissions are not generally easy to send around to other apps.
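The file-descriptor case from the comment above, as an added example that is not part of the original thread: a parent hands a read-only descriptor to a child process over a Unix socket using `SCM_RIGHTS`. It assumes a Unix-like system; the function names and the sample file contents are constructed for illustration.

```python
import array, os, socket, tempfile

def send_fd(sock, fd):
    # SCM_RIGHTS asks the kernel to install a duplicate of fd in the receiver.
    anc = [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]).tobytes())]
    sock.sendmsg([b"F"], anc)

def recv_fd(sock):
    fds = array.array("i")
    _, ancdata, _, _ = sock.recvmsg(1, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[:fds.itemsize])
            return fds[0]
    raise RuntimeError("no descriptor received")

def delegate_read_only():
    """Return (child_could_write, bytes_child_read)."""
    parent, child = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:
        # Child: forked before the file existed, so it holds no descriptor
        # for it and never learns a path. The socket is its only route.
        try:
            parent.close()
            got = recv_fd(child)
            data = os.read(got, 64)
            try:
                os.write(got, b"x")      # capability is read-only
                writable = b"1"
            except OSError:
                writable = b"0"
            child.sendall(writable + data)
        finally:
            os._exit(0)
    child.close()
    fd, path = tempfile.mkstemp()
    os.write(fd, b"constructed sample contents")
    os.close(fd)
    ro = os.open(path, os.O_RDONLY)      # attenuated: read access only
    os.unlink(path)                      # no name left, only the descriptor
    send_fd(parent, ro)
    os.close(ro)                         # receiver's copy stays valid
    reply = parent.recv(128)
    os.waitpid(pid, 0)
    parent.close()
    return reply[:1] == b"1", reply[1:]

if __name__ == "__main__":
    print(delegate_read_only())
```

The child reads the data without any path lookup or permission check at the time of use, and its write attempt fails because the descriptor it was handed only carries read access.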


> What is "capabilities" supposed to mean?

"Is this app allowed to read your contacts?"



