
I think this is Apple's problem really. Path is just one of many apps that probably do this without asking you.

Ideally the OS should prompt you if an app wants access to your address book, just like it does for location.



Android apps must explicitly request a READ_CONTACTS permission. But even there, no one actually reads those permissions lists, and apps routinely ask for far more than they need. User authorization is a very weak security mechanism in the consumer space.


Like FB apps, even legit Android apps ask for the moon, with no option to dole out granular permissions.

"The Weather Channel" is a default icon suggesting a free download on the Kindle Fire.

It asks for:

    Set the wallpaper
    Send SMS messages
    Write to external storage
    Access info about Wi-Fi networks
    Access coarse location
    Initiate a phone call without going through the Dialer user interface for the user to confirm the call being placed
    Write (but not read) calendar data
    Read calendar data
    Required to be able to access the camera device
    Open network sockets
    Access fine GPS location
    Access vibration feature
    Access info about networks
    Record audio

I haven't installed it, so I have no idea why it should be able to silently dial out without my permission or send SMS messages.

If legit apps are demanding all this, then a Chinese weather app dialing those toll numbers in the Caribbean could do the same.


FWIW, if you have a rooted Android phone, you can install an app called "LBE Privacy Guard". It lets you install apps which require permission to send SMS, make calls, read contacts, access the network and a bunch of other things, but then prompts you when an app tries to do any of these things and lets you block/allow it temporarily/permanently.


CyanogenMod allows the user to remove specific permissions from specific apps. If more users used CyanogenMod, more app developers would become compatible.


From what I have seen you can only remove those permissions "late". I.e., you have to blacklist permissions, you cannot deny them right away. From my understanding this would not protect me fully since apps could do their thing before I disabled it.


As I understand it: They can't.

If you do not open them manually or restart your phone (if they have the permission RECEIVE_BOOT_COMPLETED), they are not executing. You can install them and revoke certain permissions before they are running for the first time.


Nice!

I also remember seeing that permissions were reset on reboot, but that might have been some other setup, not CM.


I use CyanogenMod and didn't know about this, nor do I think I or most folks will ever remember to do such things.


Why does a weather channel app require recording audio?


To allow them to monitor tornadoes in your area, obviously.


With FB apps, you can go into your App settings and revoke individual permissions that you don't want to give. They still have to be granted to auth the app, but at least you can clean it up very quickly and easily.


Sure, but if they're doing their job, by the time you can navigate there, they've already pulled your current data.


Where is this setting? This is the second time I've heard someone say you could do that but I cannot find any options like that. Settings just has Refresh interval and options to configure notifications.


Asking upfront is also a problem. Asking on demand is much more annoying to the user, but also makes them think about what the app is asking for - as opposed to a list of permissions at install time, which are skimmed over and then forgotten.


And Path has a precedent around asking more permissions than necessary: https://skitch.com/timothee/g911q/skitched-20120207-135815

For their Facebook Connect permissions, they ask for all the permissions… (that was true beginning of November, not sure they changed it since)


> But even there, no one actually reads those permissions lists, and apps routinely ask for far more than they need.

Lots of people do read those permission lists, and they are one of the most commonly referenced complaints in app reviews. A firestorm arose when an Angry Birds update inexplicably added the ability to send SMSes.

Further, it focuses a spotlight when an app does request a permission that seems out of place. Ideally when Google evaluates apps for their "staff's picks" (the "optional curation") they consider threat surface area.



