Re: Not just google
"I can't see how this could work securely unless the banking app could access my contacts."
In Android, it is possible to ask permission on a case-by-case basis, so the app could be blocked by default and ask for permission only when you actually try to use the service that requires the information.
That would, of course, encourage customers to think about security. Perhaps some banks reckon it is more profitable to scare away the security-conscious customers in favour of those who just do as they are told.