Re: Any developers in the house?
I'll take a stab at this as an Android developer.
First, the answer to any such question that begins with "is it possible" is most likely yes. The real question is how hard is it to subvert the security measures.
The way that Android permissions works is that it should not be possible to bypass the permissions the user sets. However, there are sometime multiple paths to get to the same data (your example of the Accessibility permissions is a good one), so users can be in a situation where they've denied permissions for one thing, but allowed a different permission that unknowingly allows access to the same data they intended to deny.
The Android permissions system is a bit of a mess in multiple ways. Carefully used, it is effective, but there are some gotchas in there that are easily stepped into by ordinary users. Also, the permissions are still too coarse -- you may want to allow an app a specific sort of access, but the app must be granted much broader permissions than just that in order to allow it the narrow access you want.
My general recommendation (this is what I do on my own devices) is to use a firewall to prevent apps from talking to the network at all by default, then whitelist the specific ones that you really need to be able to communicate. That way, errors in permissions-granting are less problematic. It doesn't matter if an app gets access to, say, your address book if that app can't transmit that data out of your phone.
Biting the hand that feeds IT
