As an app developer
OK, i've written an app.
It is free, and has adverts in it.
As a coder, this involves adding a jar file to the project and adding some code which displays the adverts. Now, my app does not request permissions to get contacts or texts etc as it has no need for these.
Assuming I wrote an app that did, then I assume that grants permission to the 3rd party ad library to do the same, since it is all part of my app. So could it be that developers of these apps don't even know that ad brokers are piggy backing on these permissions to get at the personal data?
I have no idea what other things this library is doing, but I imagine it would be quite easy for the 3rd party ad library to say:
// Show an advert and do nothing else (honest)
uploadAllContactsToTheCloud(); // shshshsh
// oh yeah, don't forget to show the add otherwise people might get suspicious
Be careful out there