To me, it’s gotta be the microphone
Internet
Root
This. Root allows an app to get any permissions and probably even disable all evidence of having them.
It actually allows the app to run as the OS itself.
Clearly the only right answer is Internet. Who cares about camera, mic or location when the app cannot send the data anywhere anyways?
Inter-app communication can go around it. And most OSes don’t block localhost connections either.
This depends on what you’re trying to defend against. In my opinion (on GrapheneOS):
- “Accessibility” permission (i.e. full control of the device)
- “Network” permission
- “Modify system settings” permission
- “Install unknown apps” permission
- Any permission that allows apps to communicate with one another (such as a reduced sandbox, file permission, or app communication scopes)
Those are the only permissions that I can think of off the top of my head that could potentially allow an app to phone home. Turning off Wi-Fi for the device does little if the app also has the “Wi-Fi control” permission.
Wifi in apps that have no reasonable need for it, because it’s basically location.
Drug dealer : Network - Location - Contacts
Facebook : I’ll take all
Facebook? More like FBI. Wouldn’t be the first time.
Location.