Ground breaking journalism here by John Leyden...
... Some people didn't get hacked by a 'hacker ring' that might have been one bloke, who didn't do anything. Hold the front page!
The hacker ring behind last week's celebrity nude self iCloud privacy flap also planned to use malware to obtain private photographs from compromised Android phones. The hackers swapped snaps on the /stol/ (short for “stolen”) forum on image board AnonIB, a spinoff of the notorious 4chan, including intimate snaps of Jennifer …
The best part is that nearly every Android app out there already requests INTERNET (for ads) and READ_EXTERNAL_STORAGE (a holdover from when phones had tiny /data partitions and physical SD cards, so it made sense to have a small app that downloaded large amounts of game data separately and put it on the SD card).
Yeah, we have that on iOS and Windows Phone. I'd actually be quite surprised if Android doesn't already allow it, at least as an option.
But it doesn't help.
Because virtually every app you install demands a long list of services, in tiny print - it's a chore just to read them. And there's no way to allow them selectively - it's all or none. Why does "Flappy Bird" need to know my location? - well, obviously, it might help to serve me ads, but does it do more than that with the info? I'll never know. (Or so I hope.)
Basically, after installing the first dozen or so apps, you're already trained to - if you're particularly conscientious - skim through the list looking for anything grossly offensive, such as "address book", and if it doesn't trip your red-wire warnings, tap "Allow". It's very scary, what can slip under that radar.
I understand Android L is going to revamp the way permissions are granted, but for now I'd recommend CyanogenMod's "Privacy Guard" feature, which lets you allow or disallow individual permissions for installed apps. Worth getting CM for that alone!