I agree. And at least as far as 5.1 lollipop, many permissions could be gotten around. It was easy for any app with no granted permissions at all to get things like mac address, and router mac address.
These days, the play store groups permission requests to make them "simpler" - grant a permission group, and any subsequent app update can specify any other app in that group and it will be granted without the users knowledge.
Oh, and internet access is a given now. I've seen all sorts of abuses by even "respectable" companies... It's all rather like the facebook situation, where facebook 'trusted' third-parties not to abuse overly permissive permissions.
It's intrinsic. The only way to have any chance of control is to block all apps internet access at the unix level, or via the router (though the latter option makes it harder to allow specific apps access!)
Biting the hand that feeds IT
