Android is a decade old. Our expectations of what apps would and wouldn't do, and would and wouldn't be capable of doing has changed. Back when the apps on my phone were in the range of being 400 KB to 600 KB, I don't think people even fathomed the complexity and power our devices are at right now, and their ability to secretly handle ever increasing amounts of our personal data without having a meaningful impact on device performance.
I never expected pine to upload my contact list (or email) to some third party server - or BitchX to steal my chat logs. Yet both programs could have done so.
The difference is that before Android, in the world of windows - we already had a culture of spyware bundled with freeware - as well as viruses/RATs - and plain malicious software -
that made it plain that simply allowing random code to execute in a context where it could read data and/or sensors (gps,mic,camera etc) would be a disaster.
There were to workarounds: stewardship (the Linux distro model, like software in debian main etc) or sandboxing.
Android chose too little of each, which essentially amounted to a false sense of security. And here we are.
It's not meant to be an excuse, Android has not aged well, and Google has done a poor job putting security at the forefront of their platform. Apple's taken a lot of flack over the years for making developers jump through new hoops all the time and having such heavy restrictions on their platform, but its clear the users have benefitted in other ways.
iOS had it's own issue, where Path uploaded a user's entire contact list without needing to ask permission for it. That was a wakeup call for Apple, and it should have been for Google too.
