Comment by microtonal

5 days ago

By default their app cannot though because Android uses proper sandboxing and gated API access. So you actually have to give the app location access, access to your messages and access to your photos.

Well, unless you use one of the many crappy Android devices that never get security updates, are running old kernels, old vendor security patch levels, miss all Android security patches, except applying the backported security bulletins every three months (1-2 months late). Yet, Google is happy to certify them as Android devices.

It was never about security, it is about control. If it was about security, they would have revoked the GMS licenses of pretty much every vendor outside Google themselves and maaaaybe Samsung, until vendors actually started caring about security. If it was about security, there would not be as many scam apps in the Play Store itself.

Back to your sister, the proper solution is to educate her (and everyone else) not to give apps unfettered access when they ask you to, plus let Google implement more security measures that systems like GrapheneOS already have (contact scopes, sensor permissions, network access permissions, etc.).

The tricky bit with that is it would get a monopoly lawsuit from manufacturers with a lot more money to throw around quickly. The biggest problem in improving Android security posture is getting manufacturers to have robust security and release updates without getting monopoly lawsuits.

It also doesn't help that mobile carriers can delay updates for months. Thanks T-Mobile.

  • It also doesn't help that "robust security" often is the problem in the first place.

    People forget to ask the most important question: security for whom, and from what.

  > Well, unless you use one of the many crappy Android devices that never get security updates

You mean those crappy devices that let me record my phone calls and let the voice recorder continue recording the lecture even when the screen is locked?