To me, it’s gotta be the microphone
Root
This. Root allows an app to get any permissions and probably even disable all evidence of having them.
Drug dealer : Network - Location - Contacts
Facebook : I’ll take all
Wifi in apps that have no reasonable need for it, because it’s basically location.
Location.
This depends on what you’re trying to defend against. In my opinion (on GrapheneOS):
- “Accessibility” permission (i.e. full control of the device)
- “Network” permission
- “Modify system settings” permission
- “Install unknown apps” permission
- Any permission that allows apps to communicate with one another (such as a reduced sandbox, file permission, or app communication scopes)
Those are the only permissions that I can think of off the top of my head that could potentially allow an app to phone home. Turning off Wi-Fi for the device does little if the app also has the “Wi-Fi control” permission.
App communication scopes isn’t the scary thing, it’s the solution. Standard Android sandbox allows apps to communicate if they mutually agree to it. Scopes will allow you to limit that.