I don’t have something specific to read, my statement comes from questioning the declared permissions by apps. Why would, say, facebook - an app that, essentially, downloads and uploads content via http, need access to location, gyro, contacts, texts, call history, making calls, microphone, etc? Also, while I can’t prove it, as someone who works in computing I can guarantee there are undocumented/buggy/testing APIs and just straight up bugs that companies with enough resources can and do find and abuse. Cambridge analytica has only strengthened my view on this.

Take a look for yourself with a rooted phone.

Blocker will show you all the recievers/services/activities/providers the app uses,
and will allow you to block them.

https://github.com/lihenggui/blocker

Apps often still work correctly with about 80-90% of their recievers/services/providers blocked, since they’re spyware, which doesn’t add functionality to the app.

XPrivacyLua will allow you to lie to apps when they request sensitive data.

Aditionally it will show you timestamps of what it lied about, to which apps, reveiling what they try to collect on you.

https://github.com/M66B/XPrivacyLua

ClassyShark3xodus allows you to decompile and scan apps on the fly,
to check which well known trackers are embedded into it.

https://bitbucket.org/oF2pks/fdroid-classyshark3xodus

Idk if these apps still do it,
since I have not used them for years,
but that’s how I learned about many things like:

• 9GAG contained a face detector service at some point.
• Facebook Messenger requests access to your microphone, even when you are not calling with it.