I don’t have something specific to read, my statement comes from questioning the declared permissions by apps. Why would, say, facebook - an app that, essentially, downloads and uploads content via http, need access to location, gyro, contacts, texts, call history, making calls, microphone, etc? Also, while I can’t prove it, as someone who works in computing I can guarantee there are undocumented/buggy/testing APIs and just straight up bugs that companies with enough resources can and do find and abuse. Cambridge analytica has only strengthened my view on this.