Originally Posted by
joeldf What kinds of attack surface are you concerned about?
The only thing that android apps have access to is whatever the runtime is allowed - usually the typical contacts, calendar, and information that is shared between the basic runtime and its link via a stub to the matching info in BB10.
Usually the kind of info the app needs is what it needs to do its thing. File access, for example, is needed if you share photos from the phone. Contacts so it can know who you want to communicate with. Sure, you can use the app TrumpetTiger mentioned (I've used it), to limit the excessive stuff, but the app itself is fine.
And, honestly, Whatsapp is mining that info regardless of what platform you are using. I don't care what they say, I don't trust them.
Root level android attacks are pretty much non-existent because there is no "root" in the BB10 android runtime. Because it's a runtime, or emulator, not the whole OS. Root attacks look for things that simply don't exist in the emulator (there have been several inquires posted on these forums over the years asking how to root the runtime - you can't). If an attack tries to get access through a stub, the sandbox stops it.