by david_allison 1446 days ago
That's only for 'dangerous' permissions as defined by Android.

As an example: NFC is defined as a 'normal' permission.[0]

As far as I'm aware [not an expert here], there's nothing stopping an app developer from updating their app with the ability to steal credit card/passport information (if the card is tapped against the phone).

[0] https://developer.android.com/reference/android/Manifest.per...


Credit cards cannot be duplicated wirelessly. I’m not familiar with passports, but if they can, then I’d say that’s a flaw of the cards rather than phone permissions. It’s possible to read NFC cards from quite a distance with a high-power reader.

Do you have a source on that [credit cards]?

From a casual further inspection, there are videos on YouTube which demonstrate this: https://www.youtube.com/watch?v=K_6oMZb8UOI

Someone else can probably give the technical details but from my understanding, all but the most primitive NFC cards use a challenge/response system rather than just an ID. So there is no way to actually clone the secret stored internally as this is never transmitted.
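
A simplified model of the distinction drawn in the comment above, added here as an example that is not part of the original thread. It assumes HMAC-SHA256 with a key shared between card and verifier, does not implement EMV or any real card protocol, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

class StaticIdCard:
    """Primitive tag: answers every read with the same identifier."""
    def __init__(self, card_id: bytes):
        self.card_id = card_id
    def respond(self, challenge: bytes) -> bytes:
        return self.card_id  # the challenge is ignored

class ChallengeResponseCard:
    """The key never leaves the card; only a MAC over the challenge is sent."""
    def __init__(self, key: bytes):
        self._key = key
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Recording:
    """A copy built from one observed exchange: it can only repeat those bytes."""
    def __init__(self, observed: bytes):
        self.observed = observed
    def respond(self, challenge: bytes) -> bytes:
        return self.observed

def verify_static(expected_id: bytes, device) -> bool:
    return hmac.compare_digest(device.respond(b""), expected_id)

def verify_challenge_response(key: bytes, device) -> bool:
    challenge = secrets.token_bytes(16)  # fresh for every verification
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(device.respond(challenge), expected)

def demo() -> dict:
    card_id = b"CONSTRUCTED-ID-0001"      # constructed sample value
    key = secrets.token_bytes(32)         # constructed sample key
    static_card = StaticIdCard(card_id)
    cr_card = ChallengeResponseCard(key)
    # One observed exchange per card, as seen by a passive listener.
    static_copy = Recording(static_card.respond(b""))
    cr_copy = Recording(cr_card.respond(secrets.token_bytes(16)))
    return {
        "static_genuine": verify_static(card_id, static_card),
        "static_copy": verify_static(card_id, static_copy),
        "cr_genuine": verify_challenge_response(key, cr_card),
        "cr_copy": verify_challenge_response(key, cr_copy),
    }

if __name__ == "__main__":
    print(demo())
```

In this model the recorded static identifier verifies exactly like the genuine card, while the recorded challenge response is rejected because the verifier's next challenge is different.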

I'm willing to bet that video is just plain fake. Especially given it only has 2k views.

I'd put stock in the video; it's using https://github.com/devnied/EMV-NFC-Paycard-Enrollment which seems reasonably popular.