[falling]

> I think it just means the app can fetch those contacts in a widget, or a SMS app, or something, but definitely not sending it to their servers.

How could you give the app access to your contacts list and prevent it from sending the data somewhere else?

Besides, the description on the Android Market says: “READ CONTACT DATA Allows an application to read all of the contact (address) data stored on your device. Malicious applications can use this to send your data to other people.”

[Dylan16807]

It could theoretically give access to contacts via a contact-chooser button without ever letting the app get to the list. Much like you can upload a file on a desktop browser without letting the site see your list of files.

[falling]

That limits functionality quite a bit. Say you want to write an email or messaging client (K9, Handcent), your solution prevents you from doing name/address autocompletion in the To: field.