by zak_mc_kracken 4198 days ago
And of course, you can always see if an app is uploading your contact data to their servers, even if that app is closed source.

Anyone could use a network sniffer to see that it is uploading something, but you can't tell what, since the content may be encrypted. An advanced user may be able to follow the data in a debugger, but that's a lot of work. A very advanced user could instrument the code to perform data flow analysis; see https://www.cs.cmu.edu/~wklieber/papers/soap2014-didfail.pdf
You can relatively easily MITM most applications by uploading a custom root certificate to your phone, and doing SSL termination + re-establishment on a router your phone is using.
Isn't this only true if the app isn't pinning certificates?
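The pinning question above, worked through as an added example that is not from the thread: an app-side public-key pin (SHA-256 of the leaf's SubjectPublicKeyInfo, the format HPKP and Android's network security config use) is checked after normal chain validation, so a leaf certificate minted under a user-installed root passes the chain check but still fails the pin. The DER reader is a minimal one written for this example; `sample_cert` builds a constructed fake certificate, and the host, port and pin set passed to `connect_pinned` are placeholders.

```python
import base64, hashlib, socket, ssl
def _tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, raw_tlv, next_pos)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end
def _children(seq_value):
    """Split a DER SEQUENCE payload into its (tag, value, raw_tlv) elements."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, val, raw, pos = _tlv(seq_value, pos)
        out.append((tag, val, raw))
    return out
def spki_der(cert_der):
    """Raw SubjectPublicKeyInfo TLV of a DER X.509 certificate (RFC 5280 field order)."""
    _, cert, _, _ = _tlv(cert_der, 0)             # Certificate ::= SEQUENCE
    _, tbs, _, _ = _tlv(cert, 0)                  # tbsCertificate ::= SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                      # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]
def pin_of(cert_der):
    """base64(sha256(SPKI)): the pin value an app ships in its config."""
    return base64.b64encode(hashlib.sha256(spki_der(cert_der)).digest()).decode()
def connect_pinned(host, port, pins):
    """Normal chain validation first, then the SPKI pin check on the leaf."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as raw, \
         ctx.wrap_socket(raw, server_hostname=host) as tls:
        # A leaf minted under a user-installed root passes the chain check but not this.
        if pin_of(tls.getpeercert(binary_form=True)) not in pins:
            raise ssl.SSLError("SPKI pin mismatch: possible interception")
        return tls.version()

# --- constructed sample data: a minimal fake DER cert, not a real one -------------
def _enc(tag, value):                             # short-form length only
    return bytes([tag, len(value)]) + value
def sample_cert(spki_payload, serial=b"\x01"):
    version = _enc(0xA0, _enc(0x02, b"\x02"))
    tbs = version + _enc(0x02, serial) + _enc(0x30, b"") * 4 + _enc(0x30, spki_payload)
    return _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))
if __name__ == "__main__":
    pins = {pin_of(sample_cert(b"key-A"))}        # the pin shipped inside the app
    print(pin_of(sample_cert(b"key-A", b"\x07")) in pins,   # True: reissued, same key
          pin_of(sample_cert(b"key-B")) in pins)            # False: interception key
```

Pinning the SPKI rather than the whole certificate is what lets the server renew its certificate under the same key without breaking the app, as the reissued sample shows.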