When people say that apps are stealing your data, what exactly does that mean?
Apps like Temu or TokTok. Or those cheap electronic devices where you have to download a questionable app and register an account. What exactly is being stolen and what is being done with it? Who is doing it? Why?
Everything. Basically, if it's not nailed down, they want to take it.
The short list of most common data taken would be app usage stats, not necessarily just for the app in question (eg, tiktok may pull data on how many hours of screen time other apps get, like YouTube or Instagram or literally anything else), GPS info, data about how often you handle your phone (from accelerometer readings), wifi networks including the bssid (mac address) of your router, which cannot be easily changed or masked, sometimes even data from your mic when you're not using the phone at all.
They know when you're sleeping, they know when you're awake, they know when you've been bad or good.... Oh wait, that last bit is Santa... Isn't it?
Anyways, I wouldn't be surprised if a few are bold enough to upload your pictures regardless of if you are posting the images, your browser history, security, device make/model, storage of your device, the list of files in storage, text messages...
Basically, anything that might help them identify you, what you do, where you work, when you work, how you travel, whether you're in a relationship, how happy you are in that relationship and how long it has been going on... Anything that might lead them to provide more targeted ads. Been in a relationship for a while and you seem happy? Check out these engagement rings. Already married? Here's some ads about parent stuff. Even something as simple as, hey, you're single and it's February, why not try Tinder or Grindr, or (insert app for your preference here).
They want to know everything there is to know so they can get you to buy more crap you probably don't need, for more than it's worth, and keep that economic gravy train rolling.
Also to add to bssid, it is possible (in the majority of cases) to get the exact (and i do mean exact) geolocation of the router whose bssid you have. See geomac by drygdryg on Github.
Fun story: I purchased several wireless access points from an eBay seller, years back, and when I brought them online, our geolocation services on all our phones thought we were several hundred miles away from where we lived for many months. I assume the bssid data was feeding the incongruency.
After a few months, however, whatever database was feeding our devices with bad geolocation data, was updated, and we were once again "located" in the correct spot.
The accuracy of these systems is incredible, it will actually use, not only your own bssid, but also that of complete strangers to try to figure out where you are without turning on GPS. If your personal bssid is weak but your neighbors bssid is stronger, it will adjust your position based on the relative signal strength of each bssid that is detected. In the same way triangulation works with most radio signals.
I've seen such systems estimate, with a fair amount of accuracy, client location data on a floorplan where there are a few dozen access points in the space.... So it works both ways. In that case I was part of a team at a job where the client had a couple thousand square feet of floor space, and about 12-15 access points to blanket the space in coverage. We could, with some degree of accuracy, follow the location of someone as they moved through the space; knowing where they spent most of their time, and what services in the space were utilized by the guest.