Thanks to Facebook, app permissions have popped back into the public’s consciousness. Last month it was discovered that Facebook had stored the phone logs of Android users who opted into sharing their contacts in the days before Android 4.1 Jelly Bean. Then this week, during Mark Zuckerberg’s congressional testimony, two representatives asked whether Facebook might be listening to private conversations through our phone microphones and using the info to serve up eerily specific ads.

Zuckerberg responded definitively to the questions about the microphone conspiracy theory—“no”—then felt the need to add that Facebook does have access to audio when people record video on their devices for Facebook. “I think that is pretty clear. But I just wanted to make sure I was exhaustive there,” he said.

But Zuckerberg’s do-si-do with Congress, rather than being clear or exhaustive, showed that people are still genuinely confused about what data their smartphone apps can and can’t access. That’s partly because of app permissions: They’re oversimplified and designed to offer a minimal amount of information, right as they’re asking for access to your data. And while they’ve improved just as apps have, it’s not enough to match the sophistication of the data-gathering technology that now surrounds us.

It may seem obvious at this point, but mobile apps—not just Facebook—can vacuum up a crazy amount of data with every interaction. (Just look at what happens when you order a pizza, as illustrated by The Wall Street Journal.) Both iOS and Android apps are capable of accessing your phone’s microphone, cameras, camera roll, location services, calendar, contacts, motion sensors, speech recognition, and social media accounts.

Some of this access is necessary: a photo app doesn’t work without access to a smartphone’s camera, just as a ride-hailing app like Uber doesn’t work without location information. Reject those permissions, and you’ll break functionality. But sensor data could also reveal a lot more than some people realize, especially when patterns start to emerge.

One Android app developer, who requested anonymity to avoid speaking on behalf of his company, noted that once you grant location access, app makers are able to pull in bearing and altitude information in addition to single location objects. This means apps can know “roughly which floor of a highrise you live on.” Ish Shabazz, an independent iOS developer, says that once you give an app permission to always have access to your location, “there’s an API to keep track of how frequently you visit a location.” (On iPhones, this list is visible in Location Services, then System Services, then Significant Locations.)

“There are legitimate and friendly ways that this data is used,” Shabazz says. “However, if you’re nefarious, I’m sure that info could be used in non-helpful ways.”

Amod Setlur, a former director of engineering at Yahoo who now runs a Silicon Valley analytics firm called Auryc, says one of his clients, a travel app, learned some interesting behavioral patterns about its customers based on how they were holding their phones.

“We found that during traffic spikes [in the app] at night, a lot of device rotations were happening,” Setlur says. “They were starting like this, and then they would turn the phone like this. We realized that people were trying to plan their next trip, turning the phone sideways to look at photos, while they were lying in bed.”

Those are just insights, the kind that make marketers froth, but there are clear overreaches in apps, too: Path’s unauthorized upload of people’s address books to its servers; Pokemon Go’s ability to “see and modify nearly all information in your Google account”; and Meitu’s request for access to GPS and SIM card information. Usually it’s around privacy violations like these—or around Facebook news—that app permissions get a fresh dose of attention.