You can still, at least, allow users to revoke it, even if it's silently default.

just out of curiosity, how was it bypassed?

Apps can communicate via each other, so if any app has internet permission and public intent then other app can use that https://developer.android.com/training/basics/intents

so, "get your users to also install this other backdoored app with the internet permission".

I don't think that qualifies as "trivial", though it'll obviously work on some people.

The easiest way was to send an Intent to the browser with a specially constructed URL. Every phone has that installed.

For relatively small bits of info, probably only once before the app is uninstalled: yep, agreed, this works. There's no practical way to prevent it either, short of requiring interaction literally all the time, which just makes dialog-fatigue worse.

But ultimately this will do a single extremely visible GET request, which is limited by the browser's normal sandboxing. That's quite far from "bypassing the internet permission". And in some cases ineffective (e.g. I have multiple browsers and intentionally do not set a default), though that's rare enough that I don't think it's relevant.

---

An "app can send intents" permission would be sorta nice for things I truly want sandboxed, e.g. a password manager. XPrivacy allow(ed|s) blocking stuff like this, I would and did happily toggle it off for most apps since e.g. many games have no need of anything but their APK's data.