Most developers have only the vaguest idea of what the security
implications of symlinks are, and simply saying "this seems a tad too
restrictive" does not instill confidence that you've spent the time to
become an expert on this obscure and complicated subject.
The implications of this vulnerability reach from disclosure to loss of
personal information for the Calendar data. For Contact information,
private information of others is also affected, potentially including phone
numbers, home addresses, and email addresses. Beyond the mere stealing of
such information, an adversary could perform subtle changes without the
user noticing. For example, an adversary could change the stored email
address of the victim's boss or business partners hoping to receive
sensitive or confidential material pertaining to their business.
Könings, Jens Nickels, and Florian Schaub
on an Android vulnerability
to post comments)