Act As An Account AuthenticatorThe 1st and 3rd permissions sound pretty scary and I wasn't sure why they were there. At one time, I considered automatically creating a "Todo Q" calendar in the user's google calendar, so that could be the reason. Anyway, I pulled both. Todo Q will still request a token for the "send to friend" feature. Send to Friend allows you to send tasks to another Todo Q user or anyone using SMS.
Allows an application to use the account authenticator capabilities of the AccountManager, including creating accounts and getting and setting their passwords.
Use The Authentication Credentials Of An Account
Allows an application to request authentication tokens.
Manage The Accounts List
Allows an application to perform operations like adding, and removing accounts and deleting their password.
Following is a screenshot of the requested permissions in v2.0.2. Todo Q doesn't actually send e-mail, so I'll have to check on that one. It accesses the calendar for import and "add to calendar" functions. It accesses your contacts in order associate a contact to a task and use their address for the location. The SD card is for backups, and the SMS permission is the other half of "send to friend".
We need a way to pick & choose permissions at install and/or runtime. I could easily turn off features if the user didn't want to grant permission.
Todo Q v2.0.2 removes the two unused permissions and is only $1.99 on the android market.