$4.$ An $$Application A$$ makes an API call to email handling $$Application B$$ to generate a to$-$do list from user flagged emails. However, the developer also provides read access to the contact list which is not required by the $$Application A$.$ Which secure coding principle must be applied by developers to reduce the security risks posed by this unused access rights.

how to mitigate this problem