kubik369 | 2 years ago

I am surprised no top comment mentions this — on iOS, you cannot distinguish if you were granted a permission or not. As an example, if an app asks you for access to your photos, it will always get an array. The trick is that when you deny this permission, the array will be empty, so you cannot know if the user simply has an empty library or if he denied you access. I like it, simple and elegant.

Naturally, in the case of photos, you can use a heuristic, because basically everyone will have at least some pictures. However, in the case of other types of data, say, health data, it is not so clear-cut.

JimDabell|2 years ago

> on iOS, you cannot distinguish if you were granted a permission or not.

This isn’t correct. For instance, accessing location services provides CLAuthorizationStatus:

https://developer.apple.com/documentation/corelocation/claut...

…and push notifications have UNAuthorizationStatus:

https://developer.apple.com/documentation/usernotifications/...

…and health data has HKAuthorizationStatus:

https://developer.apple.com/documentation/healthkit/hkauthor...

…and contacts has CNAuthorizationStatus:

https://developer.apple.com/documentation/contacts/cnauthori...

…and photos has PHAuthorizationStatus:

https://developer.apple.com/documentation/photokit/phauthori...

Photos is a special case because the user has the option of denying access, giving limited access, or giving full access. You can determine if the user has denied access, but you cannot distinguish between limited access and full access.

ciex|2 years ago

I recently tried using Sony's (frustrating) Imaging Edge app to transfer photos from a camera to an iPad and gave it limited access and it refused to transfer images! When I changed the permissions to full access it worked. So there must be some difference, maybe not an obvious one.

H8crilA|2 years ago

How does that work for location?

Also, an empty folder with photos is almost certainly implying lack of permissions. Very few people never took a picture.

didntcheck|2 years ago

I suppose they could select a random location within the country/state. Even select it with population weight so that the app would struggle to infer if it was being spoofed. As with any spoofing, it would be necessary to store some state for each app, and generate locations similar to the last one (but not too similar. Random weighted walk maybe, weighted towards some randomly chosen "home" and "work" and hangout places, ideally based at actual buildings in the right districts?)

If you want to go even harder you could try to do the same with images. Generate some basic images of typical snapshot scenes with some AI model, and further postprocess the pixel data to try and give it a statistical distribution that looks like a real camera rather than AI. Add some realistic EXIF too. Doing this on demand may be quite expensive, so the phone could pre-fill a cache of fresh images during quiet hours or something.

This all sounds very excessive, but I will give Apple credit and say they're one company who I could actually see going to these lengths if they decided they wanted it.

yonatan8070|2 years ago

Almost certainly isn't good enough if your app has tens of thousands of users. What if someone got a new device and didn't restore a backup? I've met many people who wouldn't know how to transfer data from an old device.

jackson1442|2 years ago

You can also select a subset of pictures to grant the app access to, which makes the heuristic fall apart if you properly manage it as a user.

rappatic|2 years ago

What about other permissions where you can't realistically send an empty object? For example, if the user grants permission to view location, the location object passed to the app will obviously have the pertinent information. Would the OS simply pass an empty location object and wouldn't that make it obvious that permission was denied? Or is it hidden behind some kind of error?

JimDabell|2 years ago

They are wrong; you can determine whether you have permission in iOS. For location, you have CLAuthorizationStatus:

https://developer.apple.com/documentation/corelocation/claut...

In any case, the iOS location services don’t work that way. You can’t call them and get a location back due to the way the system works. It simply doesn’t have location data at times and needs to wait for it to become available. You tell the operating system you want to receive location updates and then it delivers zero or more when that information becomes available and when it becomes more accurate or changes. So if iOS needed to withhold information, it wouldn’t have to give an empty object back, it would just not deliver any location updates at all.
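
The subscription model described in the comment above, as an added Swift example that is not part of the thread and is not Apple sample code. The class name `LocationWatcher` is hypothetical; the code assumes iOS 14 or later and an `NSLocationWhenInUseUsageDescription` entry in the app's Info.plist.

```swift
import CoreLocation

// Added illustration; LocationWatcher is a hypothetical name.
final class LocationWatcher: NSObject, CLLocationManagerDelegate {
    private let manager = CLLocationManager()

    override init() {
        super.init()
        manager.delegate = self
    }

    func start() {
        // Shows the system prompt only while the status is .notDetermined.
        manager.requestWhenInUseAuthorization()
    }

    // Called after the manager is created and whenever the user changes the setting.
    func locationManagerDidChangeAuthorization(_ manager: CLLocationManager) {
        switch manager.authorizationStatus {
        case .notDetermined:
            print("user has not been asked yet")
        case .restricted, .denied:
            // The status is reported to the app as a distinct value.
            print("no access to location")
            manager.stopUpdatingLocation()
        case .authorizedWhenInUse, .authorizedAlways:
            // Subscribe to updates; nothing is returned synchronously.
            manager.startUpdatingLocation()
        @unknown default:
            break
        }
    }

    // Delivered zero or more times, as fixes become available or improve.
    func locationManager(_ manager: CLLocationManager, didUpdateLocations locations: [CLLocation]) {
        guard let latest = locations.last else { return }
        print("fix: accuracy \(latest.horizontalAccuracy) m at \(latest.timestamp)")
    }

    func locationManager(_ manager: CLLocationManager, didFailWithError error: Error) {
        if let clError = error as? CLError, clError.code == .denied {
            print("updates refused: authorization denied")
        } else {
            print("no fix yet: \(error.localizedDescription)")
        }
    }
}
```
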

macintosh-hd|2 years ago

This is obviously untrue and can be seen by almost any app that asks for notification access.