(no title)

I assume they don't expose it to users because once most people start to do that apps would start to implement detections, like if it spoof your location to a certain area then that area will get you "permission denied" error anyway, or I believe some apps do check that if your contact book is empty it assume you didn't give the permissions. It'd become a lot of work to implement a convincing spoof for most permissions to be blocked.