HannekeAug 14, 2025

Hey Fedi,

I have been wondering about this for a while, but never got around to figuring it out or testing it.

But what if
* a (ios or android) app has no location access
* you open a photo in that app
* the photo has location meta data

Does the app have access to that meta data?

Recently I learned the hard way that if you open a photo in an app, and the photo is cropped, on iOS the app gets the whole photo including the crop meta data, and NOT a cropped version of it, which I think is, or can be, a pretty big privacy risk. Given this, I fear it's the same for geolocation metadata and goodness knows what else.

Show threadGraham Sutherland / PolynomialAug 14, 2025

@h5e the Android photo picker returns a Uri to the image file, after which point the app has permissions to read it, so that would inherently give the app access to the EXIF data including geotags.

(edit: this is wrong, the downstream media APIs redact the EXIF when you use a photo picker Uri)

no idea for iOS.

Show threadHannekeAug 14, 2025
@gsuberland so the uri isn’t a modified version?
Show threadGraham Sutherland / PolynomialAug 14, 2025

@h5e oh, good point. that's poorly documented but you're right - it looks like if you're using the modern media picker and open the returned Uri using the media APIs (ExifInterface and similar) it scrubs the EXIF data, and apparently you *can* get it if you have the right permissions (media location) but the only references I can find are people on StackOverflow who can't get it working.

however if you use the older API for picking *files* it'll give you the unredacted version.

Show threadMemorion
@gsuberland @h5e https://developer.android.com/training/data-storage/shared/media#media-location-permission
Access media files from shared storage  |  App data and files  |  Android Developers

Android Developers
Aug 14, 2025 at 6:02pmWeb
Show threadGraham Sutherland / PolynomialAug 14, 2025
@Memorion @h5e yes. the stuff I found online was that this permission didn't actually work as expected on all Android versions, particularly 10 and 11. when using the new media picker, media was still returned with EXIF data removed regardless of whether or not that permission was granted. idk if this was an Android bug (there are a few tickets in that realm) or just some missing extra step that was required but poorly documented. it may well work fine on 13+.