iOS Permissions: What Each App Really Knows About You
A breakdown of iOS permissions for non-technical users. What each authorization hides, how to check them, and why Inner Gallery doesn't request any.
"This app would like to access your photos." Do you tap Accept without thinking? Mistake. Every iOS permission grants access to specific data. Let me break down what each app really knows about you.
You download a photo editing app. It asks for access to your photos. Makes sense, right? Except that this "simple" permission gives it access to ALL your photos, their metadata (location, date, device), and it can even upload them to its servers.
Welcome to the opaque world of iOS permissions.
Drawing on my work developing Inner Gallery (an app that requests zero network permissions), I'm going to break down what each authorization reveals about you.
Photos: much more than images
When you grant photo access, the app can retrieve:
- The images themselves: obvious, but it can copy them, analyze them, send them elsewhere.
- EXIF metadata: exact location where the photo was taken, phone model, camera settings, sometimes even your name if configured.
- Browsing history: which photos you look at, when, and for how long. This reveals your interests.
- Albums and organization: how you sort your memories, what matters to you.
A fitness app that asks for photos "to choose a profile picture" can actually analyze your vacations, infer your socioeconomic status, and identify the people close to you. Creepy.
Photo access doesn't mean "I can see your images." It means "I have access to your complete digital private life."
Inner Gallery manages your photos without photo permissions. How? I use PHPicker, Apple's system interface. You explicitly choose each image, and the app sees only that image. Zero access to other photos, zero unwanted metadata.
Location: your permanent logbook
The location permission reveals:
- Where you live: precise address inferred from your nights.
- Where you work: the place you spend 8 hours a day on weekdays.
- Your commutes: transportation used, schedules, habits.
- Your relationships: people you see (cross-referencing locations).
- Your socioeconomic profile: neighborhoods frequented, types of stores, restaurants.
Apps can be granted 3 levels of location precision:
- Precise: exact GPS (plus or minus 3 meters)
- Approximate: general area (plus or minus 100 meters)
- Never: no location at all
A weather app often requests "always" with precise accuracy. Why "always" for weather? Good question...
Contacts: your complete social graph
Contact access provides:
- Names and numbers: obvious, but also emails, addresses, personal notes.
- Your social network: who you know, call frequency, family/professional relationships.
- Third-party data: information your contacts have shared about you (your name in their address book).
Many apps ask for contacts "to help you find your friends." In reality, they vacuum up your address book to enrich their marketing databases.
App Tracking Transparency: the iOS 14.5 revolution
Since iOS 14.5, App Tracking Transparency (ATT) requires apps to explicitly ask permission before tracking you across apps.
- Without authorization: the app cannot follow you across other apps/sites or sell your data to brokers.
- With authorization: it can create a detailed advertising profile of you, follow you everywhere, and resell your data.
The pop-up "Ask App Not to Track" vs "Allow" makes all the difference. 90% of users choose "Ask App Not to Track." Facebook lost billions because of this.
ATT is the most important privacy feature on iOS. Always choose "Ask App Not to Track" unless you have a very specific reason not to.
How to check what your apps know
- Settings > Privacy & Security: view all permissions granted by category.
- Settings > [App] > Privacy: permissions specific to each app.
- Settings > Privacy > App Privacy Report: see which data each app has accessed recently.
I recommend a monthly audit. You'll be surprised by the permissions granted to apps you no longer use.
Permissions that should raise a red flag
- Microphone on a photo app: why listen if it's just for editing?
- "Always" location on a utility app: does a calculator need to geolocate you?
- Contacts on a game: no valid reason in 99% of cases.
- Tracking allowed: unless you genuinely want hyper-targeted ads, disable it.
How developers can do better
With Inner Gallery, I made radical choices:
- Zero network permissions: the app physically cannot send anything online. Impossible to track you.
- Photos on demand: PHPicker instead of full access. You choose each image.
- Local-only storage: your data stays on your iPhone, encrypted with your private key.
- Auditable code: simple architecture, zero dependencies, predictable behavior.
These choices guarantee your absolute privacy. And if cloud sync ever arrives, the data will be encrypted client-side before leaving the device.
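For developers, the "photos on demand" pattern described above looks like this in Swift. This is an added example, not Inner Gallery's code: the class name `ImportViewController`, the `store` helper, and the choice to re-encode as JPEG and use iOS file protection are assumptions made for illustration.

```swift
import UIKit
import PhotosUI

// Hypothetical view controller (illustration only, not Inner Gallery's code).
final class ImportViewController: UIViewController, PHPickerViewControllerDelegate {

    // Shows Apple's system picker. It runs outside the app's process, so no
    // photo-library permission prompt appears and Info.plist needs no
    // NSPhotoLibraryUsageDescription entry.
    func presentPicker() {
        // Plain init (no PHPhotoLibrary passed in): results carry no asset
        // identifiers, so picks cannot be mapped back to the user's library.
        var config = PHPickerConfiguration()
        config.filter = .images      // images only, no videos
        config.selectionLimit = 1    // the user hands over exactly one photo
        let picker = PHPickerViewController(configuration: config)
        picker.delegate = self
        present(picker, animated: true)
    }

    func picker(_ picker: PHPickerViewController,
                didFinishPicking results: [PHPickerResult]) {
        picker.dismiss(animated: true)
        // An empty result list means the user cancelled.
        guard let provider = results.first?.itemProvider,
              provider.canLoadObject(ofClass: UIImage.self) else { return }

        _ = provider.loadObject(ofClass: UIImage.self) { [weak self] object, _ in
            guard let image = object as? UIImage,
                  // Re-encode from the decoded pixels: the original file's
                  // EXIF block (GPS tags included) is not copied over.
                  let jpeg = image.jpegData(compressionQuality: 0.9) else { return }
            self?.store(jpeg)
        }
    }

    // Assumed storage policy for this example: a random file name inside the
    // app sandbox, readable only while the device is unlocked.
    private func store(_ jpeg: Data) {
        let dir = FileManager.default.urls(for: .documentDirectory,
                                           in: .userDomainMask)[0]
        let url = dir.appendingPathComponent(UUID().uuidString + ".jpg")
        try? jpeg.write(to: url, options: [.atomic, .completeFileProtection])
    }
}
```

If the picked item were loaded as the original file instead of as a `UIImage`, its embedded metadata would come along with it, so the re-encoding step is what keeps location tags out of the stored copy.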
The future: more granularity
iOS is moving toward greater granularity. Recent examples:
- Limited photo access: choose which photos to share (iOS 14+).
- Approximate location: give a general area, not precise GPS (iOS 14+).
- Microphone/camera in use: orange/green dots when an app is listening/recording (iOS 14+).
Apple continues to improve the Privacy Dashboard for more transparency. This is an excellent direction.
Also worth reading
- Encryption Explained Simply (for Non-Devs)
- Local-First Apps: Why I Believe in Them for Certain Products
- Why I Built Inner Gallery
To check the privacy reputation of an app, use Exodus Privacy. This tool scans Android and iOS apps for hidden trackers.
Your digital privacy is worth more than the convenience of an app. Take 30 seconds to understand what you're authorizing. Your personal data will thank you.