Until Android Q - FTC PDF says some Android apps harvest location data from PHOTOs & WIFI even after you deny permissions

Researchers found at least 1,325 Android apps (of 88,000 tested apps) still
harvest data even after you explicitly deny permissions.
https://www.ftc.gov/system/files/documents/public_events/1415032/privacycon2019_serge_egelman.pdf

The apps gather information such as location, even after owners explicitly
say no.

Google says a fix won¢t come until Android Q.
https://www.cnet.com/news/more-than-1000-android-apps-harvest-your-data-even-after-you-deny-permissions/

Information obtained includes geolocation & phone identifiers.

Researchers told the FTC:
"If app developers can just circumvent the system, then asking consumers
for permission is relatively meaningless."

The 1,325 apps that violated permissions on Android used workarounds hidden
in its code that would take personal data from sources like Wi-Fi network
and router MAC address connections and location metadata stored in photos.

For example, Researchers found that Shutterfly, a photo-editing app, had
been gathering GPS coordinates from photos and sending that data to its own
servers, even when users declined to give the app permission to access
location data.

Android Q will address the issue by hiding location information in photos
from apps and requiring any apps that access Wi-Fi to also have permission
for location data.

However, 13 apps of the 88,000 tested, were relying on other apps that were
granted permission to look at personal data, piggybacking off their access
to gather phone identifiers like your IMEI number. These apps would read
through unprotected files on a device's SD card and harvest data they
didn't have permission to access. So if you let other apps access personal
data, and they stored it in a folder on the SD card, these spying apps
would be able to take that information. 153 apps had this capability.