I honestly don't understand why this is a problem. Isn't it enough that the app says it requires my location when I install it?
If you don't like the required permissions no one is forcing you to install it.
Popular apps can essentially request any permission and you'll still download it — are you really going to forgo having Facebook on your phone because it asks for a couple of slightly-objectionable permissions?
On iOS, the average user has a chance to download that mainstream app and deny it access to their contacts.
It sounds to me like the question was supposed to read
> are [most people] really going to forgo having Facebook [...]
There will certainly always be people who do pay attention to permissions for privacy or security reasons, but they seem* vastly outnumbered by the people who don't.
* Just an intuitive sense, I have not looked for data to back this up.
The point is valid, but it still doesn't address the 'general population' problem - how do you get the users to care about their security/privacy? Giving fine-grain control over permissions is a fantastic idea.. but then you realize that the 'general population' that you made this for will never touch those settings, so it's no different than telling users what permissions an application will take.
Also, the development cost of 'does this feature exist?' for each permission is pretty high.
Google badly obfuscated permissions in a recent Play store update.
Where before it listed each permission, and required a manual approval of any was added in a app update, it now only list categories.
And it will only require manual approval if a new category is added.
And the categories are wide enough that someone can add an innocuous permission initially, and then push a update some time later that gives them virtually free reign of the user data.
On iOS, the average user has a chance to download that mainstream app and deny it access to their contacts.