It is none of the app's business if the "camera" it sees is actually just an animated GIF (in essence).
It is none of the app's business if the "location" information it receives says, Mountain View, California. Wow! Look how many customers live in California. :-P
In short, the app should not even get the yes/no data from the user.
But at the same time, I have a feeling that there would be frameworks popping up all over the place for recognizing spoofed settings. Yes, you'd end up with the same thing with an explicit "no" option, but the segment of users choosing "spoof" would presumably be smaller, and as such presumably the gain of an app adding functionality to detect spoofing would be smaller.
Although I personally think that the best option is, given that Android has the app store, have it part of the verification process that unrelated functionality of an app must work when functions are disabled.
Yes, and Android's isn't the only app repo that could be doing more verification (reminds one of Windows Update and FTDI, no?). To be frank, however, adding additional required verification is a huge pain for everyone, so it's going to be rare.
To avoid the pain they could roll this out only to apps that declare themselves not to be assholes. I.e., an app could promise not to degrade ungracefully under limited perms, and in return it would never get spoofed data. (All other apps would get spoofed data whenever they access an API that a user had deselected.) If a non-asshole app were ever reported by a user and verified by Android devs to degrade in a user-hostile manner, it could just be placed in the asshole category permanently.
It is none of the app's business if the "camera" it sees is actually just an animated GIF (in essence).
It is none of the app's business if the "location" information it receives says, Mountain View, California. Wow! Look how many customers live in California. :-P
In short, the app should not even get the yes/no data from the user.