I’m staring at my screen, heart sinking a bit, as Insent — this innocuous little app — plucks a random text file from my Documents folder. I just toggled off its access in Privacy & Security. Supposedly. But there it is, contents displayed like I handed over the keys myself.
Zoom out: this isn’t some hacker’s exploit. It’s a demo any Mac user can run, spotlighting how Apple’s TCC (Transparency, Consent, and Control) system — their big privacy shield — crumbles under basic user intent. Twenty years covering this Valley circus, and Apple’s still peddling ‘privacy first’ while the fine print bites.
Why Does macOS Let Apps Ignore Your Privacy Toggles?
Look, you download Insent (notarized, sandboxed, no funny business). Hit ‘Open by consent.’ It asks nicely for Documents access — you grant it. Privacy settings now show it’s allowed. Fine.
Quit. Revoke that access with the toggle. Reopen, try again: blocked. Good.
But here’s the kicker — click ‘Open from folder,’ pick Documents in the dialog. Boom. Access granted, no consent needed. TCC figures you’ve ‘intended’ it. Now? ‘Open by consent’ works too. Toggle still off. Settings lie.
Once you have downloaded Insent… confirm that Documents access for Insent is still disabled in Files & Folders. Whatever you do now, the app retains full access to Documents, no matter what is shown or set in Files & Folders.
That’s straight from the demo creator, Howard Oakley. Brutal.
And it sticks. Only a nuclear Terminal command — tccutil reset All co.eclecticlight.Insent — plus a restart clears it. Per-folder quirks too: grant Desktop via dialog, Documents stays ‘blocked’ until you touch it.
Sandboxd logs spill the beans. User picks folder? TCC waves it through as ‘user intent.’ No re-prompt. Apple’s logic: dialogs = consent proxy. Smart? Cynical me says it’s a loophole they won’t patch, lest it break legit apps.
Here’s my unique take, absent from the original: this echoes 2016’s XcodeGhost saga, where notarization was Apple’s fix-all. They hyped it, devs cheered, then poof — supply chain rot. Now TCC’s the new emperor with no clothes. Prediction: Sonoma or Sequoia ships this flaw intact. Fixing means rethinking NSOpenPanel flows — chaos for devs, UI friction for users. Apple prioritizes seamlessness over ironclad privacy. Who profits? App makers, not you.
Short para for punch: Trust nothing.
Is Your Mac’s Documents Folder Actually Protected?
Short answer: sorta. TCC protects against blind grabs, sure. But any app invoking the Open panel? Game over for that folder.
Insent’s no outlier. Finder, TextEdit, whatever — they all signal ‘intent.’ Once signaled, TCC bookmarks it. Toggle off? Visual placebo. Logs confirm: sandboxd checks TCC, gets nod from prior intent, done.
Tested on Tahoe 26.4, but Ventura+ likely same. SIP on, sandbox partial — yet bypass holds.
Cynical lens: Apple’s PR spins TCC as bulletproof. ‘Pixel-perfect privacy,’ they crow at WWDC. Reality? It’s probabilistic. Good enough for normies, risky for paranoid.
Worse, no UI warns post-dialog. Settings desync. Users like you — busy, non-techies — check the pane, see ‘off,’ sleep sound. Meanwhile, apps roam.
Deep dive: TCC services like kTCCServiceSystemPolicyDocumentsFolder grant per-app, per-folder. But ‘user navigation’ via panels caches approval. Historical parallel? Windows UAC prompts evolved this way — intent heuristics over strictness. Apple apes Microsoft, quietly.
Bold call: expect third-party tools to exploit this. Password managers, note apps — they’ll ‘request’ via panels, lock in access forever. Your vault? Wide open.
Paragraph sprawl: And don’t get me started on enterprise — IT admins toggling en masse, thinking they’ve locked down. Nope. One user panel pick, and poof, fleet-wide exposure if shared app. Valley’s enterprise push (Intune dreams) hits wall here. Money trail? Security firms salivate — new ‘TCC hygiene’ tools incoming, $99/year subscriptions. Who’s cashing? Not Apple, but the cleanup crew.
But.
Fixes? Terminal reset works, but clunky. Per-app nuke via tccutil. GUI plea: Apple, add ‘Revoke All Intents’ button. Dream on.
How Bad Is This for Everyday Mac Users?
Not Armageddon. Casual apps rarely list Documents raw. But photo editors, backups? Risky.
Me? I’ve quarantined sketchy downloads since ‘05. You should too.
Unique insight redux: this undermines Apple’s ‘differential privacy’ halo. They fund research, tout on-stage — yet core OS betrays. PR spin: ‘Best privacy in world.’ Veteran gut: marketing, not engineering priority.
🧬 Related Insights
- Read more: Warden v2.0: Free CLI That Sniffs Out Malicious npm Packages in Seconds
- Read more: React Labs Finally Lifts the Lid on Years of Secret Dead Ends
Frequently Asked Questions
What does Insent app demonstrate on macOS?
It shows how Privacy settings don’t block folder access after an Open panel selection, even with toggles off.
How to fully revoke app access to Documents on macOS?
Run tccutil reset All co.eclecticlight.Insent in Terminal, then restart your Mac.
Does this macOS privacy bug affect all versions?
Likely from macOS 13.5+, tested on 26.4; check with Insent.
