You don't need that permission if the user gives their implicit consent by selecting the Documents directory in the browse window. That's why most apps don't even show up in the Privacy Settings at all. Most apps don't need that, because they don't try to access that directory on their own. They only do it when the user selects the directory.
I guess the improvement can be to show the implicit consent in the privacy settings page as well, and have a way to revoke it.
Yeah, it's less of a "GOTCHA!" and more of a weird use case that Apple engineers probably didn't think through all the way. Doesn't seem like a difficult fix at all.
If the app opens a window and prompts the user to select a directory to save a file or load a file, should that access be recorded in the privacy settings page? I'd argue that maybe there should be a verbose version of the privacy settings page, where, if you _really_ want to, you can see every dir that every app has ever accessed, but the vast majority of users don't care.[0]
I'm less caffeinated this morning though so maybe I misread the whole argument.
[0] edit: And whether the app still has access to that dir. Which maybe was the point of the article. I am just skeptical generally of these kinds of exposés because, while they're generally pretty fair, they'll inevitably get picked up by the geniuses on r/pcmasterrace who will spin it into "Apple Privacy and Security Settings Let Terrorists Invade Your Family Photos".
I don't think any long-term implicit consent is acceptable. I would not expect that, after opening one document in a folder without being shown any permission prompt, permissions would have been permanently altered. I would never even go look to see if it was "implicitly permitted".
Without a prompt or notice, I would expect only that the app has access to the file or directory I chose until the app is closed/quit.
Why should the permission even persist that long? You might leave that app running for the next two years.
Shouldn't a temporary access be temporary? Possibly scoped by time? Possibly scoped to a single access?
Because the app may generate more than one descriptor for it or perform more than one read or write operation in the normal course of usage. If I open a document, and come back to it 6 hours later and click the save button, I would expect it to save the document.
How would the app be able to reopen the file then?
It would ask for permission.
Every time you relaunch the app?
It depends on the app whether that would make sense. If it is document-centric, then yes: the user should explicitly open it every time. If it doesn't make sense for the user to open it every time, it should ask for permanent permission, and that should be recorded in system settings where it can be removed.
The real problem with this isn't so much that it doesn't show the implicit consent. That would be nice but not a big deal. It's that it shows explicit non-consent that is getting ignored.