What does startAccessingSecurityScopedResource() actually do?

Question

I'm making a sandboxed Mac app, and I used NSOpenPanel to get a file URL, and saved it to UserDefaults as a security-scoped bookmark. When I quit and restart the app, I can resolve that blob of Data into a URL again.

The documentation says I should call startAccessingSecurityScopedResource(), and check its return value. (That does return true when I call it.) But if I don't call that, I've still got a resolved URL, and I still appear to have permissions to access it.

What does startAccessingSecurityScopedResource() actually do? Is there anything bad that can happen, if I don't call it?

Answer 1

As long as your app only accesses files in standard locations (Downloads, Music Movies, Pictures) and you included the required entitlements for programmatic file and folder access in your app, you don't need to store security scoped bookmarks for those locations.

But for other locations that should remain accessible after the app has been restarted, you should store security scoped bookmarks and call startAccessingSecurityScopedResource() before access. If you skip that step, you'll get an exception as soon as you try to access that file.

startAccessingSecurityScopedResource() makes the security scoped bookmark's resource available to your app's sandbox thus granting you access to that resource.

Answer 2

startAccessingSecurityScopedResource is a method used on macOS and iOS to access security-scoped resources. These resources refer to files or directories that your application does not have direct access to due to security restrictions, such as file locations in App Group containers or files in system-protected locations.

The startAccessingSecurityScopedResource method is used to request temporary access to these scoped security resources, allowing your application to access them for a limited period of time, usually until your application finishes its work with the resource. This is useful to ensure that your application can work with these resources without violating system security restrictions.

For example, the following path for a .kml file would be:

file:///private/var/mobile/Containers/Shared/AppGroup/XXXXXXXX/File%20Provider%20Storage/example_file.kml

It is IMPORTANT to remember to stop access to the resource using stopAccessingSecurityScopedResource once you have finished using it to free up resources and maintain good security and permissions management.

Below we see a simple example of use:

import Foundation

// Get the URL of the file within the App Group container
if let fileURL = FileManager.default.containerURL(forSecurityApplicationGroupIdentifier: "com.yourcompany.yourappgroup")?.appendingPathComponent("example_file.kml") {
    
    // Request temporary access to the security-scoped resource
    let accessGranted = fileURL.startAccessingSecurityScopedResource()
    
    if accessGranted {
        do {
            // Safely access the file
            let fileContents = try String(contentsOf: fileURL, encoding: .utf8)
            print("File contents: \(fileContents)")
        } catch {
            print("Error reading the file: \(error.localizedDescription)")
        }
        
        // Stop accessing the resource after use
        fileURL.stopAccessingSecurityScopedResource()
    } else {
        print("Failed to obtain access to the security-scoped resource.")
    }
}