apple-notes-security-basics

# Apple Notes Security Basics ## Overview Apple Notes security involves three layers: macOS TCC (Transparency, Consent, and Control) which gates which apps can send Apple Events to Notes.app, the macOS sandbox that prevents direct database access, and iCloud encryption that protects notes in transit and at rest. For automation scripts, the primary security concerns are: preventing unauthorized Apple Events access, securing exported note data, avoiding credential leakage in scripts, and understanding the difference between standard and end-to-end encrypted (locked) notes. ## Security Checklist - [ ] Scripts run only locally (never expose osascript to network input) - [ ] No note content written to log files (may contain PII or secrets) - [ ] TCC permissions scoped to specific apps only (not blanket approval) - [ ] Exported notes stored with restrictive permissions (`chmod 600`) - [ ] iCloud account uses two-factor authentication - [ ] Automation scripts do not hardcode note content or search terms - [ ] Temporary files cleaned up after processing (`trap` on exit) - [ ] Locked (encrypted) notes handled separately (cannot be read via JXA) ## TCC Permission Management ```bash # Check current TCC grants for Apple Events sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db \ "SELECT client, allowed, auth_reason FROM access WHERE service='kTCCServiceAppleEvents';" \ 2>/dev/null || echo "Cannot read TCC.db — SIP is active (this is expected)" # Reset all Apple Events...