The demo set decision that made Guard honest about iOS sandbox

What we thought we could do

We started Guard with the assumption that most privacy apps work the same way. You install the app, it scans your device, it lists all your installed apps and their permissions, and you can instantly revoke access to sensitive data. That's the mental model everyone has. That's what felt right.

The problem is iOS doesn't work that way. Apple's sandbox is designed so tightly that no third-party app can ask another app, 'What permissions do you have?' There's no system call for it. No permission exists that grants one app visibility into another app's actual permission state. The wall is by design, not accident.

We spent weeks exploring workarounds. Could we use private APIs? No. Could we hook into system logs? No. Could we build our own permission database and guess based on app behaviour? Theoretically, but it would be guesswork wrapped in false authority. That felt worse than useless. That felt dishonest.

The conversation that forced the truth

Our product lead and I sat down with a spreadsheet of all the apps we wanted to scan. Instagram. TikTok. Maps. Gmail. Spotify. We had about forty in mind. Then we asked: if we can't actually see what these apps have access to on someone's phone, what are we doing?

The answer came quickly: we can do something better. We know what these apps ask for during their onboarding. We know from their privacy labels on the App Store. We know from years of privacy research which permissions are the norm for these categories. What if instead of lying and saying we scanned your phone, we showed you a curated demo set of the most popular apps and the permissions they typically request? Then we walk you straight into iOS Settings to see what you've actually given them.

That felt like the opposite of what we'd planned. It was also honest.

The demo set becomes the product

We picked twelve apps for the Free dashboard. Mail, Maps, Instagram, Facebook, TikTok, Spotify, Photos, YouTube, Contacts, Camera, Microphone, Location. These are the ones people actually use, the ones that ask for something real. Every permission you see in Guard's dashboard is a permission that app actually requests from iOS. Every privacy risk score is based on what that app can actually do with the data it asks for.

That changes the entire framing. Guard doesn't claim to be a system-level auditor. It's a privacy educator. It shows you twelve of the apps you almost certainly have, it shows you what they ask permission for, and then it gives you a number out of 100 that reflects the real-world privacy risk if you've granted those permissions. Tap any flagged permission and we deep-link you straight into iOS Settings, where the truth lives. That's the honest product.

Personal Pro adds real-time alerts when those permissions actually change. A clipboard safety check, so you know when apps are reading what you've copied. Data exposure profiles and tracking details so you understand the full picture. But all of it builds on the same foundation: we're showing you what actually matters, not pretending to see what iOS won't let us see.

Why this decision still matters at launch

I mention this because the conversation around privacy apps is usually about features and speeds and numbers. Everyone wants to sound like they're seeing everything. We wanted to build something people could trust because it wasn't overpromising.

There are privacy apps that claim to scan your entire phone. They can't. There are privacy tools that tell you your data is completely safe. They can't know that. And there are products that obscure the limits of what they do behind marketing language.

Guard's demo set exists because iOS's sandbox is real and we decided to respect it instead of work around it. That constraint became the clarity. We can't see what your apps are actually doing behind closed doors; iOS won't let us. But we can show you what they're asking permission for. We can show you which of those permissions are risky. We can walk you to the settings where you decide. And we can alert you in real time if something changes.

That's the honest version. It turns out it's also the version that helps people actually secure their phones.

The question that led somewhere real

That engineer's question 'Can we actually see what permissions your installed apps have?' could have ended in a pivot or a quiet compromise. Instead it forced us to design around the truth instead of around what sounded impressive.

Most of what we build now flows from that single decision. Family tier with controls for six devices came next, because parents needed to understand what their children's phones were exposed to. The permission breakdown chart came because people wanted to see at a glance which categories of apps were asking for what. Clipboard safety checks came because Apple's iOS 14 update showed us people suddenly cared about this, and it was one thing iOS actually exposes to third-party apps.

Every feature we've built since has come with the same question underneath: can we actually deliver this, or are we just making it sound better than it is? That's not the sexiest design philosophy. But it's the one that meant we could sleep at night.