July 3, 2026
When a code editor rewrites your phone's privacy settings
Cursor's iOS app reportedly changes OS-level privacy settings irreversibly. That's not a bug — it's the design philosophy of the entire AI tooling category.

Cursor is known as the AI-first VS Code fork. Smart completions, agent mode, tab-tab-tab. That’s the product on the surface.
The story this week is that installing Cursor on iOS irreversibly changes your privacy settings. The HN thread has the details.
A code editor on your phone is modifying OS-level privacy configuration, and you can’t undo it.

Your device is not your device
People installing Cursor are discovering that privacy toggles — the kind iOS makes you confirm with biometrics — get flipped and stay flipped. You get no prompt, no disclosure, and no way to recover the original state.
This isn’t a permissions bug where you accidentally granted camera access. This is an application reaching past its sandbox and rewriting system configuration that Apple explicitly designed to be user-controlled and persistent.
Cursor’s iOS app is touching the developer certificate chain or MDM-adjacent APIs that iOS exposes for enterprise management. Those APIs can set restrictions at a level that survives uninstall. That’s the irreversible part. The app leaves a residue in your OS that you cannot reach from Settings.
The tooling layer has stopped asking
The problem goes beyond Cursor.
The entire AI tooling category has adopted a posture: install us, let us wire into everything, don’t ask questions. Cursor on desktop wants shell access, filesystem access, your git history, your SSH keys. Claude Code wants run permissions. Codex wants your repo. Every agent framework wants to write to your system and execute arbitrary commands.
On desktop, I’ve made peace with this because I control the environment. My agents run on a Mac Mini. I can wipe it. I can snapshot it. I can watch what they do through Paperclip. The blast radius is contained because I built the container.

On iOS, there is no container you control. Apple controls it. And when an app reaches past Apple’s sandbox, you have lost. You don’t have root. You don’t have a recovery partition you can reflash. You have a sealed device and a setting you can’t find anymore.
Local-first means the device comes first
This is why I run my own stack. Not because I’m paranoid. Because the moment you let a third-party tool own your device configuration, you’ve ceded the one thing that makes local-first computing meaningful.
Local-first isn’t about where the data lives. It’s about who controls the execution environment. If Cursor can silently rewrite your iOS privacy settings, your phone isn’t local-first. It’s Cursor-first.
The HN thread will resolve into a patch and an apology. Some setting will get exposed, some toggle will be added, and people will move on. But the pattern is the real story. AI tooling companies are shipping agents that assume they own the platform they land on. Desktop, mobile, doesn’t matter. They’re not asking for access. They’re taking it.
When an AI coding tool asks to install on your phone, figure out what it’s actually installing into.