I get 114 credentials, which, I assume, it pulls out of Keychain.
OK, Dave, I got 225. And indeed it does look like they come out of
Keychain. You're getting closer to convincing me.
But I find it hard to believe that the system would give your app the
credential without at least one of those dialog boxes that says
Dave's App wants access to keychain item blahblah.
Do you want to allow access to Dave's App?
[ ] Always allow
Unless....
Open Keychain access, find the item that you think your app is using,
doubleclick, then click the Access Control tab. Is your app listed
as having access? If so, then yes you're correct. (How did it get
in there???) The solution is to remove the access. You can do it
manually if this was a one-time fluke, or if necessary to do
programatically try SecACLRemove().
