When Apple introduced its new privacy protection regime in Mojave, there were widespread cries of anguish. Strangely, over the last couple of weeks, few seem to have revisited those issues. Yet they are highly relevant to the vulnerabilities in Zoom and other conferencing software which have dominated macOS news over that period.
Zoom’s first response when challenged by the public disclosure of the vulnerabilities was to blame changes in Safari:
“Second, when Zoom is installed on a Mac device by the user, a limited-functionality web server that can only respond to requests from the local machine is also installed on the device to help launch Zoom meetings. This is a workaround to a change introduced in Safari 12 that requires a user to confirm that they want to start the Zoom client prior to joining every meeting. The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings. We are not alone among video conferencing providers in implementing this solution.”
So, by Zoom’s account, much of the problem was its response to a user protection. However inappropriate you think their solution, it stresses the importance of getting both the interface and the protection right: if Apple overdoes it, at least some developers will put users at risk in order to produce what they see as a better solution.
What Zoom interestingly didn’t mention was Mojave’s new privacy regime, and the need to add its app to the Microphone and Camera lists of the Privacy tab in the Security & Privacy pane, something to which the Zoom app draws attention.
Apple’s much-criticised privacy regime could actually pay off for users in this case. If you had been one of the many who had installed Zoom’s original software, then later removed it, one of the dangers was that its hidden web server would download and install the client at any time in the future. Provided that you disabled access for the app to your camera and microphone before uninstalling it, then any reinstalled client has to go through the same consent procedure as if it hadn’t been installed before.
However, the privacy regime doesn’t (as I had originally written here) automatically remove uninstalled apps from its database, even though they’re no longer shown in the consent lists visible in the pane. If you simply uninstall the old app without removing your consents first, and the app is reinstalled without your being aware, it regains the same levels of access that it had before.
Apple denies apps any access to their listing in the privacy database or pane, so developers are unable to help address this. Apple also makes it impossible for you to change your consent to apps which aren’t installed any longer, so the only way you could go back and fix this would be to reinstall the app, remove your consents, then uninstall it again, which is absurdly messy.
I’m not aware of Apple warning users to remove privacy consents for apps before uninstalling apps which have been added to privacy consent lists, and this is an important issue which needs to be considered by Apple in the evolution of its privacy regime in future.
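One way to make “remove your consents before uninstalling” a repeatable step rather than a trip through the Privacy pane is to script it. The following is an added example, not code from the original post or from Apple or Zoom; it assumes a macOS with tccutil(1) accepting the form `tccutil reset SERVICE BUNDLE_ID` (present on Mojave and later; confirm with `man tccutil`), an app bundle whose Info.plist carries a CFBundleIdentifier, and the function and variable names below, which are my own.

```shell
#!/bin/sh
# Added example (not from the original post, Apple or Zoom): revoke an
# app's Camera and Microphone consents *before* uninstalling it, so that a
# silently reinstalled copy has to ask for them again.
# Assumptions: macOS with tccutil(1) accepting "reset SERVICE BUNDLE_ID"
# (Mojave and later; check `man tccutil`) and an app bundle whose
# Info.plist carries CFBundleIdentifier. Run as the user whose consents
# they are.

# valid_bundle_id: accept only reverse-DNS style ids, so that a bad or
# unexpected argument can never be spliced into the tccutil command line.
valid_bundle_id() {
    case "$1" in
        "")                 return 1 ;;   # empty: Info.plist read failed
        *[!A-Za-z0-9._-]*)  return 1 ;;   # shell metacharacters, spaces
        *.*)                return 0 ;;   # at least one dot: com.vendor.app
        *)                  return 1 ;;
    esac
}

# bundle_id_of: read the id from an installed app bundle (macOS only;
# `defaults read` accepts the plist path without its .plist suffix).
bundle_id_of() {
    defaults read "$1/Contents/Info" CFBundleIdentifier 2>/dev/null
}

# tcc_reset_commands: print the exact commands for a bundle id, one per
# line, so they can be reviewed or logged before anything is run.
tcc_reset_commands() {
    bid="$1"
    valid_bundle_id "$bid" || return 1
    for svc in Camera Microphone; do
        printf 'tccutil reset %s %s\n' "$svc" "$bid"
    done
}

# revoke_before_uninstall: run the resets; stop at the first failure so
# the caller does not go on to uninstall with a consent still in place.
revoke_before_uninstall() {
    bid="$1"
    valid_bundle_id "$bid" || { echo "bad bundle id: '$bid'" >&2; return 1; }
    for svc in Camera Microphone; do
        tccutil reset "$svc" "$bid" || return 1
    done
}

# Usage (hypothetical path), before dragging the app to the Trash:
#   revoke_before_uninstall "$(bundle_id_of /Applications/Example.app)"
```

Printing the commands first (`tcc_reset_commands`) is deliberate: the reset is per bundle id, so a wrong id silently leaves the real app’s consents in place, and the dry-run line is the cheapest check that you are about to reset the right one.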
Go back a couple of years, before this protection was introduced, and a silently reinstalled app couldn’t have faced any such barrier. For once, what we have been complaining about could protect the user’s interests, even though there’s nothing to detect or block the hidden web server.
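The privacy regime says nothing about a local web server, but a loopback-only listener is visible to the ordinary tools. The script below is an added example, not code from the original post; it assumes lsof(1) with its default column layout (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME) and uses a constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output so it runs offline. The helper name, port numbers and allowlist are made up for illustration, not Zoom’s.

```shell
#!/bin/sh
# Added example (not from the original post): list TCP listeners bound only
# to the loopback interface, so a persistent local helper server stands out
# from services bound to all interfaces. Assumes lsof(1) with its default
# column layout; process names, ports and the allowlist are constructed.

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (not real).
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd       1 root   10u  IPv6 0x1a2b      0t0  TCP *:22 (LISTEN)
helperd     842 alice   4u  IPv4 0x3c4d      0t0  TCP 127.0.0.1:18200 (LISTEN)
postgres    910 alice   6u  IPv6 0x5e6f      0t0  TCP [::1]:5432 (LISTEN)
node       1203 alice  22u  IPv4 0x7a8b      0t0  TCP 0.0.0.0:3000 (LISTEN)'

# loopback_listeners: read lsof output on stdin and print
# "COMMAND PID USER PORT" for each socket bound to 127.0.0.1 or [::1].
loopback_listeners() {
    awk 'NR > 1 && $NF == "(LISTEN)" {
        addr = $(NF-1)
        if (addr ~ /^127\.0\.0\.1:/ || addr ~ /^\[::1\]:/) {
            n = split(addr, parts, ":")   # port is always the last piece
            print $1, $2, $3, parts[n]
        }
    }'
}

# report_loopback_listeners: same, minus command names you already expect
# (space-separated allowlist in $1). What remains deserves a look: which
# app installed it, and does it survive that app being uninstalled?
report_loopback_listeners() {
    loopback_listeners | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok) { print }'
}

# Offline demonstration on the constructed sample; pass --live to scan
# this machine instead (requires lsof).
if [ "${1:-}" = "--live" ] && command -v lsof >/dev/null 2>&1; then
    lsof -nP -iTCP -sTCP:LISTEN | report_loopback_listeners "postgres"
else
    printf '%s\n' "$SAMPLE_LSOF" | report_loopback_listeners "postgres"
fi
```

On the sample this reports only `helperd 842 alice 18200`: the SSH and Node listeners are not loopback-only, and postgres is allowlisted. A listener that is still there after the app that installed it is gone is exactly the case the post describes.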
But astute observers will know that isn’t the end of the issue, as one app in particular gains access to both Camera and Microphone, but never appears in the Privacy lists: FaceTime. Even though my Camera access list is empty, FaceTime is turned on without so much as a mention here. Unlike any third-party app, it is allowed to control access itself.
As we move closer to the release of Catalina, with its enhanced privacy regime, Apple has to be extremely careful to avoid pushing some developers to the point where they sacrifice security for the sake of reducing friction for the user. For the Zoom affair has demonstrated that controlling access to the camera is straightforward, but detecting a hidden web server is far tougher, and removing it from all Macs is costly.
(Thanks to Jeff Johnson @lapcatsoftware for pointing out that manual removal from privacy lists is required to prevent reinstalled apps from being granted the same access as before – a very important point.)