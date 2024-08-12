macOS 15 Sequoia’s Excessive Permissions Prompts Will Hurt Security
I rarely write about Apple’s betas because something significant may change between when I publish an article and when Apple updates the beta or releases the production version. I don’t want to waste your time or mine.
But it’s a different story when things should change, as is the case with what feels like one of Apple’s biggest potential missteps currently in the macOS beta—one from which it could still pull back. macOS 15 Sequoia constantly asks for permission to reauthorize apps that rely on screen recording, which is true of many utilities beyond screenshot apps. It’s bad for usability, increases user frustration, and decreases security awareness.
Continue to Allow
A few days after installing the developer beta of macOS 15.1 Sequoia on my M1 MacBook Air, I realized something was very wrong. I rely on CleanShot X for the many screenshots I take while writing TidBITS and TCN articles, and I wasn’t surprised on my first use after upgrading to be asked if I wanted to continue granting CleanShot X permission to capture my screen. After a complete operating system upgrade, I can see Apple’s desire to have us verify previously granted permissions we hadn’t thought about in a while. (For some people, that’s when they discover they’re still running a utility or other app they haven’t used in years.)
However, I was taken aback to receive the same prompt again a short time later. And increasingly irritated when I was asked again after another day or two. And again. And again. Eventually, with my usability hat aflame, I decided to write something about it and tried to capture a screenshot of the dialog. That proved tricky because until I clicked Continue To Allow (and yes, the Apple Style Guide’s rules on capitalization clearly state that it should be “Continue to Allow”), CleanShot X didn’t have permission to capture a screenshot. Triggering a screenshot stacked a second dialog on top of the first, and macOS stopped responding for a few minutes. Eventually, I was able to click Continue To Allow in both dialogs and continue working. The problem was that CleanShot X was capturing all mouse clicks as I tried to select the dialog for the screenshot, so I couldn’t properly click Continue To Allow. The correct way to capture these screenshots was to press Escape to cancel CleanShot X’s screenshot-capturing mode and use Apple’s built-in screenshot tools, which, unsurprisingly, require no permissions. Weirdly, it turns out that clicking Open System Settings has the same effect as Continue To Allow, and System Settings provides no additional information explaining the request.
Before I finished writing this piece, Chance Miller at 9to5Mac published “macOS Sequoia adds weekly permission prompt for screenshot and screen recording apps.” He does a good job covering the situation, noting that this prompt repetition is intentional on Apple’s part, not a bug. The prompts recur weekly, whenever you reboot, or, as I discovered, when you log out and log back in. Although an update to Miller’s article quotes well-known developer Craig Hockenberry as noting that there may be an entitlement developers can request from Apple to sidestep these prompts, the company has shared no information about that. Michael Tsai has also captured the outrage from the Mac development community, and Jason Snell, John Gruber, and Nick Heer have weighed in.
While I mostly encountered these dialogs using a screenshot app, many apps request the Screen & System Audio Recording permission in macOS to identify and position onscreen interface elements or perform other tasks. A few of these include Adobe Photoshop, Adobe Premiere, Bartender, Default Folder X, Display Link, Google Chrome, Ice, Keyboard Maestro, Slack, Splashtop, TextSniper, and Zoom. If Apple continues down this path with Sequoia, there will be a lot of approvals to acknowledge every week or more frequently.
Security Through Endless Warning Dialogs
Many have decried the increase in permissions prompts over the past few years. In “Mojave’s New Security and Privacy Protections Face Usability Challenges” (10 September 2018), security expert Rich Mogull presciently wrote:
Balancing security notifications and authorization requests is notoriously tricky. Prompt users too often and they will both become annoyed and reflexively click OK. A security feature has failed when the noise of so many alerts leads users to stop reading them—and that eventually leads to malware asking for and receiving authorization. It’s a modern-day version of “The Boy Who Cried Wolf.”
We’ve already passed the point of security alert overload. The first time or two that the Sequoia beta prompted me to reauthorize, I admit that I didn’t read the text of the alert beyond determining that I should click Continue To Allow to capture the screenshot I needed for whatever I was writing. The dialog came in direct response to the keyboard shortcut I had just pressed, and I have used and trusted CleanShot X for years. It wasn’t until the dialog popped up a few more times that I read it closely to see if I was missing something. I wasn’t.
Apple seems to assume that all third-party apps that monitor the screen (or audio) could be malicious. That may not be a problematic foundation on which to develop a security framework, but it’s patently not the case in the real world. I’d guess that over 99% of apps on all Macs are legitimate for the simple reason that no one intends to install a malicious app or run it regularly.
There have been isolated examples of updates to legitimate apps being compromised (Transmission and Handbrake), but those were in 2016 and 2017—it’s just not an everyday concern. We also recently saw the kerfuffle with Bartender, which had long required screen recording permissions, being sold to a new owner without notifying users (see “Bartender Developer Explains and Apologizes for Quiet Acquisition,” 5 June 2024). In none of these cases would extra prompts have made any difference because users had no way of knowing that anything had changed.
By prompting for continued permission, Apple is asking if we still trust previously trusted apps. What would change in any short period of time that would have us reconsider this action? We would need new information to make a different choice. I could see an argument for double-checking permissions a few days after the first launch to ensure the user knows the app is still active, but repeated checks? After every restart?
It made sense when Apple added location permission alerts in iOS that appear occasionally after weeks or months of background location access. The alert shows how many times you’ve been tracked, shows a map with locations your device has provided, and lets you take a sensible action. The dialog lets you switch location permissions to “only while using.” Perhaps you had forgotten you gave an app permission during a trip and didn’t realize it continued tracking you at home. Maybe you don’t remember installing and giving that app permission at all. Whatever the case, the process makes sense—and it pops up only rarely.
Adding protections against virtually non-existent threats and providing warnings without a sensible action that can be taken actively harms the Mac experience. More than one writer has brought up the specter of Windows Vista, which became known for excessive security dialogs and prompted mockery from Apple. Like most Mac users, I never used Windows Vista when it shipped in 2007, so these second-hand comparisons felt fuzzy until I dug up this 2006 piece from Stack Overflow and Discourse co-founder Jeff Atwood. He warned that “security through endless warning dialogs” doesn’t work for exactly the reason that has proved to be true:
All those earnest warning dialogs eventually blend together into a giant “click here to get work done” button that nobody bothers to read anymore. The operating system cries wolf so much that when a real wolf—in the form of a virus or malware—rolls around, you’ll mindlessly allow it access to whatever it wants, just out of habit.
It’s depressing to see Apple recapitulating Microsoft’s mistakes from over 15 years ago.
Apple’s Actual Motivation?
I’m left wondering why Apple is adding these additional permissions prompts. The cheap answer is that Apple’s security team believes that apps regularly go over to the dark side within a week and we will figure that out by getting a prompt to remind us that we have already granted it screen-recording permissions. But that’s patently stupid. If the user trusts an app on Monday and nothing changes with that app by the following Monday, there’s no reason to doubt the previous trust level. If there were, Apple should use its anti-malware systems to block the app from running at all, right?
Perhaps the change was prompted by the success of how Apple quietly ratcheted up the passcode requirements for Touch ID and Face ID a while back. In addition to other cases in which you had to enter a passcode for an iPhone or iPad (or a password for a Mac), such as after restarting, Apple added a 6.5-day countdown clock that starts every time you enter your passcode. After that period elapses, a second 4-hour timer starts: if you don’t unlock your device with Touch ID or Face ID within that period, you are prompted to enter your passcode the next time you use it. Although it’s a slight annoyance for users to enter their passcodes at least once per week, it’s an overall security win because the routine reinforcement helps ensure that people don’t forget their passcodes.
However, with permissions prompts, routine reinforcement is unnecessary and excessive, and it desensitizes us to essential security warnings. Plus, computers should save us from repetitive work, not give us more unnecessary buttons to press.
We can hope that the public outcry will cause Apple to rethink this problematic path, but additional direct user complaints will also help. If you’re using the public beta of Sequoia, use Feedback Assistant to file a bug against these dialogs. Those who aren’t testing the beta can try using Apple’s Feedback page, perhaps for the Mac you plan to upgrade.
I look forward to Maps, when I start a route to somewhere Apple considers unsafe, asking me to confirm that I really want to go there, and not letting me do anything on my iPhone until I’ve answered. And doing the same thing every time I want to go there subsequently.
There is a similar annoying problem.
Any time I backup my iPhone to my MacBook via the Finder or via iMazing the following message appears on the iPhone
Trust This Computer?
Enter passcode to trust this computer
and start a backup.
meaning that I trust my MacBook only this one time, and have to repeat the trust statement again and again.
This has an additional negative consequence: automatic backups via iMazing are no longer possible,
I get the prompts every time after the machine wakes up from sleep. It is very annoying, to say the least.
Yes! We wrote about that a while back.
Interesting. I thought I’d gotten them more frequently than every restart or logout, but when I explicitly tested sleeping, I didn’t get the dialogs. I wonder if there’s something else combined with sleep that triggers them.
It might be worthwhile for everyone that is impacted by this to provide feedback to Apple indicating that this “feature” severely impacts productivity and usability of macOS and needs to be re-evaluated. (It’s been done in the past).
Providing examples of applications that would generate these prompts and keeping the feedback fact-based – eschewing the outrage – might get Apple’s attention if enough of us do this. I, for example, use VMware Fusion which needs screen recording privileges - and it would be an extreme annoyance to re-authorize the function on any regular basis.
Perhaps the ability to permanently white-list applications, or provide application-by-application control would be preferable than this blanket “authorize everything after 1 week”.
The issue with iPhone backups carries another security weakness that I’ve not seen mentioned before. When you manually request a backup from your Mac, or if you have it set up for automatic backups to your Mac (which is still possible to do with iMazing—you just have to enter the passcode every time), you’ll get the passcode pop-up—without anything identifying the computer requesting the backup.
That is, it asks you if you trust an unnamed, unspecified computer that’s requesting a backup. Am I the only one who can see ways for this to go very wrong?
It shouldn’t bother me for wired backups; after all, I’m going to be sitting at the computer, and I can see the USB cable connecting the device to my Mac. But the pop-up is identical for wired and wireless backups, and does not indicate which the request is.
This means that, in theory, if a bad actor in or near your household or office was able to associate your iPhone with their computer, it’s conceivable that they could time a wireless backup request from their Mac to whenever you’re about to do a wired backup to your own Mac. As long as they don’t jump the gun, the timing doesn’t have to be perfect, as it can take up to several seconds for the prompt to appear on the device. Since the pop-up doesn’t indicate the requesting computer or the manner in which the backup is to be conducted, you have nothing to alert you that this request is not your own.
While I have trust that Apple’s security measures would make this kind of interception difficult, I don’t trust that it’s impossible or even impractical to attempt. The data thief could be an obnoxious roommate, a partner who suspects you of cheating, a business colleague who wants to sabotage you, or any number of other close-to-you people. If you’re an “important person”, the data on your phone might be worth an outsider specifically targeting in this manner.
You also have no assurance that the pop-up is genuine. There is nothing about it that can’t be replicated by an app. So instead of raw data theft, the culprit could just be after your passcode. Granted, this is a bit less likely, because it requires the perpetrator to know when you have automatic backups scheduled, which even social engineering might find tricky. But it’s not outside of the realm of possibility, especially for a person close to you, like those I mentioned above.
I’ll grant this this may seem like an unlikely possibility altogether, cybersecurity concerns shouldn’t be limited to only the probable. The improbable is attempted more often than most people would think. What matters isn’t so much the probability of the method succeeding as it is the motivation someone else has to mess with you.
Apple could easily alleviate this concern by adjusting the passcode prompt to give the name of the computer requesting a backup and whether it’s wired or wireless. That data should already be received by the device as part of the backup request, so there’s no real reason it can’t be shared with the user. While it wouldn’t eliminate the possibility of this kind of attack happening, it would add steps to the attack that would deter some from trying it.
Constantly treating users like idiots, destroying their productivity, ultimately does not lead to better security. It leads the user to NOT trust (in fact, to hate) the very entity who is trying to protect them. It’s an ignorant case of the boy who cried wolf.
I agree! Overuse of security, including forcing password reentry and alternate authentications, causes decreased security overall.
I installed Sequoia 15.1, Beta 2 this afternoon. Apple changed the “Open System Settings” button to read “Allow for One Week” instead. It’s a lot less annoyance.
I’m perpetually debating deleting iMazing given this nuisance.
IMazing is only following Apple backup procedures. I don’t thing they like the requirement anymore than we do. I do agree that too much security layers leads people to not bother at all.
