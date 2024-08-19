Apple Reduces Excessive Sequoia Permission Requests, Shifts to Monthly
In the latest macOS 15.0 Sequoia beta, Apple has backed off somewhat from the previous release’s radical increase in the frequency with which you would be prompted to approve permission requests from apps that need screen recording access (see “macOS 15 Sequoia’s Excessive Permissions Prompts Will Hurt Security,” 12 August 2024). At 9to5Mac, Chance Miller reports that the latest beta of macOS 15.0 (but not of macOS 15.1, which I’m running) has relaxed the policy. However, the repetitive permissions prompts, which seemingly stem from misguided thinking about how people evaluate digital risks, remain unnecessary.
In the previous macOS 15.0 beta, Sequoia would prompt users to continue allowing screen recording permissions every week for each app, as well as prompting after every restart or logout. Remember that many different kinds of apps request screen recording permissions for entirely legitimate reasons other than directly recording onscreen pixels to an image or movie file. Such apps include Adobe Photoshop, Adobe Premiere, Bartender, Default Folder X, Display Link, Google Chrome, Ice, Keyboard Maestro, Slack, Splashtop, TextSniper, and Zoom.
As of the latest macOS 15.0 beta, Sequoia triggers these additional permission prompts monthly, rather than weekly, and has dropped the additional prompts after restarting or logging out. Miller says the prompt text is now more specific:
[App name] is requesting to bypass the system private window picker and directly access your screen and audio. This will allow [App name] to record your screen and system audio, including personal or sensitive information that may be visible or audible.
Reducing the frequency of these repeated permissions prompts is a step in the right direction, but the overall change is still a mistake. A monthly schedule is less annoying than weekly prompts, but it’s more irritating than what we’re currently accustomed to, with no indication from Apple of why the purported additional security is necessary. There are instances of malware surreptitiously recording the screens of infected Macs, but most predate macOS asking the user to grant screen recording permissions, like FruitFly (2003–2017) and Mokes (2016). In 2021, XCSSET used a zero-day security exploit to bypass the permissions prompt entirely by injecting itself into legitimate apps with such permissions. Repeated prompts wouldn’t have helped in such a situation.
Also, while specificity in interface language has its place, even I don’t know what “requesting to bypass the system window picker” means, so I can’t imagine that a user less involved in the technical details of macOS would have any clue. Allowing obscure technical language to creep into a user interface is problematic on its own; putting it in a dialog meant to inform ordinary users about a potential security concern exacerbates the feelings of ignorance many people already have. Nobody who would have approved usage the first time would find themselves denying it on a subsequent occasion because of this new language. It’s far more likely that people will tune out the dialog gobbledygook and reduce their overall system vigilance.
Many hope the Persistent Content Capture entitlement, which developer Craig Hockenberry pointed out last week, could provide an exemption for approved apps. However, Apple describes it as “a Boolean value that indicates whether a Virtual Network Computing (VNC) app needs persistent access to screen capture” and has said nothing about whether it would be available to apps requesting screen recording permissions for other reasons.
Barring that, I’m sticking with my recommendation from the previous article: present the user with a “Continue to Allow” prompt several days after initially granting an app screen recording permissions. That would cause the user to think about the permissions while the app installation was still fresh and allow them to rescind permissions or remove the app if it was only for short-term use. In the hypothetical scenario where a malicious recording app is being installed by someone with admin access to the Mac, such as a domestic abuser, a randomly scheduled second prompt would be harder to conceal.
The negative reaction from developers, beta testers, and the media has already caused Apple to pull back somewhat on this feature. However, we shouldn’t see it as a compromise worth accepting in its current state because we don’t know why Apple made the poor choice in the first place. I continue to encourage you to tell Apple what you think. If you’re using the public beta of Sequoia, use Feedback Assistant to file another bug against these dialogs. Those who aren’t testing the beta can try using Apple’s Feedback page, perhaps for the Mac you plan to upgrade.
Think about Safari. When you use it to share a window on Google Meet, say, you get the system-level “select the screen element you want to share” picker. That picker is a macOS feature. The user interacts with the user to pick a window, and macOS gives Safari a video stream of that window. Safari doesn’t get access to a list of available windows, and therefore doesn’t need screen sharing permissions, as the user explicitly picks a window to share each time.
Compare this to Chrome, where the “pick a window to share” UI is built by Chrome. It needs to get access to all windows, so it needs screen sharing permissions ahead of time. It then calls the system API to get the list of windows, etc.
If you don’t use the system provided “pick a window” API, you get that warning alert. Technically speaking, that’s the SCKContentSharingPicker. See WWDC 2023 session 10136.
Aha—thanks, Avi! That makes perfect sense, but I still can’t see most ordinary users understanding it. Many of the people I do video calls with can’t reliably share screens in Zoom, much less identify an interface element as the system window picker.
If this were the only annoying thing Apple did. They use two-factor authentication for their discussion groups and the always trust this computer never sticks. It’s a discussion group not my bank account.
Frequently when I put my iPhone into my computer Apple asks if I trust this phone or computer or some such. Come on it’s the same computer and iPhone (both made by Apple) that I’ve had for more than two years. Don’t get me started. Oh, I already have.
I received a reply from Apple about this. Apparently this is an older API and there’s a newer one that developers are supposed to switch to: “As mentioned in Developer and AppleSeed for IT release notes, applications utilizing deprecated APIs for content capture such as CGDisplayStream & CGWindowListCreateImage can trigger system alerts indicating they may be able to collect detailed information about the user. Developers need to migrate to both ScreenCaptureKit and SCContentSharingPicker to prevent these alerts.”
