Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/ macOS 15 Sequoia's Excessive Permissions Prompts Will Hurt Security Adam Engst I rarely write about Apple's betas because something significant may change between when I publish an article and when Apple updates the beta or releases the production version. I don't want to waste your time or mine. But it's a different story when things should change, as is the case with what feels like one of Apple's biggest potential missteps currently in the macOS beta'one from which it could still pull back. macOS 15 Sequoia constantly asks for permission to reauthorize apps that rely on screen recording, which is true of many utilities beyond screenshot apps. It's bad for usability, increases user frustration, and decreases security awareness. Continue to Allow A few days after installing the developer beta of macOS 15.1 Sequoia on my M1 MacBook Air, I realized something was very wrong. I rely on [1]CleanShot X for the many screenshots I take while writing TidBITS and TCN articles, and I wasn't surprised on my first use after upgrading to be asked if I wanted to continue granting CleanShot X permission to capture my screen. After a complete operating system upgrade, I can see Apple's desire to have us verify previously granted permissions we hadn't thought about in a while. (For some people, that's when they discover they're still running a utility or other app they haven't used in years.) However, I was taken aback to receive the same prompt again a short time later. And increasingly irritated when asked again another day or two. And again. And again. Eventually, with my usability hat aflame, I decided to write something about it and tried to capture a screenshot of the dialog. That proved tricky because until I clicked Continue To Allow (and yes, the [2]Apple Style Guide's rules on capitalization clearly state that it should be 'Continue to Allow'), CleanShot X didn't have permission to capture a screenshot. Triggering a screenshot presented a second stacked dialog, and macOS stopped responding for a few minutes. Eventually, I was able to click Continue To Allow in both dialogs and continue working. The problem was that CleanShot X was capturing all mouse clicks as I tried to select the dialog for the screenshot, so I couldn't properly click Continue To Allow. The correct way to capture these screenshots was to press Escape to cancel CleanShot X's screenshot-capturing mode and use Apple's built-in screenshot tools, which, unsurprisingly, require no permissions. Weirdly, it turns out that clicking Open System Settings has the same effect as Continue To Allow, and System Settings provides no additional information explaining the request. Before I finished writing this piece, Chance Miller at 9to5Mac published '[3]macOS Sequoia adds weekly permission prompt for screenshot and screen recording apps.' He does a good job covering the situation, noting that this prompt repetition is intentional on Apple's part, not a bug. The prompts recur weekly, whenever you reboot, or, as I discovered, when you log out and log back in. Although an update to Miller's article quotes well-known developer Craig Hockenberry as noting that there may be an entitlement developers can request from Apple to sidestep these prompts, the company has shared no information about that. Michael Tsai has also captured the [4]outrage from the Mac development community, and both [5]John Gruber and [6]Nick Heer have weighed in. While I was using a screenshot app, many apps request the Screen & System Audio Recording permission in macOS to identify and position onscreen interface elements or perform other tasks. A few of those include Adobe Photoshop, Adobe Premiere, Bartender, Default Folder X, Display Link, Google Chrome, Ice, Keyboard Maestro, Slack, Splashtop, TextSniper, and Zoom. If Apple continues down this path with Sequoia, there will be a lot of approvals to acknowledge every week or more frequently. Security Through Endless Warning Dialogs Many have decried the increase in permissions prompts over the past few years. In '[7]Mojave's New Security and Privacy Protections Face Usability Challenges' (10 September 2018), Rich Mogull presciently wrote: Balancing security notifications and authorization requests is notoriously tricky. Prompt users too often and they will both become annoyed and reflexively click OK. A security feature has failed when the noise of so many alerts leads users to stop reading them'and that eventually leads to malware asking for and receiving authorization. It's a modern-day version of 'The Boy Who Cried Wolf.' We've already passed the point of security alert overload. The first time or two that the Sequoia beta prompted me to reauthorize, I admit that I didn't read the text of the alert beyond determining that I should click Continue To Allow to capture the screenshot I needed for whatever I was writing. The dialog came in direct response to the keyboard shortcut I had just pressed, and I have used and trusted CleanShot X for years. It wasn't until the dialog popped up a few more times that I read it closely to see if I was missing something. I wasn't. Apple seems to assume that all third-party apps that monitor the screen (or audio) could be malicious. That may not be a problematic foundation on which to develop a security framework, but it's patently not the case in the real world. I'd guess that over 99% of apps on all Macs are legitimate, for the simple reason that no one intends to install a malicious app or run it regularly. There have been isolated examples of updates to legitimate apps being compromised ([8]Transmission and Handbrake), but those were in 2016 and 2017'it's just not an everyday concern. We also recently saw the kerfuffle with Bartender, which had long required screen recording permissions, being sold to a new owner without notifying users (see '[9]Bartender Developer Explains and Apologizes for Quiet Acquisition,' 5 June 2024). In none of these cases would extra prompts have made any difference because users had no way of knowing that downloads were compromised or that an app had a new owner. By prompting for continued permission, Apple is asking if we still trust previously trusted apps. What would change in any short period of time that would have us reconsider this action? We would need new information to make a different choice. I could see an argument for double-checking permissions a few days after the first launch to ensure the user knows the app is still active, but repeated checks? After every restart? It made sense when Apple added location permission alerts in iOS that appear occasionally after weeks or months of background location access. The alert shows how many times you've been tracked, shows a map with locations your device has provided, and lets you take a sensible action. The dialog lets you switch location permissions to 'only while using.' Perhaps you had forgotten you gave an app permission during a trip and didn't realize it continued tracking you at home. Maybe you don't remember installing and giving that app permission at all. Whatever the case, the process makes sense'and it pops up only rarely. Adding protections against virtually non-existent threats and providing warnings without a sensible action that can be taken actively harms the Mac experience. More than one writer has brought up the specter of Windows Vista, which became known for excessive security dialogs. Like most Mac users, I didn't use Windows Vista when it shipped in 2007, so these second-hand comparisons felt fuzzy until I dug up [10]this 2006 piece from Stack Overflow and Discourse co-founder Jeff Atwood. He warned that 'security through endless warning dialogs' doesn't work for exactly the reason that has proved to be true: All those earnest warning dialogs eventually blend together into a giant 'click here to get work done' button that nobody bothers to read anymore. The operating system cries wolf so much that when a real wolf'in the form of a virus or malware'rolls around, you'll mindlessly allow it access to whatever it wants, just out of habit. It's depressing to see Apple recapitulating Microsoft's mistakes with Windows Vista from over 15 years ago. Apple's Actual Motivation? I'm left wondering why Apple is adding these additional permissions prompts. The easy answer is that Apple's security team believes that apps regularly go over to the dark side within a week and we will figure that out by getting a prompt to remind us that we have already granted it screen-recording permissions. But that's patently stupid. If the user trusts an app on Monday and nothing changes with that app by the following Monday, there's no reason to doubt the previous trust level. If there were, Apple should use its anti-malware systems to block the app from running at all, right? Perhaps the change was prompted by the success of how Apple quietly modified the [11]passcode requirements for Touch ID and Face ID a while back. In addition to other cases in which you had to enter a passcode for an iPhone or iPad (or a password for a Mac), such as after restarting, Apple added a 6.5-day countdown clock that starts every time you enter your passcode. After that period elapses, a second 4-hour timer starts: if you don't unlock your device with Touch ID or Face ID within that period, you are prompted to enter your passcode the next time you use it. Although it's a slight annoyance for users to enter their passcodes at least once per week, it's an overall security win because the routine reinforcement helps ensure that people don't forget their passcodes. However, with permissions prompts, routine reinforcement is unnecessary and excessive, and it desensitizes us to essential security warnings. Plus, computers should save us from repetitive work, not create more. We can hope that the public outcry will cause Apple to rethink this problematic path, but additional direct user complaints will also help. If you're using the public beta of Sequoia, use [12]Feedback Assistant to file a bug against these dialogs. Those who aren't testing the beta can try using Apple's [13]Feedback page, perhaps for the Mac you plan to upgrade. References Visible links 1. https://cleanshot.com/ 2. https://support.apple.com/guide/applestyleguide/c-apsgb744e4a3/1.0/web/1.0 3. https://9to5mac.com/2024/08/06/macos-sequoia-screen-recording-privacy-prompt/ 4. https://mjtsai.com/blog/2024/08/08/sequoia-screen-recording-prompts-and-the-persistent-content-capture-entitlement/ 5. https://daringfireball.net/2024/08/the_mac_is_a_power_tool 6. https://pxlnv.com/blog/permissions-pollution/ 7. https://tidbits.com/2018/09/10/mojaves-new-security-and-privacy-protections-face-usability-challenges/ 8. https://www.malwarebytes.com/blog/news/2017/05/handbrake-hacked-to-drop-new-variant-of-proton-malware 9. https://tidbits.com/2024/06/05/bartender-developer-explains-and-apologizes-for-quiet-acquisition/ 10. https://blog.codinghorror.com/windows-vista-security-through-endless-warning-dialogs/ 11. https://support.apple.com/en-ie/guide/security/sec9479035f1/web 12. https://feedbackassistant.apple.com/ 13. https://www.apple.com/feedback/ Hidden links: 14. https://tidbits.com/wp/../uploads/2024/08/CleanShot-X-one-dialog.png 15. https://tidbits.com/wp/../uploads/2024/08/CleanShot-X-two-dialogs.png .