223 points maloga | 18 comments
1. eeeeeeeeeeeee ◴[] No.20391053[source]
I couldn't reproduce it (Mac, Mojave 10.14.5). I did this:

1. Ensure Zoom client is not running (the GUI, not the ZoomOpener)

2. Completely delete Zoom client app from /Applications, empty trash

(ZoomOpener continues to run from ~/.zoomus/, not just from memory, it is never deleted)

3. Wait 5 minutes

However, if you click on any Zoom link after you've done those three steps, it will absolutely re-install that client app into /Applications AND launch it into that video room. I confirmed that.

I still feel this is a violation of my trust and I'm uninstalling this app entirely and won't use Zoom again.

Also, if Apple actually cared about the Mac and privacy like they say they do, they would temporarily revoke Zoom's app signing key until they cut this shit out.

replies(5): >>20391115 #>>20391836 #>>20391859 #>>20392126 #>>20392982 #
2. jonwinstanley ◴[] No.20391115[source]
They need to leave them with their key so they can issue an update.
replies(2): >>20391119 #>>20392046 #
3. eeeeeeeeeeeee ◴[] No.20391119[source]
Why? The company blog post is pretty clear that they don't see any of the security issues to be a problem.
4. giancarlostoro ◴[] No.20391836[source]
I am not a big Zoom fan but everyone else but me at work has issues with Zoom. One vendor we do calls with sometimes gets the web version instead of the desktop version any time he joins a Zoom call.

My biggest pet peeve was Cisco's version. I had to install: a browser plugin, which wasn't used, then a desktop app, then a follow up desktop app to support voice and audio. What the actual heck is Cisco smoking!? I was shocked. I cannot believe the sheer incompetency and what saddens me is they probably advertise Webex as a solution but it is such garbage on a Mac. I dare not ask what it's like on Windows or Linux (ha!). I hate to say it but Webex might benefit from becoming an Electron app.

replies(1): >>20391948 #
5. runeb ◴[] No.20391859[source]
Most likely the video creator has a webpage open, waiting to send a request to the Zoom localhost webserver after 90 seconds, triggering the install.
6. yebyen ◴[] No.20391948[source]
Webex and Zoom are absolutely not the same product, they are competitive offerings from different companies.
replies(1): >>20392047 #
7. danShumway ◴[] No.20392046[source]
> so they can issue an update.

Revoking the key and making its restoration conditional on issuing a security patch would be a way to make sure an update does happen. I'm not a fan of Apple's approach to software signing, but this is a good opportunity to showcase some of the benefits that their system does legitimately have.

They'd be stepping in on behalf of users and saying, "Sure you can issue updates. After you fix the security hole."

Right now, Zoom is gambling that they don't need to care about security from a business point of view. Apple can change the situation so they do.

8. giancarlostoro ◴[] No.20392047{3}[source]
> My biggest pet peeve was Cisco's version.

I mentioned this, I just went off on a tangent cause it amazes me how broken some of these pieces of software are, it's a problem we solved a long time ago (audio and video conferencing) and it seems only Electron based apps have been getting it right lately for whatever reason.

replies(1): >>20392157 #
9. MacroChip ◴[] No.20392126[source]
You sure you want that last sentence? If that were happening, we would all be commenting on here about how Apple decides who succeeds and who fails by threatening to revoke companies' keys on a whim.
replies(3): >>20392353 #>>20392395 #>>20392665 #
10. yebyen ◴[] No.20392157{4}[source]
If Zoom has a web-based client, I haven't seen it. I know that WebEx has a web-only client. I thought you had them like, really confused, y'know?

Turns out there is a Zoom Web Client though and I'm all wet.

replies(2): >>20392193 #>>20392497 #
11. giancarlostoro ◴[] No.20392193{5}[source]
All good, but yeah, I didn't know either, sounds like it is yet another one of those "works best in Chrome" clients, I usually use Firefox, and it probably tries to open Zoom. Maybe sometimes people click "open in browser" instead or something? Not sure...

What's worse is WebEx is supposed to be web only supposedly, but I installed 3 things to use it... Totally not HTML5 friendly at all...

For anybody interested in the Zoom web client:

https://support.zoom.us/hc/en-us/articles/214629443

12. vorpalhex ◴[] No.20392353[source]
Apple did that when Facebook was abusing enterprise signed apps and nobody threw shade at Apple. There's a time and place for that, and this is it.

Now, if Apple revoked their cert because they didn't like Zoom's view on <some political issue> then I'd be ranting and raving with the rest of HN.

replies(1): >>20408025 #
13. eeeeeeeeeeeee ◴[] No.20392395[source]
Yes, I do. And in no way is revocation in this instance a “whim.”
replies(1): >>20408001 #
14. kabes ◴[] No.20392497{5}[source]
Their web client is actually doing something quite interesting. Instead of using WebRTC, they load a WebAssembly video codec. They then encode frames in a web worker and transport them via WebSockets over their servers.
15. princekolt ◴[] No.20392665[source]
Why not? The software is effectively working as malware. It should be revoked. And when they approve it again, they should issue a new certificate, to make sure the old software never gets past GateKeeper again.
16. fitzroy ◴[] No.20392982[source]
This is the point of sandboxing apps in the Mac App Store, and (to my understanding) providing simple and complete uninstallation. Mac users that care about issues like this (and I'm not saying they shouldn't) can avoid them by choosing to only install apps from the App Store.

Revoking signing keys on the Mac is pretty extreme considering that Zoom is the creator of the software — and that is what the key is meant to prove / enforce. I think that sets a very bad precedent.

The fact that Zoom is distributed outside of the App Store should at least raise eyebrows for Mac users. At this point, I tend to ask what specific functionality is required by an app, such that it wouldn't be allowed in the Mac App Store — especially for free client software (there can be perfectly valid reasons for this, such as previous versions of BBEdit).

17. MacroChip ◴[] No.20408001{3}[source]
Understood. I would hope that they spell out the terms of when a key revocation would happen if they were to revoke keys.
18. MacroChip ◴[] No.20408025{3}[source]
Ok, thanks for the example. I hadn't heard of that, so I just briefly read about it. It looked like there were clear terms about the Enterprise apps: that it was for internal, employee use. Facebook was distributing it to non-employees. I imagine that is why there was little shade thrown.