←back to thread

Zoom needs to clean up its privacy act

(blogs.harvard.edu)
1597 points seapunk | 4 comments | 27 Mar 20 14:18 UTC | HN request time: 0.001s | source
Show context
mrpippy ◴[27 Mar 20 20:39 UTC] No.22706650[source]
I just downloaded Zoom for Mac, saw that it was a .pkg file. Great, I can see what files it installs before I install it.

I open the .pkg, click Continue so it can run its script, then a second later Installer quits and the app launches. What?!

Turns out, Zoom installs the entire app in the 'preinstall' script of the installer package! Inside there's a copy of '7z', and the app is extracted with that. The preinstall script is littered with typos and poor grammar.

I'm not one of those people who thinks that Apple is going to force all Mac software to come through the App Store, but when I see stuff this stupid...I start to wonder.

replies(7): >>22707224 #>>22707541 #>>22707597 #>>22707817 #>>22707988 #>>22734686 #>>22752961 #
Wowfunhappy ◴[27 Mar 20 21:50 UTC] No.22707224[source]
While I also dislike this type of thing, remember that Zoom's business is built on getting people into calls as quickly as possible. Seconds matter.

So I can totally understand why they would want to use 7zip to shave kilobytes off the download size.

replies(3): >>22707302 #>>22707333 #>>22764419 #
swiley ◴[27 Mar 20 22:05 UTC] No.22707333[source]
7zip isn’t the complaint, it’s that the installer installs the app before the user OKs it.

Honestly zoom is something that I would never let near a personal computer. What really surprised me is that there’s a “zoomgov.” (a friend at a defense contractor showed me) Either our government is enjoying the benefits of being able to force companies to be audited because of defense budgets or things have become way more relaxed than they should be. Judging by our “stockpiles” and inability to get critical equipment I’m guessing the second one.

replies(2): >>22707411 #>>22707514 #
1. Wowfunhappy ◴[27 Mar 20 22:16 UTC] No.22707411[source]
> 7zip isn’t the complaint, it’s that the installer installs the app before the user OKs it.

...I was about to write a reply saying "well in that case I don't understand what the GP is complaining about", but then I opened up the installer again.

I didn't fully take in what the parent was saying. Zoom is completely short-circuiting the normal macOS package install flow. You click continue once to acknowledge that "this package will run a program to determine if the software can be installed", and then Zoom is suddenly installed and the installer exits.

I can understand why they did it, but it's not good.

Although, Apple deserves some blame here. Firstly because their non-app-store software install flow has been screwed up since the release of Lion, and secondly because why can't you use Installer's "Show Files" option before the preinstall step?

replies(1): >>22707842 #
2. jscholes ◴[27 Mar 20 23:30 UTC] No.22707842[source]
I'm not a MacOS user, but I'm having a really hard time getting my head around this:

1. You download an installer.

2. You activate that installer.

3. Your system tells you that the installer can run some code.

4. You agree to the installer running some code.

5. The installer installs some software, via the code that you said the installer could run.

Seems perfectly acceptable to me. If you literally cannot open up the archive file to inspect its contents without running some code inside it, that's not Zoom's problem. It's just a really stupid decision on the part of Apple.

replies(2): >>22707903 #>>22734894 #
3. Wowfunhappy ◴[27 Mar 20 23:42 UTC] No.22707903[source]
> Your system tells you that the installer can run some code.

The message reads "this package will run a program _to determine if the software can be installed_". Old iWork updates used this to see you had a previous version of iWork on your computer. nVidia's Web Drivers used it to check if your Mac had an nVidia card. No other macOS pkg that I'm aware of makes actual changes made to your system during this step. That's not what the user agreed to.

Behind the consent message is a grayed-out "next" button that you never get to click.

I suppose this system was ripe for abuse, but that doesn't excuse the people who abuse it.

4. xenadu02 ◴[31 Mar 20 04:19 UTC] No.22734894[source]
This is a legacy path in the installer they are abusing.

Pre-install scripts are only supposed to do things like check if you have prerequisites installed, eg if your app requires some version of Python or whatever.

Instead they are abusing that to just install everything immediately.

There is literally no reason for it beyond saving one or two clicks.