
How the Zoom macOS installer does its job without you clicking ‘install’ - _Microft
https://twitter.com/c1truz_/status/1244737672930824193
======
pottertheotter
I installed Zoom on macOS yesterday and I thought that the install was
crashing because this is not the expected behavior. I would double click the
download, try to install, and then the installation program would "crash", so
I'd try it again. Did that a few times before I realized it was installed.
Until now I thought it had somehow gotten far enough in the installation
process before crashing that I could at least use the application. I'd been
hearing everyone raving about how Zoom was so much better software than
anything else, and my first experience was their installer doesn't even work.

This was a horrible user experience for me, and I wasn't thinking about
security implications at all.

~~~
yreg
I too don't get how Zoom is considered "the superior software". Maybe the
calls don't drop, but the experience is bad (at least on macOS).

~~~
7ewis
Said this on Reddit the other day and got downvoted.

It _is_ bad on macOS. It used to be one of the better platforms to stream
video content to others, but now it just lacks in many areas compared to most
of its competitors.

The worst bug I had was it essentially started muting random people on a call,
but only for me. I could see their mouth moving, and thought it was a problem
their side but turns out everyone else could hear them apart from me. I could
hear everyone else too apart from them.

------
tambourine_man
Zoom's got a tradition of being, let's put it like this, way too clever for
everyone's own good.

See previous “let's install a server on this Mac that is not removed when you
uninstall the app and leaves your camera open to the entire internet” for more
examples.

I use it on a VM, I suggest you do it too.

~~~
elevenoh
Best zoom alternative?

~~~
luto
Jitsi, Google Meet, bigbluebutton -- anything that runs in a browser tab and is
more or less confined within it.

~~~
adtac
I wouldn't be surprised if Zoom suddenly started exploiting browser zero days
to force install things "for your own good"

~~~
saagarjha
Good thing that this is somewhat difficult to do ;)

------
manigandham
1) If Zoom can do this then it's a MacOS security bug.

2) UX matters. Users don't care about the technical details, they want a
smooth experience and that can be the difference between a billion-dollar
business or a failed startup. And yes the desktop version is more stable than
the web-based UI.

3) Malware is defined by what it does, not how it's installed.

~~~
Gaelan
I mean, it's not really a security bug. Installer.app displays a dialog box
that says "Hey, this package wants to run arbitrary code to check if it's
compatible with your system. Is that OK?" The user is explicitly opting into
the code execution. Zoom's "compatibility check" installs the app and kills
the installer window. That's certainly unexpected behavior, but I don't think
it's an exploit in any real sense.

While normally I'd object to running arbitrary code with just an
easily-skippable dialog as confirmation, I think it's OK in this case where the
expectation was that we're installing their software anyway.

~~~
etaioinshrdlu
It's really Apple's fault. "This package will run a program to determine if
the software can be installed." Is just fundamentally a very strange statement
to make, loaded with vagueness.

Think about your average user... they are running an installer program...
which alerts them that they need to run another program... to determine if
they can install the program.... (Which the user thought they were already
doing)

The loaded expectation of the user to realize they are granting privileges to
a program to determine whether they can install a program is just totally
unreasonable.

It just sounds more and more ridiculous written out like this.

~~~
Smoosh
On top of this, a standard install asks for permissions, but doesn't disclose
who/what is asking for it (certified in some way) or what permissions it
wants, if these are temporary for the install or permanent for the
application, or what it is going to do during the install (what goes where,
what gets changed etc).

It is long past time for Apple to improve this process.

------
lultimouomo
I think this also shows how macOS has been training users to enter their
password in random dialogs that have absolutely nothing that identifies them
as being legit OS dialogs. The dialog that Zoom uses could very well be
sending the credentials to a remote server, and the user would be none the
wiser.

~~~
Wowfunhappy
Note that in this case, it's still a legit OS dialog. Preflight scripts are
very much built into the macOS pkg format, they're just not intended to be
used like this.

~~~
danieldk
I never understood why Apple still supports the pkg format. It seems a
half-baked leftover from the 2000s and even then I was already surprised that
there is no way to uninstall things through the macOS GUI. I am not sure if
this has changed (I try to avoid pkg files and use Homebrew cask to uninstall
such packages), but IIRC you had to list the files with _pkgutil_ on the
command-line, remove stuff by hand and then _--forget_ the package.

They should just kill the format. Everything should just be drag to install,
drag to trash to remove.

~~~
javagram
In my experience I’ve seen even technical users (who were used to Windows)
struggle with the idea of dragging an .app from an open disk image to the
Applications folder. They would end up running the app from the disk image and
then getting confused when it disappears after restart.

~~~
Wowfunhappy
This system worked so much better when the Applications folder was placed in
the Dock by default, and everyone used that folder to launch applications
(which weren't common enough to keep in the Dock directly).

It was actually a really beautiful synergy—you install applications by copying
them to a folder, and launch them from that folder. Same way you'd acquire and
open files. Lovely.

Then Apple ruined it in Lion with Launchpad. Their app install flow for
anything outside of the app store doesn't make any sense.

~~~
Smoosh
In even earlier days, applications didn't need to be installed at all. You
just ran them from wherever they were*. Of course, it made sense to store
them somewhere together, and you could cause yourself problems if you put
applications onto disks you then ejected**. But the current system is clearly
influenced by the UNIX underpinnings, and I'm not sure that the average user
fully "gets it".

* though preferences files were a bit of a mess.

** I vaguely remember in early Macintosh System versions you would be prompted
to insert the disk (with the correct disk name in the message) if you tried to
open a file belonging to an application which was on an ejected disk.

~~~
int_19h
You can still run them from wherever they are. The problem is that users do
that once, exit, and then later forget where the app was.

~~~
saagarjha
There are issues when running from the downloads folder (translocation).

------
aequitas
Not that I'm in favor of this practice, but the one key feature that
conference software must have is: it just works™.

Nothing turns you off more from a conferencing solution than: any problem
getting it working right now.

When there is just the slightest issue, one person not being able to join, one
person not getting voice to work, bad audio, your entire team is
blocked/distracted. Which results in a collective disdain for the solution and
video conferencing as a whole.

This extends to getting the solution working for greenfield installs as simple
as possible. Because who knows which non-tech users from which department all
need to join and can't figure out how to set the permission in their browser
right or install/use the other browser that is compatible.

So sadly, from a functionality point of view, you want to have the software be
able to force itself onto the user in the most usable state it can.

~~~
t0mas88
I'm still curious why everyone thinks Zoom "just works" while others don't.
Because in an enterprise context it is often hard to download an executable
and run it with sufficient permissions. While Google and Microsoft both offer
a product that "just works" with only a browser. What makes Zoom more "just
works" than that?

~~~
impendia
I'm a college professor, and I'll share my perspective.

For one, Zoom _did_ just work. (At least as a participant, rather than an
organizer.) I tried it out, and it immediately worked. It did what all of us
were expecting, with no fuss.

I also tried MS Teams. It seems designed with a different philosophy: that you
use the software to do many different things, and you want them all
integrated. (For example, it posted my meetings automatically to my Outlook
calendar. I had never used this calendar before, and was only dimly aware that
it existed.)

Moreover, it seems that the expected setup is a bunch of people, all at the
same workplace, who communicate with each other consistently. My needs are
different, with wildly disparate use cases: a departmental meeting; classes to
teach; an online conference
(https://www.daniellitt.com/agonize/);
an online social gathering. Many of the people with whom I communicate don't
work for the same employer. And I don't want to configure all of these "teams"
in advance.

That said, I tried to get MS Teams up and running, to teach my class. This
involved multiple emails back and forth to our tech support (it seems that I
can't set up a "team" myself; I have to ask IT to do it for me). It didn't
have its own whiteboard functionality so I had to download and run some
separate software.

And, then, in the end... it didn't work. I was trying to teach a class, but my
students couldn't see what I was doing. I had no idea why.

~~~
gentleman11
Zoom doesn’t just work. If the students want privacy, they are just helpless.

Edit: downvoted for speaking up for student rights. Sorry if it is
inconvenient for the teachers

~~~
impendia
> If the students want privacy, they are just helpless.

This isn't true actually. As a student, send the following email:

"Hi Professor, I just read this webpage [link], which outlines some privacy
concerns with Zoom. I know some other classes are running Software X, could we
try that instead?"

My university isn't _mandating_ Zoom. Indeed, they recommended several
software packages, of which their top recommendation was Blackboard. (Which is
what I've been using so far. I have mostly joined others' Zoom meetings; I've
only initiated them for a D+D game I'm participating in.) MS Teams was their
second recommendation as I recall, and Zoom was below that.

At least at my university -- and I expect that this is typical -- individual
faculty members are deciding how to best fulfill their own responsibilities.
And I have emphasized to my students that I have never done this before, and
that I'm happy to change what I'm doing if people have good suggestions.

~~~
saagarjha
> "Hi Professor, I just read this webpage [link], which outlines some privacy
> concerns with Zoom. I know some other classes are running Software X, could
> we try that instead?"

Hi [Student],

I appreciate your concern; however, our university has conducted a thorough
audit of this software and found that it satisfies our needs. We will continue
using it for our lectures.

Regards, Dr. [Professor]

Senior tenured chair of [Department], distinguished lecturer, [University]

------
jeroenhd
As someone who's never used or seen Zoom in action, what's pulling people into
Zoom that's not already available in other tools (Hangouts Meet, MS Teams) and
even works without installing anything (such as Jitsi)?

Based on what I've seen, there's just so much hostile behaviour by the company
(including lying about meeting HIPAA e2e requirements!) and the fact that
their _official client_ had parts removed by the macOS malware removal tool
that I just don't get why people still consider it as an option. If it were
the only "just works" tool out there I'd understand, but there's plenty of
competition in this space.

I've personally begun using the Jitsi server the local student network
association has set up and it's been working like a dream. You can even share
a window to others (which I didn't even know browsers had support for) for
presentations and such.

~~~
aeyes
I use Zoom, Hangouts, Slack and WebEx. Out of those Zoom has the best call
quality, and it is the only solution out of the 4 on which huge meetings (50+
persons) are workable.

~~~
benhurmarcel
I've been in Google Meet meetings with 100 to 150 participants, it worked
fine.

~~~
rootusrootus
Was just on a Zoom call with 656 participants, and it was remarkably better
than any other solution we've tried in the past.

------
realityking
I really wish they'd make the client available in the Mac App Store. Not only
is the installation experience better than this, things also stay nicely
up-to-date. If your company runs an MDM for your Macs, it's easy to deploy apps
en masse to everyone.

~~~
saagarjha
But then they'd need to opt-in to sandboxing and other "onerous" requirements
and couldn't pull shady things like this.

~~~
ThePowerOfFuet
Nailed it.

------
factorialboy
Why isn't this categorized as a major Mac OS vulnerability? If Zoom abuses
preinstall scripts, what's to say others aren't.

~~~
lonelappde
It's not a vulnerability, as the dialog says "run a program" and prompts for
confirmation.

It's up to the user's imagination to consider what a program can do.

The prompt is terribly worded though.

~~~
ddebernardy
It seems macOS could use virtualization or permissions to run these scripts in
some throwaway environment to get rid of the problem altogether. Preflight
check programs shouldn't be able to write anything to disk.

------
paulgpetty
Two questions this raises, for me at least:

How do I know I’ve completely uninstalled all the things Zoom installed?

And, if Zoom provided a separate uninstaller (like many apps do) and it was
verified to purge all of the stuff they installed (along with the
uninstaller); would that appease people's concerns?

For now I’m sticking with the iOS app for video & their web-based experience
for desktop sharing...

~~~
Hackbraten
If you have Homebrew installed, you can run `brew cask zap zoomus` to get rid
of all the things (as far as we know) Zoom has installed.

If you prefer to remove it manually, here’s the list of files and folders
Homebrew will delete on `brew cask zap zoomus`:

[https://github.com/Homebrew/homebrew-cask/blob/a6026e0a36c22eb4615df96598682f7ae931ebe3/Casks/zoomus.rb#L24-L43](https://github.com/Homebrew/homebrew-cask/blob/a6026e0a36c22eb4615df96598682f7ae931ebe3/Casks/zoomus.rb#L24-L43)

~~~
saagarjha
Your list seems to be missing a couple of files that the Zoom uninstaller
cleans up.

~~~
Hackbraten
That's deliberate. Homebrew always runs the Zoom uninstaller first before
going through the list.

Running the uninstaller is enforced by the `pkg` declaration. See also:
[https://github.com/Homebrew/homebrew-cask/blob/a6026e0a36c22eb4615df96598682f7ae931ebe3/Casks/zoomus.rb#L13](https://github.com/Homebrew/homebrew-cask/blob/a6026e0a36c22eb4615df96598682f7ae931ebe3/Casks/zoomus.rb#L13)

------
eyegor
Can someone explain to me what the problem is? If you run the installer, isn't
that consent to install the software? That's the whole point of it. I guess
this isn't the "Mac way" but this is exactly how I would write an install
script if I was slapping together support for other platforms. In fact this is
the same way most installers work: it unzips an archive somewhere, then
creates the links for remove/launch/etc.

What is the typical install process for software on a Mac?

~~~
notriddle
Zoom is using a hook in the macOS installer framework in a way that is not
intended.

This is forming a troubling pattern [1]. Zoom will do _anything_ to reduce the
number of clicks to start a conference, even if it results in a misleading
installer prompt or security vulnerability.

[1]: [https://www.zdnet.com/article/zoom-defends-use-of-local-web-server-on-macs-after-security-report/](https://www.zdnet.com/article/zoom-defends-use-of-local-web-server-on-macs-after-security-report/)

~~~
whateveracct
Many PMs are obsessed with click optimization. I've been told many times that
a certain feature or security method is no-go due to it being "too many
clicks" full-stop -.-

------
t0mas88
The whole torrent of grey area, just over the line and outright shady behavior
at Zoom is a problem in itself even if all the separate instances in isolation
aren't grounds to stop using them. Their responses to security issues and
today's revelation of misleading marketing on E2E encryption make it clear
they're not just making isolated mistakes. Shady is at the core of how they
operate, this is an indication that Zoom has a company culture of accepting
borderline behavior. Otherwise it wouldn't be so widespread.

As a customer this is a reason for me to stop using Zoom. Not in the last
place because I'm quite sure we're only seeing the public tip of the iceberg
of all the unacceptable things happening within Zoom.

~~~
capableweb
Unfortunately, the current system and people in power seem to not give a damn
about security and shady behavior, as long as the thing they are using is
working and working well. Zoom is an example of very useful and performant
software with a shady company behind it, that's why people will continue using
it.

Same with Uber, Google and bunch of other companies. It doesn't matter what
they do, as their product is helping people enough for people to look past the
terrible things.

~~~
Fiahil
Enterprise customers DO give a damn about security. They can be slow to react,
but rules are also there for a very long time. If Zoom doesn't want to lose
most of their marketshare in favor of WebEx, they should probably address
these issues.

~~~
krageon
> Enterprise customers DO give a damn about security

You are wrong. Even without extensive experience in the space, you can very
easily see how even _large_ companies don't secure themselves at all. The US
has had Equifax recently, and it's not like that was an isolated example
either. There just isn't a security culture at the eye-watering heights of
corporate upper management and while everyone's as busy making money as they
are, there never will be. It doesn't fit into the system, and anyone who tries
to change it gets muscled out by people who don't want it to change - because
that is simply what's most efficient.

~~~
mywittyname
This has been my experience as well. Large companies pay lip-service to
security that protects their customers; they want just enough for legal
deniability in the event of a breach, but not so much that it impacts
operations or profits.

However, they can be...enthusiastic when it comes to security around
protecting themselves. If you report an issue with customer information on a
public S3 bucket, they might get around to fixing it someday, but if there are
"trade secrets" or the like in that bucket, the issue is going to get fixed
immediately and someone with a big title probably won't be coming in tomorrow.

------
fermienrico
Also, Zoom's entire engineering team is based in China [1]. China and Chinese
companies have no real culture of user centric privacy.

[1]
[https://news.ycombinator.com/item?id=22707528](https://news.ycombinator.com/item?id=22707528)

Edit: Why downvote me? I am not trying to stir up flame wars. Saying anything
against China has become impossible to do on HN. Voices get drowned despite of
raising _real_ legitimate concerns about privacy, especially for a tool used
by millions all of a sudden during this pandemic. People should be speaking up
on HN. I know, I am not supposed to complain about downvotes on HN, I've read
the guidelines.

Edit2: Not able to find the source for Tianjin datacenter, I will reply if I
can find it. Please take it with a grain of salt.

Edit3: Holy shit, so much attention on my comment. Redacting unsubstantiated
claims and adding more sources that can be traced on the wikipedia section of
Zoom privacy criticisms:
[https://en.wikipedia.org/wiki/Zoom_Video_Communications#Crit...](https://en.wikipedia.org/wiki/Zoom_Video_Communications#Criticism)

~~~
dang
Please don't break the site guidelines [1] by going on about downvoting. Your
comment has been heavily upvoted. Meanwhile complaints like that linger on as
off-topic and false, and don't garbage-collect themselves.

You can use HN Search to verify that HN sees plenty of comments "saying
anything against China". The topic is extremely flame-prone because people are
wont to hurl generalizations at each other, and worse. Nationalistic flamebait
and flamewar is a big problem on HN [2] and destructive of the spirit of this
site [1]. Individuals have been attacked here just for expressing their
views while being (or being assumed to be) Chinese, and at least one person
was hounded off the site altogether. I'm sure you'll agree that that's
shocking and not at all the community we want to be. None of us wants it, but
it's easy to get it anyway, once such flames get going.

I don't think your comment was nationalistic flamebait, except insofar as it
was rather unsubstantive. Unsubstantive comments on inflammatory topics are
guaranteed to come across in a flamey way to some segment of the readership,
even when that wasn't your intent. Intent doesn't communicate itself,
unfortunately, so the burden is on the commenter to disambiguate [4].

[1]
[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

[2]
[https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...](https://hn.algolia.com/?dateRange=all&page=0&prefix=true&query=by%3Adang%20nationalistic&sort=byDate&type=comment)

[3]
[https://news.ycombinator.com/item?id=21200971](https://news.ycombinator.com/item?id=21200971)

[https://news.ycombinator.com/item?id=21195898](https://news.ycombinator.com/item?id=21195898)

[https://news.ycombinator.com/item?id=19404162](https://news.ycombinator.com/item?id=19404162)

[https://news.ycombinator.com/item?id=22608635](https://news.ycombinator.com/item?id=22608635)

[4]
[https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...](https://hn.algolia.com/?dateRange=all&page=0&prefix=false&query=by%3Adang%20burden%20disambiguate&sort=byDate&type=comment)

~~~
fermienrico
Understood, thanks and accept my apologies. I have some feedback - please make
exceptions when discussing fact based discussions around privacy when it is
not tending towards flame wars, especially related to Chinese influence and
erosion of privacy. I can see why this can lead to flame wars but that's where
you should step in and moderate. I just read your links to people getting
harassed if they are Chinese, that's not cool.

~~~
dang
I think my comment addresses this, but perhaps you were replying to an earlier
version, or perhaps I wasn't clear enough. What you posted _was_ trending
towards flamewar, even though you didn't intend it that way. Telling
moderators to "step in and moderate" isn't sufficient to solve this problem.
For one thing, we don't come close to seeing all the material that gets
posted—there's far too much. We do step in, but we also need users like you to
understand the problem a bit differently. If you're going to comment on an
inflammatory topic, you need to make sure your comment is substantive, i.e.
contains solid information and not just grand claims. And you should be
careful to narrow its scope explicitly to what the information supports.
Fortunately that should also be enough to make it clear that your intent isn't
just to post pejoratives about other people.

------
jopolous
On a simpler level, zoom on macOS sketches me out in lots of ways.

My macbook's bluetooth will not connect to my earbuds, but only when zoom is
running. Other audio recording/playing apps don't affect things at all. What
the heck is going on here?!

Scrolling on settings panels is definitely their own home-brewed scrolling
functionality. Why?! Was macOS's not cutting it for some reason?

The settings menu is very clearly not using native OS buttons and inputs.
Why?! Why build your own? What is that for?

~~~
jcelerier
> My macbook's bluetooth will not connect to my earbuds, but only when zoom is
> running.

that sounds like something related to this bug :
[https://www.jeffgeerling.com/blog/2018/airpods-get-stuck-low-quality-16-khz-audio-mode-when-starting-vm](https://www.jeffgeerling.com/blog/2018/airpods-get-stuck-low-quality-16-khz-audio-mode-when-starting-vm)

~~~
jopolous
Nice, that's pretty much what I had to do to fix this. I used the bluetooth
explorer to force AAC, and force zoom to use the internal MacBook mic

------
rgovostes
I installed the WebEx client for macOS today and it seemed similar, installing
almost instantly without going through the normal EULA, volume selection, etc.
flow.

It seems like they've stuck their installation flow into an Installer.app
_plugin_ which is unusual. I haven't encountered that before, and I'm somewhat
surprised the feature exists considering Apple waged war on loading code into
first-party software. (The user is prompted before the plugin loads.)

~~~
mrpippy
Ughhh, this is probably where Zoom got the idea from.

~~~
cpeterso
Zoom was founded by Eric Yuan, a lead engineer from Cisco's WebEx business
unit.

------
danans
For those calling this a security vulnerability in MacOS, isn't this just
using a GUI equivalent of "sudo"? There may be a decent argument that a
consumer OS shouldn't offer such a sudo-like API to installers, but MacOS
probably does this for legacy app support reasons.

IMO the better question in this case is why Zoom needs to be installed as
admin on MacOS? After all, the mobile apps and chrome extension don't need
those privileges.

~~~
saagarjha
This is like the GUI equivalent of running "apt install zoom" and the
installation script killing the APT process and then running amok with its
root privileges.

~~~
danans
> This is like the GUI equivalent of running "apt install zoom" and the
> installation script killing the APT process and then running amok with its
> root privileges.

So in that case it seems like there is perhaps an issue on both sides.

- I understand that the OS API to get root/admin privileges likely exists for
legacy app install reasons, but why should any install script even be able to
run amok with admin privileges? Shouldn't privileges granted by this API this
is using be sandboxed in the extreme? Something this sensitive shouldn't be
left to the honor system of the app developer.

- Independently, I still don't understand why Zoom needs admin privs on Mac
when it clearly doesn't need them when installed as a browser extension. I'm
using it just fine in Chrome all the time - no admin rights needed.

------
e40
I can't imagine why anyone logs in and uses macOS as an admin user.

First account I create on a new Mac: admin. Then, when setup is done, I login
and create my non-admin user account.

This is a good reason for many reasons, this abusive installer being one.

------
clay_the_ripper
To me this implies that the installation process on Mac OS should be improved.
The fact that they have to resort to these types of things to make it “just
work” for people suggests that the official way of doing things is less than
ideal.

They are aiming to make the process completely idiot proof, and good for them.
If you’ve ever watched a nontechnical user try to install an application
you’ll understand why they had to do all this.

I recently watched one of my friends who has only ever used an iPad and not a
laptop try to install an application downloaded from the internet. Things we
take for granted like “find your downloads folder” were not obvious. I had to
explain what the Finder is, and it seemed laughably not obvious to someone who
has never used it before.

------
overgard
I understand wanting to reduce friction, but this is the second time Zoom has
kinda done something weird and suspect security wise in the name of removing
really minor obstacles that users are probably used to dealing with anyway.
Considering how many tech companies are using Zoom right now, I would hope
they are cognizant that they don't become known as "the company that does
sketchy stuff so our IT people say we can't use it"

------
j1elo
Some background info for those commenters who say that Zoom should be
requiring just a web browser because web browsers already have everything
needed (aka. WebRTC). TL;DR summary: they want to do their own thing, outside
of what the WebRTC standard allows, that's all (and enough reason for not
using WebRTC?)

Zoom doesn't want to use the stock H.264 encoder as provided by the browser
for WebRTC communication. Instead, they use their own video encoders and
decoders (which, while still being H.264, are presumably better optimized for
their use case). WebRTC forces you to use either the H.264 or the VP8
encoder/decoder that the browser provides.

How they do this is by having their own custom application that you have to
install. Still, some users have noticed that there is a well hidden web-based
version of Zoom, which works by again running their custom encoders, thanks to
WebAssembly. Also it seems that their video is transmitted via DataChannels
[0].

They are not alone. Companies want to provide additional "value" by innovating
outside of what the WebRTC standard offers. That's nice and all, although it
of course tends to disgregation and incompatibilities in the long run. For
this reason, I've heard talks about how future revisions of the standard might
explore adding WebAssembly support, in order to allow everyone embedding their
own compiled components into their applications [1].

[0]: [https://webrtchacks.com/zoom-avoids-using-webrtc/](https://webrtchacks.com/zoom-avoids-using-webrtc/)

[1]: [https://webrtcbydralex.com/index.php/2019/11/13/webrtc-standard-status-update-q3-2019/](https://webrtcbydralex.com/index.php/2019/11/13/webrtc-standard-status-update-q3-2019/)

~~~
xorcist
Right. It's also important to understand when the reason to build non-standard
things are just "productization" (intended to open the wallets of enterprise
clients) and when it is because it really provides a better service to the end
user.

Having native code running in every client makes a service provider more
valuable. It is much the same reason service providers would rather have you
running their app on mobile than utilizing the web browser.

This link provides a bit of background to the webrtchacks articles above and
gives a bit of background to when WebRTC is sufficient:

[https://bloggeek.me/webrtc-vs-zoom-video-quality/](https://bloggeek.me/webrtc-vs-zoom-video-quality/)

------
teknologist
Instead of installing the Zoom software, join Zoom calls from within your web
browser

With this trick you can join Zoom calls without ever installing the client on
your computer.

Here's how to do it:

1) Uninstall the Zoom client if you have it installed (this is important).

2) When you get a Zoom link to join a meeting, click it to open it in your
browser.

3) You'll be asked to download Zoom. Click the "download & run Zoom" link, but
don't run the installer.

4) Wait for a few moments and a link to "join from your browser" will appear.
Click this and join the call as normal. Most of the features work in this
browser based version -- there is no need to ever risk your computer!

Here's a gif demoing what to click: [https://assets.zoom.us/images/en-us/web/client/join-web-client.gif](https://assets.zoom.us/images/en-us/web/client/join-web-client.gif)

------
wodenokoto
Having never installed Zoom, and honestly not having a photographic memory of
what the installation process on MacOS is like, how is it supposed to look in
the installer?

Also, what happened to just dragging the program into the Applications folder?
I really liked that way of installing apps, but most things seem to have an
annoying click-through wizard.

~~~
jtvjan
They embedded their installation into a pre-install script. Normally, you'd go
through a next-next-next process with a pkg installer, but in this case you
get a popup asking you if you want to allow it to "run a program to determine
if the software can be installed" (the purpose of pre-install scripts)
immediately after opening the pkg, you authenticate, and then the installer
just disappears.
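
An added example, not from the thread and not Zoom's installer, of the check a reviewer would run before opening a package like this: expand the flat package without executing it and list the hooks that can run before "Install". It assumes the layout `pkgutil --expand` produces (a Distribution XML at the top level, one or more `<name>.pkg` component directories, each with an optional `Scripts/` directory holding `preinstall`/`postinstall`). The sample package it builds is constructed and hypothetical; it only illustrates the pattern the comment describes.

```shell
#!/bin/sh
# Added example: audit a macOS flat package before installing it.
# Not Zoom's code. Assumed layout = output of `pkgutil --expand`.
#
# On a Mac, expand the downloaded package without running it:
#     pkgutil --expand Zoom.pkg /tmp/expanded && show_pkg_hooks /tmp/expanded

# list_pkg_hooks DIR: print every install script, and flag a Distribution
# whose JavaScript calls system.run, i.e. code that executes during the
# "run a program to determine if the software can be installed" prompt.
list_pkg_hooks() {
    dir="$1"
    for f in "$dir"/Scripts/* "$dir"/*.pkg/Scripts/*; do
        [ -f "$f" ] || continue
        echo "SCRIPT $f"
    done
    if [ -f "$dir/Distribution" ] && grep -q 'system\.run' "$dir/Distribution"; then
        echo "DISTRIBUTION_RUNS_PROGRAM $dir/Distribution"
    fi
}

# count_pkg_hooks DIR: 0 means nothing executes before the payload is written
count_pkg_hooks() { list_pkg_hooks "$1" | wc -l | tr -d ' '; }

# show_pkg_hooks DIR: dump the script bodies so you can read what would run
show_pkg_hooks() {
    list_pkg_hooks "$1" | while read -r kind path; do
        [ "$kind" = SCRIPT ] || continue
        printf '== %s ==\n' "$path"; cat "$path"; echo
    done
}

# make_sample_pkg: constructed, hypothetical expanded package (not Zoom's)
# whose preinstall does the whole install and whose Distribution invokes it
# from the installation check, the pattern the comment above describes.
make_sample_pkg() {
    d=$(mktemp -d)
    mkdir -p "$d/app.pkg/Scripts"
    cat > "$d/app.pkg/Scripts/preinstall" <<'EOF'
#!/bin/sh
# copies the app into place before the user ever clicks Install
cp -R "$(dirname "$0")/App.app" /Applications/
EOF
    cat > "$d/Distribution" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
  <installation-check script="check()"/>
  <script>function check() { system.run('app.pkg/Scripts/preinstall'); return true; }</script>
</installer-gui-script>
EOF
    echo "$d"
}

# Demo on the constructed sample
sample=$(make_sample_pkg)
show_pkg_hooks "$sample"
echo "hooks found: $(count_pkg_hooks "$sample")"
rm -rf "$sample"
```

A count of zero means the package only writes its payload; anything else deserves reading before you type your password, because the scripts run with the privileges the Installer prompt grants.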

~~~
giovannibajo1
Before that, when they had the shady web server, the zoom application would
pop up immediately connected to the right meeting, as your browser would be
“waking it up” via http. It looks like they still haven’t fixed this after
they removed the http server.

------
int_19h
That Twitter thread has a link to a more detailed analysis that was done all
the way back in 2016:

[https://macpkghallofshame.tumblr.com/post/138612887932/indis...](https://macpkghallofshame.tumblr.com/post/138612887932/indistinguishable-
from-malware)

------
staz
[https://www.theverge.com/2019/7/8/20687014/zoom-security-
fla...](https://www.theverge.com/2019/7/8/20687014/zoom-security-flaw-video-
conference-websites-hijack-mac-cameras)

------
Razengan
If I search my bookmarks for "zoom" every link is about a discovery of it
doing some shady shit. At this point I would just classify it as spyware.

------
scelerat
I have a friend who has some intimate knowledge of MacOS installation software
who refuses to use Zoom. "It's not merely because it uses the same install
patterns as Russian malware," this person told me, "no; it's personal."

Seriously, despite this person's aversion to anything Google, Hangouts ends up
being the one tolerable exception.

------
miguelmota
What I like about zoom is that I can click on a zoom link and it opens up my
video conference pretty quickly. Last thing I want is to go through
installation steps when people are waiting for me on a call. I understand the
security implications but it's a trade-off between user experience and lesser
security.

~~~
mr_toad
People will go through the hassle of booking airline tickets, hotels, taxis
and take the time to travel to face to face meetings (and some of them even
seem to enjoy it).

But they won’t spend 5 minutes installing software properly, or half an hour
doing some legwork.

~~~
miguelmota
The difference is that it's expected that booking airlines and hotels will
take time so they make time for it but nobody expects to spend minutes
installing video conferencing software properly.

They expect meeting chat software to just work and be as easy as opening a
link. If a person needs to fly somewhere they have limited choices with
airlines, but if a person gets frustrated with video conferencing software
then they have an abundance of alternative options.

------
emilecantin
I have this irrational disgust of .pkg installs, and this is a good example
why. Every time I have to install a .pkg, I wonder what crap it's spreading
all around my system.

What's wrong with dragging .apps? Does your app really need to spread its
tentacles beyond an app bundle and (maybe) some preference files?

------
gentleman11
> Zoom has been criticized for its data collection practices,[45] which
> include its collection and storage of "the content contained in cloud
> recordings, and instant messages, files, whiteboards" as well as its
> enabling employers to monitor workers remotely;[46][47] the Electronic
> Frontier Foundation warned that administrators can join any call at any time
> "without in-the-moment consent or warning for the attendees of the
> call."[48] The Ministry of Defence of the U.K. banned its use.[49][50]
> During signup for a Zoom free account, Zoom requires users to permit it to
> identify users with their personal information on Google and also offers to
> permanently delete their Google contacts.

Widespread use of Zoom for online education during the novel coronavirus
pandemic increased concerns regarding students' data privacy and, in
particular, their personally identifiable information.[17] According to the
FBI, students’ IP addresses, browsing history, academic progress, and
biometric data may be at risk during the use of similar online learning
services.[17] Privacy experts are also concerned that the use of Zoom by
schools and universities may raise issues regarding unauthorized surveillance
of students and possible violations of students’ rights under the Family
Educational Rights and Privacy Act (FERPA).

\- Wikipedia

------
diebir
A lot of this is Mac OS X's fault: it still does not have an easy canonical way
of installing things and has no way of uninstalling. I don't get why in this
day mac os can't have something like RPM or any number of other package
managers.

~~~
saagarjha
It very much does! Zoom even stumbled upon it, it's called Installer.app.
Except, of course, they killed it before it even finished…

------
RocketSyntax
Okay, great. Let's wrap some permissions around it to make this a legit
process?

------
merpnderp
I wish I knew how it installed on my partner's Mac. No root password was ever
given, yet it installed when we thought we were still using the web app.
Quickly uninstalled and will use different software next time.

------
AngeloAnolin
I removed Zoom from my Mac following these instructions [0]

Given their security issues as of late, is there any further way I could
ensure that my machine has completely removed this software?

[0]
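
An added example, not from the thread and not Zoom's or Apple's code, of the checks a practitioner would run to answer this: the Installer keeps a receipt for every package it writes, so `pkgutil` can list what a package put on disk, and the remaining places to look are the launch item, helper and support directories an installer commonly touches. `ROOT` is empty for the live system and a temporary directory in the offline demo; the sample tree and the "ExampleMeet" name in it are constructed.

```shell
#!/bin/sh
# Added example: find what a pkg-based install may have left behind.
# Not Zoom's or Apple's code; receipt ids and paths are whatever is on the
# machine being inspected.

# find_receipts PATTERN: installer receipts whose id matches (case-insensitive).
# On a Mac this is `pkgutil --pkgs`; elsewhere it reports that it cannot run.
find_receipts() {
    if command -v pkgutil >/dev/null 2>&1; then
        pkgutil --pkgs | grep -i -- "$1" || true
    else
        echo "pkgutil not available (not macOS?)" >&2
    fi
}

# scan_leftovers ROOT PATTERN: entries in the usual persistence and support
# locations (system-wide and per user) whose name matches PATTERN.
scan_leftovers() {
    root="$1"; pat="$2"
    for p in "$root/Library/LaunchAgents" \
             "$root/Library/LaunchDaemons" \
             "$root/Library/PrivilegedHelperTools" \
             "$root/Library/Application Support" \
             "$root/Applications" \
             "$root/Users"/*/Library/LaunchAgents \
             "$root/Users"/*/Library/"Application Support" \
             "$root/Users"/*/Applications; do
        [ -d "$p" ] || continue
        find "$p" -mindepth 1 -maxdepth 1 -iname "*$pat*"
    done
}

count_leftovers() { scan_leftovers "$1" "$2" | wc -l | tr -d ' '; }

# make_sample_root: constructed tree standing in for a Mac where a hypothetical
# "ExampleMeet" app was dragged to the Trash but its launch agent and
# per-user support directory remain.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/Library/LaunchAgents" \
             "$r/Users/alice/Library/Application Support/ExampleMeet" \
             "$r/Applications"
    echo '<plist/>' > "$r/Library/LaunchAgents/com.examplemeet.updater.plist"
    echo "$r"
}

# Demo on the constructed sample
sample=$(make_sample_root)
scan_leftovers "$sample" examplemeet
echo "leftovers: $(count_leftovers "$sample" examplemeet)"
rm -rf "$sample"

# On a real Mac:
#   find_receipts zoom            # receipt ids to inspect
#   pkgutil --files <receipt-id>  # every path that package wrote
#   scan_leftovers "" zoom        # launch items, helpers, support dirs
#   sudo pkgutil --forget <receipt-id>   # drop the receipt once files are gone
```

Receipts are the authoritative list of what the package itself wrote; the directory scan catches what the app created at runtime, which a receipt never records.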

------
fouc
Are there other app installers that do this? I've got a feeling Zoom is
definitely not the only one that does that.

------
musicale
Zoom's malware-like behavior is the reason I only use their web app, in a
browser with minimal privileges.

------
Kaze404
Discord also does this (on Windows at least) and I don't understand how / why
it's allowed.

------
josteink
Root-kit authors: watch and learn!

------
dbbk
But why are they doing this? What is the benefit?

~~~
dceddia
If I had to guess, it’s an attempt to optimize install conversions. Every
multi-step process you ask a user to perform is effectively a
(marketing/sales) funnel. Some percentage of people drop off at every step.
Maybe Zoom thought that if they moved the actual installation closer to
Step 1, then more people would accomplish it. It’s awfully sneaky though,
especially that password dialog.

~~~
drewg123
They could have also made it just work in a web browser without having to use
workarounds. That's one of the reasons why I strongly prefer Google Meet and
get annoyed at vendors that want me to use solutions that require me to
install software.

~~~
dbbk
Conversely, I much prefer a desktop app to Google Meet, since that's stuck in
the browser and the video can't float as PIP when you navigate away from the
call.

~~~
saagarjha
It can if it uses the right web APIs, which are widely supported:
[https://w3c.github.io/picture-in-picture/](https://w3c.github.io/picture-in-
picture/)

~~~
dbbk
Yes but... it doesn't.

------
neycoda
Why does Apple allow this?

------
0xff00ffee
One suggestion...

My company has been using Gotomeeting for 5+ years. No video (thankfully), but
meetings are generally 20-30 people and largely seamless.

It is expensive: $300 per seat to host a meeting, but it pretty much just
works. The UI is annoying and could be simpler.

However, I don't know if it is as shady as Zoom because I don't think anyone
has done a deep dive.

------
proffan
resReitna.7z

Reminds me of tech support XD

------
xenophonf
I missed the part where Zoom is holding people's computers for ransom, or
formatting the drive, or exfiltrating sensitive information to criminals or
state intelligence officers, or mining bitcoin, or other similarly malicious
behaviors.

An admin can write to /Applications without privilege escalation? That's a
macOS bug. If the operating system didn't rely on an 80s-style put-all-the-
executables-in-one-place app launch paradigm, maybe there'd be less incentive
for app developers to ignore the per-user Applications folder that macOS
supports.

An app can spoof or abuse privilege escalation dialogs? That's because macOS
doesn't implement an Orange Book-style Trusted Path. It's why Windows and
similar operating systems have secure attention keys in the first place.

So yeah, Zoom is (ab)using flaws in macOS to get itself installed with minimum
fuss, but it isn't doing it with evil intent. They fixed past issues; they'll
probably fix this. Meanwhile, these long-standing macOS security flaws won't
be addressed by Apple, who has a terrible track record about these things
except when it lets people bypass their App Store.

P.S. As an enterprise customer, I'm much more worried about end-to-end
encryption in Zoom, and the apparent lack thereof. I'm also not sure how that
compares with other video conferencing services.

~~~
rainforest
> So yeah, Zoom is (ab)using flaws in macOS to get itself installed with
> minimum fuss, but it isn't doing it with evil intent.

But... why? What other software vendors look at the OS security model from a
viewpoint of 'how do we bypass this as much as possible?' If it's not evil
intent, what is it, incompetence?

~~~
javagram
It’s about making your software as easy to use as possible.

Users don’t like UAC or having to click through a dozen dialogs. They just
want to get into their virtual meeting.

~~~
my123
Then Zoom should just make them join the meeting via the web browser!

Zoom does this somehow and doesn't make joining from the web frictionless when
they pretty much could have.

