Apple’s permissions features are out of balance

In an attempt to protect Mac users from getting themselves into trouble, Apple introduced numerous permissions pop-ups into macOS Catalina. In the years since, the company has accelerated its approach, adding ever more situations where users must grant specific permission. Often multiple times, in multiple places. (It can be magnified by migrating to a new Mac and getting those requests all at once.)
Microsoft has grappled with this same issue in Windows, allowing Apple to roast Windows Vista in an ad that modern Apple people probably regret. And it doubled down at WWDC 2009.
Now comes the news that things may be getting worse, not better. 9to5Mac reports that macOS Sequoia beta has introduced a new prompt that doesn’t allow a user to permanently grant permission, but requires an occasional re-authorization.
It’s part of a general trend for Apple to continue placing barriers in the way of users who are trying to use software on the Mac. As I noted when I covered the Sequoia Public Beta:
Security prompts appear to have been ramped up a bit, much to my chagrin. When I tried to launch an app that Apple didn’t notarize, I was unable to force it to open by right-clicking and then choosing Open, which was the old standby. Instead, I had to open the Settings app, go to the Security pane, and click through a warning dialog that the app in question was “blocked to protect your Mac.” Once I clicked Open Anyway, I could open the app—but even then, I was forced to put up with another alert, and then forced (as an administrator with full privileges!) to enter my password before the app would launch.
(Apple confirmed this is intentional in a developer note released Tuesday.)
For the past decade, Apple has been trying to tighten the screws on the Mac in order to bring it closer to the level of security offered on iOS. And on iOS, it’s also restricted software features, including a (supremely annoying) feature that repeatedly asks you if you want to continue allowing apps to track your location.
To serve and protect
Here’s Apple’s problem: Apps that track your location, record the contents of your screen, or access your video camera or microphone have the potential to be deeply invasive and violate your privacy in innumerable ways. Since those features are also useful, Apple has built a system of permissions that apps must request, and users are then prompted to confirm that an app should be granted that kind of access.
You can imagine the scenarios: A domestic abuser installs an app on their partner’s device and grants blanket permission without their knowledge, giving them access to everything they do. Or a scammer convinces a user to install software via social engineering, including clicking exactly the right permissions buttons to grant their software complete control over the user’s system.
One clear way to combat these abuses is to not allow permanent approval but prompt the user later, when they might realize what’s been happening without their knowledge. I get it. It’s a smart approach.
But what Apple’s testing in the latest macOS Sequoia betas is brutal because there’s no end to it. It’s a subscription you didn’t buy and can’t cancel. Yesterday, I was prompted to give temporary permission by an app that I’ve used since the early 1990s to read my screen. Apparently, if I want to use that app, I will just need to keep approving it every so often. Numerous other screen-reading utilities may also be affected.
Asking for permission a second time is not unreasonable for the reasons I mentioned above. But at some point the user must be in charge. When I complain that moves like these by Apple are condescending and insulting because it’s my computer, and I’ll do what I want with it, I’m often confronted by people on social media who insist that Apple’s just looking out for me. What if I agree to something dangerous? Shouldn’t Apple protect me?
My answer is that Apple should try to protect its users but must find a balance between that and the overall experience of using a Mac (or other device). A barrage of permissions dialogs rapidly creates dialog fatigue, where the user will agree to anything if it’ll just let them get back to what they were doing. This sends a subtle signal that the user or the user’s software is doing something that’s potentially wrong. (And if the solution is for developers to update to newer, more privacy-protecting APIs, maybe Apple should tell developers and document them properly.)
Some users will make bad decisions. That’s just reality. The wrong reaction is to take the decision out of every user’s hands to protect the ones who might do something stupid. Apple needs to find a balance that protects people but still gives users the freedom to do what they want, however dangerous it might be.
Apple’s recent feature changes suggest a value system that’s wildly out of balance, preferring to warn (and control) users no matter how damaging it is to the overall user experience. Maybe the people in charge should be forced to sit down and watch that Apple ad that mocks Windows Vista. Vista’s security prompts existed for good reasons—but they were a user disaster. The Apple of that era knew it. I’d guess a lot of people inside today’s Apple know it, too—but they clearly are unable to win the arguments when it matters.
Not quite neutral
Some of Apple’s recent behavior also makes this entire situation seem more sinister and frustrating than it should. When Apple introduced a new security regime for macOS in 2018, adding a middle path for apps that were outside the Mac App Store that would allow Apple to cryptographically sign them and scan them for malware, people freaked out that it was the beginning of the end for the Mac as an open platform.
But the advent of app notarization didn’t change the fundamental premise of the Mac: You can still run any software you want on the Mac, if you want. It was a promise an Apple representative made on stage at WWDC 2019, and the company has stuck with it. Unfortunately, the fairly simple workaround to launch non-notarized apps is getting junked up in macOS Sequoia, requiring a visit to System Preferences and approval by the user on launch, which, last time I checked, required entering your password. That’s just overkill. But at least it’s still possible.
Still, Apple’s developer note on this feature gave me pause:
In macOS Sequoia, users will no longer be able to Control-click to override Gatekeeper when opening software that isn’t signed correctly or notarized. They’ll need to visit System Settings > Privacy & Security to review security information for software before allowing it to run.
If you distribute software outside of the Mac App Store, we recommend that you submit your software to be notarized. The Apple notary service automatically scans your Developer ID-signed software and performs security checks. When your software is ready for distribution, it’s assigned a ticket to let Gatekeeper know it’s been notarized so customers can run it with confidence.
It seems reasonable at first glance. If developers want to make it easier for users to launch their apps, they should just get them notarized! It’s that nice middle path again, with no App Store approvals but with some quick scans and cryptographic reassurance. Sounds great. And in the last five-plus years, Apple has treated notarization as it promised, as a neutral scanning system that’s meant to keep users secure, not as a way to extend Apple’s App Store rules elsewhere.
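For readers who want to see what that “cryptographic reassurance” looks like on a machine, here is an added example (not code from Six Colors or from Apple) that turns the output of Apple’s own Gatekeeper tools into a plain verdict: notarized, signed but not notarized, or unsigned. The helper `classify_assessment` parses text in the format `spctl --assess -vv` prints, so it can be tested offline with constructed samples; `assess_app` only runs on a Mac, where it also checks the code signature with `codesign` and whether a notarization ticket is stapled with `xcrun stapler`. The `source=` strings matched below are the ones spctl emits in practice; anything else is reported as `unknown` rather than guessed. Function names and the sample app names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not code from the article or from Apple: interpret a
# Gatekeeper assessment so an admin or help desk can tell *why* an app is
# blocked before sending a user to System Settings > Privacy & Security.

# classify_assessment "<output of: spctl --assess --type exec -vv App.app>"
# Prints one token and returns 0 if Gatekeeper would let the app launch
# without a manual override, 1 otherwise.
classify_assessment() {
  local out="$1" verdict src
  # First line looks like "/Applications/Foo.app: accepted"
  # or "/Applications/Foo.app: rejected (reason)".
  verdict=$(printf '%s\n' "$out" | head -n 1 | grep -oE 'accepted|rejected' | head -n 1)
  # One "source=..." line names the policy that produced the verdict.
  src=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
  case "$verdict|$src" in
    "accepted|Notarized Developer ID")   echo notarized-developer-id; return 0 ;;
    "accepted|Mac App Store"|"accepted|Apple"*) echo apple-trusted;   return 0 ;;
    "accepted|"*)                          echo accepted-other;         return 0 ;;
    "rejected|Unnotarized Developer ID")  echo signed-not-notarized;   return 1 ;;
    "rejected|no usable signature")       echo unsigned;               return 1 ;;
    "rejected|"*)                          echo rejected-other;         return 1 ;;
    *)                                     echo unknown;                return 1 ;;
  esac
}

# assess_app /path/to/App.app: runs the real macOS tools. Only works on a Mac.
assess_app() {
  local app="$1"
  command -v spctl >/dev/null 2>&1 || { echo "assess_app: requires macOS" >&2; return 2; }
  if codesign --verify --deep --strict "$app" 2>/dev/null; then
    echo "signature: valid"
  else
    echo "signature: invalid or absent"
  fi
  # spctl writes its report to stderr, hence 2>&1.
  classify_assessment "$(spctl --assess --type exec -vv "$app" 2>&1)"
  # A stapled ticket lets Gatekeeper confirm notarization offline; an app
  # that was notarized but never stapled still passes when the Mac is online.
  if xcrun stapler validate "$app" >/dev/null 2>&1; then
    echo "ticket: stapled"
  else
    echo "ticket: not stapled"
  fi
}

# Constructed sample reports in spctl's format (app and team names are made up).
SAMPLE_NOTARIZED="/Applications/ScreenTool.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)"

SAMPLE_UNNOTARIZED="/Applications/OldUtility.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)"

SAMPLE_UNSIGNED="/Users/me/Downloads/Mystery.app: rejected
source=no usable signature"

# Usage: ./gatekeeper_check.sh /Applications/Foo.app
if [ -n "${1:-}" ]; then
  assess_app "$1"
fi
```

The `signed-not-notarized` case is exactly the one the article is about: the app carries a valid Developer ID signature, so it is not malware by Gatekeeper’s own reckoning, but without a notarization ticket Sequoia no longer offers the Control-click override and the user has to approve it in System Settings.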
Except back in June, Apple used its iOS notarization process in the EU to make App Store-style policy rejections. Yes, it’s a different process in a specific region, and the whole issue seems to have been cleared up… but it exposed the truth, which is that if Apple wants to use its seemingly neutral notarization process to suppress an app it doesn’t like, it can. It has.
Solving the puzzle
When I discuss this issue on podcasts and social media, most people who respond sound just as frustrated as I am. But there’s also a group who, to their credit, understand the difficult situation Apple is in here. Does Apple not want to make it harder for people to install spyware? Is that not a benefit that outweighs the rest of us having to click through alert dialogs every week?
I appreciate the empathy of those arguments, but they miss an important point: This is Apple we’re talking about. I believe Apple is entirely able to solve difficult problems like this in ways that balance the user experience and the need for protection. I just think, for whatever reason, the company isn’t really trying. The result is a platform that’s teetering on the edge of becoming a user-experience joke akin to Windows Vista.