{"id":28618,"date":"2020-04-10T14:16:00","date_gmt":"2020-04-10T18:16:00","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=28618"},"modified":"2020-11-27T13:09:40","modified_gmt":"2020-11-27T18:09:40","slug":"zoom-installation","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2020\/04\/10\/zoom-installation\/","title":{"rendered":"Zoom Installation"},"content":{"rendered":"

Felix Seele<\/a> (Hacker News<\/a>):<\/p>\n

\n

Ever wondered how the \n@zoom_us\n macOS installer does it’s job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to \/Applications if the current user is in the admin group (no root needed).<\/p>\n<\/blockquote>\n\n

Cabel Sasser<\/a>:<\/p>\n

The true Zoom experience begins with the installer. You have the standard list of steps on the left. The sheet comes down that says “This package will run a program to determine if the software can be installed.” You click Continue. The installer quits. It’s done. WTFFFFF<\/p><\/blockquote>\n\n

Kyle Howells<\/a>:<\/p>\n

\n

This, and every Zoom controversy, makes sense if you think of it this way.\nThey value easy of use above all else.\nAbove being a good platform citizen, above security, above everything.<\/p>\n

Like most start ups maximise engagement and growth above all, Zoom maximises ease of use.<\/p>\n<\/blockquote>\n\n

Eric Slivka<\/a>:<\/p>

Zoom CEO Eric Yuan responded to Seele<\/a>, noting that while the installation method was “implemented to balance the number of clicks given the limitations of the standard technology,” he recognized the issue and promised to “continue to improve.”<\/p>

Zoom has now updated its Mac app installer to no longer use the preflight installation method, instead using a traditional installation authorization process, as noted by The Verge<\/a><\/em>.<\/p><\/blockquote>\n\n

mmastrac<\/a>:<\/p>\n

\n

\tI noticed while installing WebEx today that the installer immediately terminated itself after popping up the pre-installation script.<\/p>\n

Running strings<\/code> on the installation plugin (CWSPkgPlugin.bundle) shows why - it’s using a similar process to what Zoom does<\/p>\n<\/blockquote>\n\n

Oliver Hunt<\/a>:<\/p>\n

\n

Ok, so given sandboxing exists, I feel it should be possible to make it so that installers can’t write to the file system (or poll the network) while the preinstall scripts are running[…]<\/p>\n<\/blockquote>\n\n

Cabel Sasser<\/a>:<\/p>\n

One thing that freaks me out about Zoom is that there are no Retina images on first launch, but later they just kind of… appear. I do wonder if they’re not there in the first place because of this “Reitna” typo<\/p><\/blockquote>\n\n

Charlie Fish<\/a>:<\/p>\n

\n

Is there ANY legit reason why \n@zoom_us\n needs admin privileges to support retina display on macOS? Never seen an application require admin privileges to use retina display.<\/p>\n<\/blockquote>\n\n

Guilherme Rambo<\/a>:<\/p>\n

\n

The initial download of the app doesn’t include retina assets, so they have to be downloaded and installed separately (why that requires admin privileges, I don’t know). Yet another “feature” they implemented without thinking about the implications.<\/p>\n<\/blockquote>\n\n

Dan Amodio<\/a> (Hacker News<\/a>):<\/p>\n

\n

zoomAutenticationTool will run whatever script you give it, and ask you to authenticate as System. It’s like they wrote their own sudo tool.. Don’t think you can weaponize but weird practice.<\/p>\n<\/blockquote>\n\n

Previously:<\/p>\n