Search Unity

  1. Good news ✨ We have more Unite Now videos available for you to watch on-demand! Come check them out and ask our experts any questions!
    Dismiss Notice

Unity Hub - a security risk?

Discussion in 'Unity Hub' started by transat, Oct 13, 2019.

  1. transat

    transat

    Joined:
    May 5, 2018
    Posts:
    772
    I've updated my mac to Catalina. That OS warns you when apps try to gain access to certain parts of the system. For Unity Hub, I was asked... if I wanted to allow the Hub to access keystrokes from any other application I use. Hmm. Please explain, Unity!
     
    luispedrofonseca likes this.
  2. transat

    transat

    Joined:
    May 5, 2018
    Posts:
    772
  3. luispedrofonseca

    luispedrofonseca

    Joined:
    Aug 29, 2012
    Posts:
    860
    I just got this message and I'm curious as well. Why would Unity Hub need access to "keystrokes"?
     
    mkracik likes this.
  4. AbrahamDUnity

    AbrahamDUnity

    Unity Technologies

    Joined:
    Jun 28, 2017
    Posts:
    430
    Hi @transat,

    This was related to Catalina security requirements in Unity. Since the Hub launches Unity it detected the Hub as wanting to listen for keystrokes. This issue was fixed in the Editor so chances are you won't see this in future releases.

    Cheers,
     
    transat likes this.
  5. transat

    transat

    Joined:
    May 5, 2018
    Posts:
    772
    Now it's wanting to "record my screen"! :-/
     
  6. AbrahamDUnity

    AbrahamDUnity

    Unity Technologies

    Joined:
    Jun 28, 2017
    Posts:
    430
    Again, I'm unsure of what kind of warnings Catalina might display. I can assure you the Hub isn't trying to capture your keystrokes, screen content, funny cat pictures etc. Please remain patient. We're working hard on supporting the new MacOS release.
     
    transat likes this.
  7. transat

    transat

    Joined:
    May 5, 2018
    Posts:
    772
    I clicked on "approve" when it asked for my funny cat pictures. The world needs to see them.
     
  8. SultanFreeman

    SultanFreeman

    Joined:
    Oct 23, 2019
    Posts:
    1
    well i installed Unity hub on Catalina OS today but i can't open it
     

    Attached Files:

    CatastropheZero likes this.
  9. AbrahamDUnity

    AbrahamDUnity

    Unity Technologies

    Joined:
    Jun 28, 2017
    Posts:
    430
    Yes @SultanFreeman, that's what this thread is about. We're working on it.
     
    CatastropheZero likes this.
  10. luispedrofonseca

    luispedrofonseca

    Joined:
    Aug 29, 2012
    Posts:
    860
    Hey @AbrahamDUnity, any update on this? This is a pretty serious security issue and the lack of a reasonable explanation as to why it's happening is concerning to say the least.
     
  11. safaGH

    safaGH

    Unity Technologies

    Joined:
    Mar 12, 2019
    Posts:
    220
    Hello, We are working on the notarization of the hub and it will be shipped with the version 2.2 of the hub. There is no security issues to be worried about, it's just that Catalina has higher requirements for applications to be considered secure.
     
  12. luispedrofonseca

    luispedrofonseca

    Joined:
    Aug 29, 2012
    Posts:
    860
    Thanks @safaGH, but saying that it's going to be fixed on the next release doesn't explain why the Hub is currently asking for permission for recording the screen and access for keystrokes.
     
  13. AbrahamDUnity

    AbrahamDUnity

    Unity Technologies

    Joined:
    Jun 28, 2017
    Posts:
    430
    Hi @luispedrofonseca,

    Like my colleague mentioned we are putting most of our efforts towards this for our next release. You can expect an update in the coming weeks. As I wrote earlier this is happening because of Apple's stricter security policy which requires us to update a significant portion of our framework dependencies. I hope this clarifies the situation.

    Cheers,
     
  14. AbrahamDUnity

    AbrahamDUnity

    Unity Technologies

    Joined:
    Jun 28, 2017
    Posts:
    430
    Also the messages about recording screen and keystrokes are not necessarily related to the Hub. Since the Hub launches Unity these warnings may also be related to the editor (which are also addressed by other teams in parallel). In any case you can expect all these warnings to go away once we address the issue.
     
  15. luispedrofonseca

    luispedrofonseca

    Joined:
    Aug 29, 2012
    Posts:
    860
    Sorry @AbrahamDUnity, but it doesn't. You're telling me exactly the same thing your colleague did. "It's going to be fixed soon".
    What I want to know is why it is happening right now, on the current version!

    [EDIT]

    You made a second reply while I was writing. That makes a bit more sense but still a bit weird to be honest. Looking forward for the next release.
     
  16. AbrahamDUnity

    AbrahamDUnity

    Unity Technologies

    Joined:
    Jun 28, 2017
    Posts:
    430
    Also @luispedrofonseca, let me be clear on a few points:
    • The Hub does not and never has attempted to record users's screens.
    • The Hub only listens for keystrokes when one of its windows is open and focused (for capturing form inputs and shortcuts) and never has attempted to record keystrokes at any other time.
    We are as confused as you are about those warnings and hope that this is just an issue with the way MacOS treats our application until we submit it to them for verification (notarization). We are also testing locally with Catalina to make sure our latest release no longer shows these warnings.
     
    IvanWullems and luispedrofonseca like this.
  17. luks0r

    luks0r

    Joined:
    Apr 7, 2015
    Posts:
    2
    Thank you Abraham. Currently I cannot install any version of Unity2019.2 on OS X Catalina 10.15.1.

    When I attempt to install from the Hub, it fills up the downloaded progress bar and then just disappears, doing nothing and signaling nothing in the Security Settings panel.

    If I attempt to install Unity 2019.2.11f1 via the Mac downloader, it says "Unity Download Assistant" can't be opened because Apple cannot check it for malicious software".

    I'm assuming this is what is resolved in Unity Hub 2.2, and this is what this thread is about. Am I missing any other workarounds or am I stuck on waiting until 2.2 is released?

    Thanks,
    -Steve
     
  18. AbrahamDUnity

    AbrahamDUnity

    Unity Technologies

    Joined:
    Jun 28, 2017
    Posts:
    430
    @luks0r please report a bug in the Hub's bug reporter. We may be able to gather something from your logs. If you wish to follow up the conversation in the forums please open a new thread as this isn't directly related to Hub support for Catalina (since from what I understand you went past the security warning).

    Thanks,
     
    luks0r likes this.
  19. eladleb4

    eladleb4

    Joined:
    Apr 25, 2016
    Posts:
    35
    Unity hub still trying to record my screen.
    Are you still working to resolve this...?

    This popped up when trying to choose a color using the color picker in the unity editor.
     

    Attached Files:

  20. DanielTG

    DanielTG

    Unity Technologies

    Joined:
    Feb 15, 2018
    Posts:
    109
    Hi @eladleb4, this is related to the version of the Editor running which is not notarized for Catalina. Since the Hub is the parent process of the Editor in this case, macOS reports it as the Hub. You’ll see a similar message from the terminal if you open your project directly from the Editor command line interface.

    newer releases of Unity have already addressed this issue.

    please note, we released Hub 2.2.2 yesterday that is unfortunately not notarized for macOS Catalina. You won’t notice any Hub specific warnings except when you download and install the application again directly from our website.

    hope this helps
    Thanks
    Daniel
     
    eladleb4 likes this.
  21. octo-user1

    octo-user1

    Joined:
    Jan 30, 2020
    Posts:
    1
    Today is Jan 30, 2020. I just downloaded the latest version yesterday and it is now telling me that Unity would like to record my screen. It has been about 3 months since this issue came up. Does anyone know what is going on?
     
  22. transat

    transat

    Joined:
    May 5, 2018
    Posts:
    772
    @octo-user1 The government asked UT for an extension as they hadn’t gathered enough data on you yet.

    Either that or UT doesn’t take security all too seriously. ;)
     
    Last edited: Jan 31, 2020
  23. luispedrofonseca

    luispedrofonseca

    Joined:
    Aug 29, 2012
    Posts:
    860
  24. transat

    transat

    Joined:
    May 5, 2018
    Posts:
    772
    Looking at my Privacy system preferences though, I've not allowed access to the Hub or Editor and everything is working fine. And I haven't been asked to allow any kind of recording in ages. @octo-user1 what version of the Hub and editor are you using?
     
  25. luispedrofonseca

    luispedrofonseca

    Joined:
    Aug 29, 2012
    Posts:
    860
    Another fun one: "Unity Hub would like to access your reminders."

    @AbrahamDUnity @DanielTG How's the work on these issues going?
     

    Attached Files:

  26. AbrahamDUnity

    AbrahamDUnity

    Unity Technologies

    Joined:
    Jun 28, 2017
    Posts:
    430
    @luispedrofonseca @transat,

    As my colleague @DanielTG mentioned we had to back out of Catalina support in December because of other regressions caused by the notarized version of the Hub. However the next release of the Hub will support the latest macOS version. We are making sure it's as stable as possible. Thanks again for your patience.

    Cheers,
     
    luispedrofonseca likes this.
  27. sama-van

    sama-van

    Joined:
    Jun 2, 2009
    Posts:
    1,643
    Just got this... kinda amazing o_O....
     

    Attached Files:

  28. luispedrofonseca

    luispedrofonseca

    Joined:
    Aug 29, 2012
    Posts:
    860
  29. transat

    transat

    Joined:
    May 5, 2018
    Posts:
    772
    Is this still happening? Wow.

    Imagine those Unity developers in Hong Kong and mainland China who have no choice but to use the China-only version of the Hub. They'd have to be extremely brave to allow it to record their screen or keystrokes amongst other things. But the fact there even is a China-only version of the Hub (no other country has this) shows that Unity frankly doesn't care about their safety. And perhaps even more worrying is that it's a massive backdoor to allow the Chinese government to do supply chain attacks on scale - so it's also a security risk to anyone who uses apps made by those developers.

    https://arstechnica.com/information...ltiple-game-developers-with-advanced-malware/
    https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/
    https://docs.microsoft.com/en-us/wi...-protection/intelligence/supply-chain-malware
     
  30. AbrahamDUnity

    AbrahamDUnity

    Unity Technologies

    Joined:
    Jun 28, 2017
    Posts:
    430
    @sama-van this should no longer happen. What version of Unity are you trying to launch? I ask because the Hub launches Unity so it inherits its permission requests.
     
  31. sama-van

    sama-van

    Joined:
    Jun 2, 2009
    Posts:
    1,643
    2020.2.0a13 and 2020.1.0b12.
    I cannot really say which version triggered it... and it did happen once only :)
    Still surprising!
     
  32. AbrahamDUnity

    AbrahamDUnity

    Unity Technologies

    Joined:
    Jun 28, 2017
    Posts:
    430
    @sama-van Good to hear. We haven't found a good way to spawn the Editor as its independent process across all supported platforms so this problem might reoccur if Unity needs special permissions. As long as you're working in Unity it is safe to assume the Hub isn't the actual process requesting access. Sorry for the inconvenience.

    Cheers,
     
  33. luispedrofonseca

    luispedrofonseca

    Joined:
    Aug 29, 2012
    Posts:
    860
    @AbrahamDUnity So you're telling us that you still don't have a clear idea of what permissions, or why, Unity needs? What are those special permissions you're referring to? This is getting beyond ridiculous to be honest.
     
  34. AbrahamDUnity

    AbrahamDUnity

    Unity Technologies

    Joined:
    Jun 28, 2017
    Posts:
    430
    @luispedrofonseca I meant the Editor needs access to your screen and keyboard (obviously) but we haven't figured out a good way to display these access requests as coming from the Editor and not the Hub. Since the Hub launches the Editor MacOS associates those permissions with the Hub.
     
  35. JPBA1984

    JPBA1984

    Joined:
    Jan 23, 2014
    Posts:
    6
  36. AbrahamDUnity

    AbrahamDUnity

    Unity Technologies

    Joined:
    Jun 28, 2017
    Posts:
    430
    @JPBA1984 Thanks for the link! I don't think it's the Hub's responsibility to justify all of Unity's access requests but I'll keep this in mind if asked about screen capture permissions.

    Cheers,
     
  37. dejarajs

    dejarajs

    Joined:
    Dec 11, 2012
    Posts:
    20
    We have 2019.4.10f1 and I am not sure why it needs the screen recording permission. Is there something we need to be concerned about? Is unity capturing user actions for analytics without consent?
     
  38. firstuser

    firstuser

    Joined:
    May 5, 2016
    Posts:
    51
    Just FYI sometimes something as simple as trying to use the color picker tool will ask for this.
     
unityunity