My school required everyone to install a process scanner with root privileges in order to join WiFi. I showed people how to install the school's spyware in a virtual machine isolated from the host.

Why do you need a java app at all? Secure forms complete with media are a webpage.

Unless the ATO wants you to play a Descent-style game to navigate their bureaucracy?

The title is a bit unsubstantiated. Many apps request this permission for global hotkeys.

If it is a Java app, it should be easier to decompile and inspect.

TLDR: Old mouse event code in the JRE causes this prompt. AUSid hasn't been updated since 2017.

I downloaded the dmg and extracted the contents, it's a launcher for a JavaFX application with a bundled JRE 8.

The java code isn't obfuscated, and I don't see anything particularly interesting, but it would require going through a lot of code.

However, the build and file modification dates are all 2017, which is pre-Catalina. Catalina of course introduced this permission warning.

I instead did a quick Google for JRE bugs with this issue and it didn't take long to find this issue raised with OpenJDK: https://bugs.openjdk.java.net/browse/JDK-8231513

In particular, this comment: https://bugs.openjdk.java.net/browse/JDK-8231513?focusedComm... explains it's to do with mouse tracking around window resizing.

Another case of "never attribute to malice that which is adequately explained by stupidity"...