You may not need to read this column for yourself, but read it nonetheless and help those with less wariness take better heed: Don’t download software for OS X from anywhere but the developer’s own website or Apple. Period.
For many longtime Mac users, this is obvious advice. Long ago, maybe even with System 6 or 7, you learned the hard way or through observation about malware, including both viruses and Trojan Horses. Maybe it came later, after the Internet grew, but many developers couldn’t afford fast pipes or enough bandwidth, and you wound up getting installers for software that were larded with crap.
Congratulations to you for having gotten so savvy, but there are an untold millions of Mac users who didn’t go through those tough lessons or observations. Many download sites have tweaked their “Google juice”—aka their search-engine optimization or SEO–so that they appear as a result above the legitimate developer of a software product. That developer has likely not authorized them to offer their product for free download, because there’s no benefit to the software maker to have someone go to another site, and a lot of room for blame if something goes wrong.
For free, freemium, or trial software, many users will search for the name of the product and click the top link, or a sponsored link from one of these sites. (Many users are, unfortunately, also looking for “free” downloads of commercial software, or cracked freemium software that offers the premium features without paying for a license code.)
But the experience last week of a user noticing that a download of Skype from MacUpdate was wrapped in an installer that contained adware and trialware reminds me to run the flag up the pole again to remind folks who weren’t aware—and to ask all of you who understand the issue to help your friends, colleagues, and family avoid these risks.
Consider the source
Typically, you can find the appropriate site for a developer by simply scrolling down and looking carefully. When I search for “download Skype Mac” on Google, half the links that fit into the first browser view are for third-party download sites. However, Skype.com is the very top link. It’s less adorned, however, lacking the review stars that Google enhances the download sites’ free links with. (If you think this is obvious, do the search, and without looking closely, hover over the one you think is the best match. Was it Skype.com?)
Finding reviews of products at reputable sites (ahem, ahem) with links to the developer’s site is also a good indication you’re in the right place. You can also use social media, like Twitter, to find a developer’s account, from which you can then find their authorized website. Most of the time, only the most-popular applications are being hijacked.
Apple’s Mac App Store is just old enough that it rode the end of an expensive-bandwidth period, and Apple’s 30-percent cut included the price of downloads and the cost of success: Ostensibly, a user will never be unable to download a program from the App Store due to a server being overloaded, which could otherwise scotch a sale. This is part of why 30 percent seems far too huge now. But even with researchers finding holes related to App Store approval and security this year, it remains safe.
The only difficulty people may face is with Gatekeeper, found in the Security & Privacy preference pane as Allow Apps Downloaded From. Some developers choose not to go through the steps necessary to get a certificate from Apple with which they can cryptographically sign apps they release directly. I certainly don’t recommend setting Gatekeeper to Anywhere, because that allows any downloaded app to be run. Rather, keep it set to “Mac App Store and Identified Developers,” and then, after vetting the downloaded app is legitimate, you can always right-click the app in the Finder, select Open in the contextual menu, and confirm you want to run it.
One friend who works in the library world says there are a surprising number of useful, free, minimally supported, unsigned apps for that market. Several utilities I use, typically obscure, are also unsigned. But in all cases, downloading them from the developer’s site minimizes risk. (Signed apps can be bad news, too, but Apple can pull the maker’s certificate centrally, killing its approval everywhere through Gatekeeper.)
In 2015, there’s zero need for a developer to host their software downloads elsewhere. I pay about $100 a month for a virtual private server (VPS) at Linode that includes 3 terabytes (TB) of data transfer—yes, three terabytes—on top of the actual function, which is a high-performance, SSD-based server with a gigabit-per-second Internet link.
Those 3TB are constrained by the input/output of that single server, so if I worry about hundreds or thousands of simultaneous downloads, I can shift to Amazon S3 starting at 9 cents a gigabyte (or $90 per terabyte) for downloads. There are cheaper options, too, with content-distribution networks (CDNs).
So a developer that preferentially works with a software-download site, referring visitors to their website to a link at one of those locations, is almost always doing so because they receive compensation from the site, which in turn gets paid based on software that’s installed or subscriptions started from bundled packages. How-To Geek looked at the top 10 Windows downloads from Download.com earlier this year, and what was installed, and it’s appalling. It’s an entire economy built around installing stuff that people don’t want and that doesn’t help them.
I can’t think of any Mac software from a major company or independent developer that I’ve seen distributed this way since these sites started to turn into adware-distribution centers a few years ago. MacUpdate was trusted until now, but appears to have pivoted its model so that it bundles some downloads with third-party installers and software for those who aren’t paid subscribers. (I sent a query to MacUpdate about this issue, and haven’t heard back.)
Every day I receive email to Mac 911 from people who inadvertently downloaded an installer package that contains MacKeeper or similar unnecessary or even harmful third-party software. It typically begins, “I know I shouldn’t have installed this…” Go with that impulse: If the first screen you see looks wrong, stop, drop, and roll that file away.