Occasionally, answers on this site include software recommendations. Let’s assume a "legitimate developer" pretends to have created a useful application that is (secretly) capable of doing harm. How can I be sure I do not install something that contains malicious code or a root kit, especially if it is closed-source software?
MacOS – Avoiding malware in recommendations
macosmalwareSecurity
Related Solutions
The safest way to ensure removal of live malware is to (re)boot from external media and to then re-install the OS and all your apps and executables.
Web browsing
The largest potential danger comes from the "Internet". My Mac is online most of its operating time and web browsers are among the most used applications on my Mac.
Therefore, the most important rules are:
- surf the web carefully
- don't just download any software you find
Browser choice
The browser choices, configurations and extensions offers various options to configure your security and privacy.
I like to use Chrome because it's known for having
- strict sandboxing
- updates itself, its extensions and flash plug-in automatically
- open extension design
Safari's extension design is more restricted, causing the JavaScriptBlocker for Safari not to be as functional as similar extensions for Chrome or Firefox: e.g. Web Bugs are not blocked.
Chrome is considered quite safe. It did not get exploited at the Pwn2Own hacking contest three years in a row (2009-2011). 2012 is the first year a team presented the use of a zero-day-exploit in Chrome.
The German Federal Office for Information Security (BSI) (similar to the NIST in the U.S.) recommends the use of Chrome because of its sandboxing technology and auto-updates.
Java
Chrome has disabled Java by default and asks you every time when it's required to run. You can disable Java for Safari as well. You won't miss it most of the time:
- Safari Preferences → Security → uncheck Enable Java
- Open
/Applications/Utilities/Java Preferences.app→ uncheck Enable applet plug-in and Web Start applications
Other options
- System Preferences → General → check Automatically update safe downloads list
Open Safari downloads manually:
- Safari Preferences → General → uncheck Open "safe" files after downloading
Flash and PDF viewer
Download Adobe flash only from the official website. However, you don't need to update it manually anymore. The latest Flash update for Mac adds auto-updates.
In Safari, you can use the ClickToFlash extension to manually allow flash to run in your browser.
You don't need to use Adobe's PDF viewer. Apples's preview works in Safari as well. You can remove the Adobe plug-in here:
/Library/Internet Plug-ins/AdobePDFViewer.plugin
Passwords
For creating passwords you can use the Password Assistant provided by OS X. Go to /Applications/Utilites/Keychain Access.app → click the plus at the bottom left → click the key symbol.
Adblock lists
The Adblock and Adblock Plus extensions offer lists to improve your privacy and security.
The lists are named:
- EasyPrivacy: privacy protection
- Malware Domains: malware protection
- Antisocial: blocks social integration.
Related Question
- MacOS – Eliminate com.adobe.ARMDC.Communicator.plist malware
- Advice on securely removing malware
- How to debug malware popups in Safari
- Possible malware called FISE in Accessibility (Privacy & Security)
- Removing randomwhere, malware(leadingsignsearch) from [Security & Privacy] – [Full Disk Access]
- MacOS root password & malware
Best Answer
Sadly, malicious code can be so small and obfuscated in an infinite number of ways so you can't simply make a rule to test a package to tell if it's good or bad.
Statistically, people have established some guidelines like trying to know the source (typing in the web address directly and not trusting a link, not downloading it from an alternate site, insisting that it be code-signed and verifying the package check sum before installing executables), but these are indirect remedies.
Apple maintains a page with links to most security information here:
Additionally, you could insist that all software that you run is signed by a legitimate developer to reduce the likelihood that someone has added a key logger to the game you just downloaded.
Lastly, after several delays, Apple has released GateKeeper to effectively sandbox software so that it has to explicitly list the things that it does (like access the address book, or modify files without user interaction) so that you can only let the system run code that obeys the sandbox rules. From a consumer perspective, you can prevent all code from running while you do whatever checks you feel are appropriate before allowing that code to run on your Mac.