What’s the Security Issue for Third-Party Mac Apps?

May 16, 2017


Apple has built an impressive ecosystem for the users of its devices, who can download most of the apps they need from the App Store. iOS apps that do not obtain Apple’s approval do not appear in the App Store and cannot be accessed by iPhone or iPad users. That’s why many people think that iOS devices are the best place for everyday entertainment, while Google’s Android, an open-source OS, is filled with malware.

So what about the Mac App Store? It holds a great many applications, yet because of Apple’s policy limitations, some famous and well-received apps do not show up there, including Photoshop, Creative Cloud and Microsoft’s products. In the Mac App Store, you find the app and click the Buy or Get button to download and install it to your Applications folder. For third-party apps that cannot be obtained in the App Store, you need to run an installer or open a disk image instead. That is a bad experience for some users who would like to purchase Mac apps.

We all know that the Mac App Store automatically updates apps installed through it, and we believe that Apple will take responsibility for guaranteeing the security of these apps. But what about updates to third-party apps? Who checks whether there is any malware in those software updates? The answer is nobody.

Third-party app developers use software update modules to check for updates and then push them to users, prompting them to download and install the update. Many macOS developers use Sparkle Updater, a third-party, open-source framework used to facilitate software updates, to push out updates for their apps. Last year Sparkle was reported to leave a huge number of third-party Mac apps open to attack due to a vulnerability in this updater. The flaw, found in certain Sparkle builds, allows attackers to insert and execute JavaScript code when affected apps check for software updates. So far there is no easy way to know how many third-party apps installed on your Mac are using Sparkle Updater to check for, download and install updates.
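One way to take that inventory yourself, as an added example that is not part of the original article or of the Sparkle project: the script below walks a directory of app bundles and reports those that embed `Sparkle.framework`, the framework's bundled version, and the update feed declared under the `SUFeedURL` key in the app's `Info.plist`. The function names and the `/Applications` default are assumptions of this example, and apps that bundle Sparkle in a non-standard location or set their feed in code will be missed or shown without a feed.

```python
import plistlib
import sys
from pathlib import Path
from urllib.parse import urlparse
from xml.parsers.expat import ExpatError


def read_plist(path):
    """Parse a plist (XML or binary); return {} if missing or unreadable."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return {}
    return data if isinstance(data, dict) else {}


def sparkle_version(framework):
    """Version of the bundled framework, read from its own Info.plist."""
    candidates = [framework / "Resources" / "Info.plist"]
    candidates += sorted(framework.glob("Versions/*/Resources/Info.plist"))
    for plist in candidates:
        version = read_plist(plist).get("CFBundleShortVersionString")
        if version:
            return version
    return "unknown"


def find_sparkle_apps(root):
    """List .app bundles under root that embed Sparkle.framework."""
    findings = []
    for app in sorted(Path(root).rglob("*.app")):
        framework = app / "Contents" / "Frameworks" / "Sparkle.framework"
        if not framework.is_dir():
            continue
        feed = read_plist(app / "Contents" / "Info.plist").get("SUFeedURL", "")
        findings.append({
            "app": app.name,
            "sparkle": sparkle_version(framework),
            "feed": feed,  # empty when no SUFeedURL is declared in Info.plist
            # An update feed fetched without TLS can be altered in transit.
            "plaintext_feed": bool(feed) and urlparse(feed).scheme.lower() != "https",
        })
    return findings


if __name__ == "__main__":
    # Default scan root is an assumption; pass another directory as argv[1].
    for f in find_sparkle_apps(sys.argv[1] if len(sys.argv) > 1 else "/Applications"):
        flag = "PLAINTEXT FEED" if f["plaintext_feed"] else ""
        print(f'{f["app"]}\tSparkle {f["sparkle"]}\t{f["feed"] or "(no SUFeedURL)"}\t{flag}')
```

Compare the reported framework version against the Sparkle project's own release notes to decide which apps need an update from their vendor.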

That’s how those third-party apps install updates on Mac. Who should be responsible for checking this software to make sure there is no malware hidden in the updates? App developers? Framework developers like the Sparkle organization? Or Apple?

Unlike the iOS App Store, the Mac App Store does not cover many popular applications, and though the Mac allows running software from other sources, users have to find those apps through other channels, such as identified developers. So here’s the conclusion: most security issues for third-party apps lie in their updates. In fact, it can take attackers less effort to install malware on millions of Mac devices.

What do you think of the security of 3rd party apps? Share your ideas with us.
