Mac users have it easy when it comes to computer security. There’s no need to run resource-hogging anti-virus software, worry about the lion’s share of exploits that specifically target Windows users, and your Mac will even scream at you for trying to install software from an unknown source.
As a result you might think it’s pretty difficult to infect your Mac with malware, but there are always exceptions. Apple’s desktop operating system can be compromised in a number of ways — here’s five of them.
Download Pirated Software
This is probably the most obvious way to put your Mac at risk, and the same is true for Windows users. You could however argue that Windows users are in a better situation purely by virtue of the fact that there are a huge number of virus scanners available for the platform, and most users understand the importance of security software on Windows. Personally I haven’t got a virus scanner on my Mac, and I doubt you have either.
That’s because Apple’s operating system has long been considered a relatively safe platform, but when you install software you’re opening that platform up to third parties. While it’s likely that many (most?) providers of pirated software out there are mostly concerned with making paid software available for nothing, there’s no way to know for sure.
There’s a huge amount of trust involved in running keygens and other third-party activation tools to crack expensive software packages. There’s no way to know what’s been tampered with, and by who. While your Mac sandboxes software by default, anything that asks for an admin override to gain unfettered access to your system should ring alarm bells.
It’s also unwise to trust everything you read in the comment section of your favorite torrent tracker. While the software may indeed work once all of the steps have been followed, many users may not realize they are infected. A blog post by Sophos published in May 2016 mentions infected torrents consisting of a reworked version of iWorks (Apple’s office suite), a reworked version of Xcode (Apple’s developer tool), and even a download of Linux Mint that included Linux-specific malware.
If you don’t want to install more than you bargained for, stick to free alternatives or open your wallet and download software from legitimate sources.
Install Fake Anti-Virus Software
Remember Mac Defender? It surfaced in 2011 and positioned itself as an anti-malware tool that could help you clean up your infected system. The scam was made all the more believable by a fake webpage that warned users they had been compromised, and that installing Mac Defender was the best way to rectify the situation. The problem became so widespread that it prompted Apple to post instructions about removing and avoiding the software.
Generally speaking, the dodgier the website the more likely you are to see such a bogus warning. This goes hand-in-hand with pirated software, though these adverts have a tendency to infiltrate legitimate advertising networks too. Many take control of your browser, flooding you with pop-up dialog boxes that require you hit “Continue” which in turn serves a bogus download.
While online virus scanners do exist, they don’t present themselves as unwanted tabs or start unsolicited scans of your system while you are browsing the web. Many browsers protect against this sort of dishonest and aggressive approach by providing flood protection against dialog boxes, and in the case of some browsers (like Chrome) blocking access to websites altogether.
After lying to you about having an infected machine, scams like this usually install ransomware which requires you hand over some cash in order to remove the software you didn’t need in the first place. There are legitimate Mac antivirus programs available, but you really only need a few free tools for a secure system.
Use Unpatched Flash
The Flash browser plugin is Adobe’s leakiest product, responsible for more of the company’s security issues than any other single product. So far in 2016, more than 200 vulnerabilities have been recorded. It’s also becoming more and more obsolete, as technologies like HTML5 allow modern browsers to perform many of the same tasks natively.
Flash is outdated, poses a security threat and, thanks to a concerted effort by the industry, is currently being phased out. As recently as last year we called for users to uninstall Flash altogether as it’s quite possibly the biggest threat to platform security on any operating system. But don’t just take our word for it — in June 2016 Apple started automatically blocking versions of Flash that are out of date in the Safari browser.
Firefox disabled Flash at one point, and Google’s Chrome browser has long included a sandboxed version of Flash which restricts the plug-in by running it in a secure environment that can’t hurt your PC. If you are running Safari, you can force the browser to ask you to “trust” websites that try to run Flash under Preferences > Security >Plug-in Settings.
It’s worth noting that even running the latest version of Flash doesn’t mean you’re safe, as zero-day vulnerabilities where the vendor (Adobe) isn’t given time to fix the exploit before its details are made public still pose a threat. If you really want to be safe, disable Flash altogether in Safari by unchecking Flash in Preferences > Security >Plug-in Settings, or better yet uninstall it from your system completely.
Enable Java’s Browser Extension
Noticed a pattern forming yet? The biggest security concern faced by Mac users comes predominantly from third-party software. By design, Apple’s operating system is generally pretty secure (but only a fool would believe it’s completely water-tight). Another way of opening your system up to attack is by installing Java and its browser extension, which allows you to run software written in Java right in the browser.
This dialogue could end with "If you've taken leave of your senses you can enable Java in your browser" pic.twitter.com/yMDw2v8ypS
— Ryan Kilfedder (@ryankilf) August 1, 2016
When the technology first arrived in 1995, it was a game-changer and allowed for the development far more advanced web-based software than ever before. But Java’s browser plugin quickly built up a reputation for putting devices at risk, running malicious code within the browser, and untimely updates from Oracle themselves.
The Java Runtime Environment, which allows users to build and distribute standalone apps, has proven to be just as secure as any other development framework; but there have been many flaws in the way the Java browser plugin handles sandboxing. Oracle has demonstrated time and time again that they are unable to secure the technology, and now major browsers have started to phase it out.
So nice, Safari on macOS Sierra will disable all plugins (Flash, Java, Silverlight, etc.) by default. https://t.co/ETVpODcxwR
— puppethead (@puppetdark) June 14, 2016
In 2015 Google’s Chrome browser dropped Java and a few other plug ins entirely, making it impossible for them to run. If you’re using Apple’s own browser, you can disable it entirely by unchecking the relevant box in Safari’s Preferences > Security > Plug-in Settings menu.
It’s unlikely you’ll need to rely on websites that use the Java browser plugin any more, and if you do there are likely alternatives you can turn to that use a more modern technology. For that reason you can uninstall Java and its browser plugin altogether, or at the very least limit your system to the Java Runtime Environment for running local software.
Blindly Trust Apps & Browser Extensions
Since GateKeeper came along, Apple has been meddling in your Mac’s affairs on a third party software level. The technology prevents unsigned applications from running by default, and can even be locked down to only allow software from the Mac App Store to run. This means that by default your Mac can’t just run software from anywhere — you have to disable the feature or override on a per-app basis under System Preferences > Security.
The reality is that most unsigned software is safe, even if it isn’t signed by Apple. Of course there are exceptions, but the reality is that your own discretion is one of the most valuable security tools you have available. Not all developers can justify the cost of enrolling as a trusted developer, and others have to work outside of the boundaries set by the Mac App Store. Many apps that we recommend here at MakeUseOf are not available on the App Store, nor are they signed by a “trusted” developer — but they’re still legitimate apps that won’t harm your system.
App sandboxing exists in OS X to safeguard your machine, which prevents apps from having unfettered access to your system. App permissions also help restrict your computer giving away too much information about you, just like in Apple’s mobile operating system iOS. Your Mac will now ask you if you consent to an app having access to your Contacts, or to manage your Accessibility options.
Some apps require admin-level permissions, and require you enter your admin password upon installing or when trying to perform a certain operation. These are apps you want to keep an eye on, but you don’t necessarily need to distrust all. Most will simply need a higher level of access, like all-in-one Apache, SQL and PHP installer XAMPP, or Duet Display which turns your iPad or iPhone into a second display but requires the installation of a driver in order to do so.
Other apps may pose a risk — some third party tweaks apps may ask for admin-level permissions to run sudo commands, which you could just run yourself in Terminal. The more obscure the app, the higher the risk — above all avoid apps that are hosted on file lockers like Mega or cracked apps downloaded via BitTorrent.
Browser extensions should also be treated with the same level of scrutiny. Whenever you add a new extension to Chrome, Firefox, or Safari, you’re explicitly allowing another piece of code to run inside your browser. While attempts are made to mitigate this sort of intrusion using measures like Chrome’s permissions system, many browser plugins ask for full access to your browsing data. They can be used to scrape personal information and credentials, and even insert adverts into web pages without your knowledge.
As a result, question every browser extension you have installed. On Safari, you can head to Preferences > Extensions and click on a browser to reveal the Uninstall option. Regardless of which browser you’re using, it’s better to get rid of extensions you rarely or never use to free up space, resources and revoke unwanted access to your browsing data.
Sometimes apps you trust that are already installed can put you at risk, though these occurrences are few and far between. In March 2016 it was found that an update to trusted Mac BitTorrent client Transmission was infected with ransomware, which compromised your Mac simply by installing the update. Fortunately developers pulled the update and issued a new version, as well as instructions for removing the update altogether.
Don’t Be Scared
Security is one of the things Apple has a history of getting right. As more people buy Macs, and Microsoft tightens up security on their end, malware developers often turn their gaze towards Apple. The reality is that the pay-off is still relatively low due to a small installed user-base, so your Mac isn’t as big a target as you probably think it is.
The biggest threat to your Mac usually comes from third-party software like web plug-ins and browser extensions that harvest your information. Many such exploits can be used across multiple platforms, so the pay-off is bigger. Fortunately the reliance on security risks like Flash and Java is waning, as the technologies are phased out in favor of more secure modern technologies.
Most Mac users are used to not requiring any additional security software, and that’s largely true. You still may want to exercise a bit of common sense when installing software and providing admin-level access to applications that request it though — just to be safe.
Have you ever had an infected Mac? Tell us all about your security problems (or lack of them) below.