Should I be cautious about entering my password when installing a free app (HashTab)

[Ocean Sea]

I found a free checksum app that suits my needs called HashTab

There is one snag, it comes in an "installer" package and it wants me to enter my system password to install the app. Am I right to be cautious about entering my system password for a free app.

A couple of other reasons why I am a little cautious. On the site I found it on it there are only acouple of people using it. And the same goes for macupdate

Am I being paranoid?

 

[miles01110]

You're being asked for your password because in order to install anything OS X makes sure you have administrator privileges to do so.

That being said, unless you trust the source of whatever you're installing you shouldn't install it. Once you enter the password, the program can basically do whatever it wants.

 

[old-wiz]

I tend to be a bit paranoid about installing free apps. If it's something that's widely used and well known like Firefox, I go ahead. However, if it's something little known I tend to skip it.

 

[Ocean Sea]

You're being asked for your password because in order to install anything OS X makes sure you have administrator privileges to do so.

Being a mac newbie I thought that was standard procedure, that OSX would ask for my password every time I installed a new app. However I have installed a few that didn't require my password. I simply dragged the apps to my app folder and they worked.

As a newbie, I am presuming that that type of 'password-less' app is 'safer' than one that requires a password.

 

[miles01110]

However I have installed a few that didn't require my password. I simply dragged the apps to my app folder and they worked.

Right, I thought about that right after I responded the first time. Those are more self-contained apps that don't need to put files elsewhere on your system. If you download them you should get the warning "This is an application you downloaded from the internet..." so it at least makes you think about it.

As a newbie, I am presuming that that type of 'password-less' app is 'safer' than one that requires a password.

It really depends...there's not a general rule.

 

[Ocean Sea]

It really depends...there's not a general rule.

Yeah I suppose its a bit naive for me to generalize like that. Having the souce code freely available would be another reassuring point, right?

I love OSX and I am glad I made the switch but part of me preferred the 'Windows way' that I was able to directly scan a downloaded app file with say AVG Free and Spybot Search and Destroy and have that bit more peace of mind that the file contained no nasties.

I wish some one would create a good free anti spyware app for OSX.

 

[GGJstudios]

Yeah I suppose its a bit naive for me to generalize like that. Having the souce code freely available would be another reassuring point, right?

I love OSX and I am glad I made the switch but part of me preferred the 'Windows way' that I was able to directly scan a downloaded app file with say AVG Free and Spybot Search and Destroy and have that bit more peace of mind that the file contained no nasties.

I wish some one would create a good free anti spyware app for OSX.

There are no viruses that run on current Mac OS X and trojans/spyware are very few. As long as you're getting software from reliable sources, you shouldn't have a problem, even with free apps (of which there are thousands). Your greatest risk would be installing pirated apps you download from torrent sites. If you're not doing that, you should be fine.

 

[Ocean Sea]

There are no viruses that run on current Mac OS X and trojans/spyware are very few. As long as you're getting software from reliable sources, you shouldn't have a problem, even with free apps (of which there are thousands). Your greatest risk would be installing pirated apps you download from torrent sites. If you're not doing that, you should be fine.

No, no warez or anything like that. But I love free apps like Textwrangler, The Unarchiver, Burn, VLC, Handbrake etc.

And while the 'no viruses on OSX' argument is fairly sound, I [think] I see a gaping hole for spyware like keyloggers on OSX. Maybe its 'cause I am a new OSX user, but I feel kinda naked just installing apps without scanning them!

 

[jtara]

It's not the app that is asking for your password, but the OS. So, the app isn't capturing your password. The OS gives the installer process "root" privileges, and then the installer has the ability to write to any file or directory on your system. Once the installer is done, the application has no special privileges. (Unless it left special goodies around, such as a "suid" executable.)

I'm afraid that I'm unfamiliar with all of the details, but the OS takes a number of steps to prevent installers from spoofing the password request. For example, the password request dialog will be the only thing on-screen that will accept entry - the rest of the desktop will be "greyed out" and it will be impossible to interact with. In theory, it's impossible for an application to put the GUI in that state, so you should be reassured that it is the system asking for the password, not the installer itself.

The reason the application needs the root privilege is because it needs to install some files in system directories.

You normally have access to the Applications directory because of the way OSX sets-up group privileges by default. Your normal account will normally have access to write to the Applications directory. That's why you can just drag applications into there. Some applications need nothing more than this to be properly installed. Frankly, this isn't the safest way to set-up your machine, as any program you run could potentially alter the Applications directory!

So, the bottom line is you are right to be concerned about any third-party application you install. I don't think you have to be concerned about password capture, though, but you should be concerned about what it might do during installation.

 

[GGJstudios]

No, no warez or anything like that. But I love free apps like Textwrangler, The Unarchiver, Burn, VLC, Handbrake etc.

And while the 'no viruses on OSX' argument is fairly sound, I [think] I see a gaping hole for spyware like keyloggers on OSX. Maybe its 'cause I am a new OSX user, but I feel kinda naked just installing apps without scanning them!

The apps you mention are all fine, as are thousands more. No worries about keyloggers with those, either. A good bet is to search this forum with the name of any app you're not sure about, to see what others have said about that app. MRoogle makes it easy to search this site, and will help you find answers to just about any question you can come up with. They've all been asked dozens, if not hundreds of times before.

 

[Ocean Sea]

It's not the app that is asking for your password, but the OS. So, the app isn't capturing your password.......

That's very interesting. When you explain it like that, it makes me somewhat less suspicious about entering passwords for free apps.

Caution is the best way forward.

A good bet is to search this forum with the name of any app you're not sure about, to see what others have said about that app. MRoogle makes it easy to search this site, and will help you find answers to just about any question you can come up with. They've all been asked dozens, if not hundreds of times before.

Thats a great point. There is a huge amout of info in these forums but I have to say the built-in search facility is poor (and hence a reluctance to use it) but that MRoogle could be just the ticket.

Cheers. Thanks for the tip.

 

[Ocean Sea]

Just to finish up, I have gone for Checksum 1.9 (and on macupdate)

I searched HashTab on MRoogle but it didn't turn up much (good or bad).

I searched Mroogle for Checksum 1.9 website and foud quite a few posts frompeople using his stuff. He has also published the source, Its quite a small app 295K and no need fo my password!!

On the downside it doesn't do cover as many checksums as HashTab but it's not a bad compromise .And maybe I'll find out more about HashTab or its developer to satisfy me.

Thanks to all for the help

 

[jbz]

Check out feedback about the windows version. It has been around for years and is pretty well regarded. The osx version is pretty new, but I doubt you would have a spyware version on osx and a clean version on windows. Also check out softpedia's mac site. They have validated it is 100% spyware free.

Just to finish up, I have gone for Checksum 1.9 (and on macupdate)

I searched HashTab on MRoogle but it didn't turn up much (good or bad).

I searched Mroogle for Checksum 1.9 website and foud quite a few posts frompeople using his stuff. He has also published the source, Its quite a small app 295K and no need fo my password!!

On the downside it doesn't do cover as many checksums as HashTab but it's not a bad compromise .And maybe I'll find out more about HashTab or its developer to satisfy me.

Thanks to all for the help

 

[Ocean Sea]

The osx version is pretty new, but I doubt you would have a spyware version on osx and a clean version on windows.

That's a fair point. Its just with the lack of any OSX users using it made me cautious. But I suppose it being new for OSX would help explain that.

Also check out softpedia's mac site. They have validated it is 100% spyware free.

It's amazing, I have searched for apps before and come across sites like softpedia and their certification that such-and-such app was 100% spyware free and I never really paid any attention to those certifications. I suppose it was cause I was on Windows and I'd scan the apps myself. But it looks like they may just have become very relevant for me! (I am presuming Softpedia's certification would be credible?)

Thanks for the great tip, jbz. Cheers.

 

[GGJstudios]

It's amazing, I have searched for apps before and come across sites like softpedia and their certification that such-and-such app was 100% spyware free and I never really paid any attention to those certifications. I suppose it was cause I was on Windows and I'd scan the apps myself. But it looks like they may just have become very relevant for me! (I am presuming Softpedia's certification would be credible?)

It does sometimes take a while for a Windows user to adapt to the "Mac world", but rest assured: as long as you're not downloading what you know to be pirated software from file sharing sites, and as long as you're downloading software from established sites, you basically don't have anything to worry about. In Windows, there is (appropriately) a preoccupation with viruses and malware. With Mac OS X, you're free from 99.98% of that, and it's highly unlikely that the average Mac user will ever encounter the remaining .02%.

You can find lists of essential applications in this thread, as well as these sites: here and here and here.....and here.

Just enjoy your new Mac and let your mind be at ease.

 

[pcs are junk]

Yeah I suppose its a bit naive for me to generalize like that. Having the souce code freely available would be another reassuring point, right?

I love OSX and I am glad I made the switch but part of me preferred the 'Windows way' that I was able to directly scan a downloaded app file with say AVG Free and Spybot Search and Destroy and have that bit more peace of mind that the file contained no nasties.

I wish some one would create a good free anti spyware app for OSX.

try googling clam xav, i use it and it is great. its a free anti virus software designed for mac, and it lets you scan any file you want. so therefore you should be able to scan the download file, just like in windows xp, but on a mac.

 

[Ocean Sea]

try googling clam xav, i use it and it is great.

Thanks for that tip. I had looked at it before (briefly) but for some reason I thought it might be a bit gimmickie or amateurish. I think I thought because its not got a company like AVG or whoever behind it that it might not be up to date, or maintained as actively as I would expect an anti malware app to be.

However I am going to take another more in depth look at it- thanks.

 

[Ocean Sea]

You can find lists of essential applications in this thread, as well as these sites: here and here and here.....and here.

Just enjoy your new Mac and let your mind be at ease.

I just got round to checking out those links. Very very helpful. Thanks

 

[gnasher729]

That's very interesting. When you explain it like that, it makes me somewhat less suspicious about entering passwords for free apps.

While the installer cannot catch your password, it can do anything that the administrator can do, like erasing your hard drive, installing trojans, anything. On the other hand, an application that didn't need your password can still do anything a normal user can do, like erasing all the data of that user.

So whether or not a password is required, you either trust the source of the software or you don't.