Downloading software shouldn’t be difficult or dangerous, but sadly, these days it can be both. So I wanted to write up a short guide on how to download software safely.
The Good: Operating System & App Store Software
Apple, Microsoft and Google have made it easy and safe to update your operating system. That’s a welcome and necessary advancement in computer technology. You should set your OS to update automatically, at least for security updates. See these guides for help in setting that up (or making sure you have it set up correctly):
Similarly, these companies have created official app stores for many popular software applications. If you buy your app through the official app store, you can be sure that it’s been vetted and is relatively safe. It’s not foolproof, but it’s about as good as you’re going to get. Here’s how to properly update app store software:
One quick side note. There’s a lot of talk in the tech news these days about breaking up these app store “monopolies” (or monopsonies). I do agree that when you buy a computer or any device, you have the right to install anything you want on it. However, for security reasons, I would strongly recommend you avoid doing this whenever possible. Again, they’re not perfect, but these app stores do provide a solid degree of protection. And when something bad does slip through, they have mechanisms to automatically update buggy apps and even disable/remove bad apps.
The Bad: Non-App Store Software & Drivers
There are still many software apps that either don’t participate in the app store model or have options for downloading their apps outside the app store system. This is where things can get real dicey, real fast. Software apps and “drivers” downloaded from even long-established third party sites are very often laced with adware, secondary apps you didn’t ask for (often euphemistically referred to as PUPs… potentially unwanted programs), and even straight-up malware.
So the short answer here is: don’t do it. Always go to the original manufacturer’s website to download software and drivers. Sometimes smaller firms will farm this function out to a third party – in which case, their official website should at least point you to a reputable download source.
Note that you need to be very careful when using Google to search for the official download site for a given piece of software. The top search results are often “sponsored” links (look for the small “Ad” or “Sponsored” label), which just means someone paid money to be first. I think you can see why bad guys would be willing to pay for that privilege. Before you click, check that the domain shown in the result really belongs to the manufacturer. Also, be very careful to avoid apps with similar-sounding names (or similar app icons, when searching in an app store).
Thankfully, many apps today have built-in mechanisms for updating their software once it’s installed. PC manufacturers also usually have built-in utilities for updating device drivers, as well. Use those when you can.
The Ugly: Internet of Things Software Updates
Today, everything is connected to the internet. We call this the Internet of Things. Product manufacturers see this as a way to charge you a lot more money to replace your perfectly good “dumb” devices for their swanky new “smart” version. But this means that the device has a computer chip in it. And that chip is running software. And that software – all software – has bugs. So now you need to be checking for and installing software updates on your TVs, thermostats, light bulbs, and kitchen appliances.
This has several problems, the first of which is that most people don’t even realize the above fact. Second, these devices generally don’t update themselves automatically (though they definitely should). Third, security is usually poor or entirely missing on these products. As we like to say: the “S” in “IoT” is for security.
But the real problem is that it’s usually very difficult and sometimes functionally impossible to update the software on these devices manually. Any one of these internet-connected devices could be compromised, either remotely or by some other rogue device in your home network.
Managing Your IoT Device Software
Given the sorry state of affairs in today’s smart devices, here are some tips for mitigating the risks.
- Before you buy any device that connects to the internet, make sure that it has a mechanism for updating its built-in software. If it doesn’t, don’t buy it. (If the device can do what you need it to without connecting to the internet, then just never connect it. I do this for all my smart TVs.)
- If you already own a device that connects to the network but cannot be updated – either because it’s not possible or because it’s no longer supported – you should get rid of it. Seriously, it’s a ticking time bomb.
- Enable your Wi-Fi router’s guest network and put as many of your “smart” devices on that network as you can. (Some require being on the same network as your smartphone or computer.)
- Your Wi-Fi router is the single most important IoT device to keep up to date. It’s the “bouncer” for your entire home network, standing between the internet and every device you own. If that box is hijacked, you’re in deep trouble. If it has an auto-update feature, turn it on; otherwise, set a monthly reminder to check the manufacturer’s site for new firmware and update as required.
- Register your IoT devices using an email account you’ll check regularly. Yes, you’ll get spam, but you should also get emails when bugs are found along with instructions for how to update your software.
[Shameless plug: my book has instructions for these things, and several other related tips.]
How to Verify Downloaded Software
If you want to go the extra mile and be really sure you downloaded the right software and that it’s safe to install, there are two more things you can do.
To verify that you downloaded the exact, unaltered software, you need to check the file’s hash (also called a checksum). A hash is a cryptographic function that produces a fixed-length “fingerprint” of the file. If so much as a single bit is off, the hashes won’t match. To check the fingerprint, you first need to know the type of hash and the expected (official) hash value. If the vendor offers a choice, use SHA-256 (or SHA-512). MD5 and SHA-1 are older algorithms for which attackers can craft two different files with the same hash, so a match proves less than you’d hope. Hashes are really long hexadecimal numbers, like this:
The download site should give you this info, though sometimes you have to dig around the website to find it. Ideally the hash comes from the manufacturer’s own site over HTTPS rather than from the same third-party mirror that served the file; anyone who can swap the download can swap a checksum sitting right next to it. Also keep in mind what a matching hash does and doesn’t tell you: it proves you received exactly the file the vendor published, not that the vendor’s software is safe. To verify the hash value of what you actually downloaded, you’ll need to run a tool on the file you downloaded that will spit out the checksum value. Both major operating systems have one built in: on Windows, certutil -hashfile FILENAME SHA256; on a Mac, shasum -a 256 FILENAME in the Terminal. I won’t go through the step-by-step here because there are several good online guides. Here are a couple for Windows and Mac:
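As an added illustration (not part of the original post, and not one of the guides it links to), here is a small Python script that does what those built-in tools do: it hashes a downloaded file in chunks, compares the result with the vendor’s published value without caring about upper/lower case or stray whitespace, and understands the “hash  filename” listing format that sha256sum and shasum produce. It deliberately refuses MD5 and SHA-1. The sample “installer” and its published hash at the bottom are constructed for the demo; the digest used is the well-known SHA-256 of the three bytes “abc”.

```python
import hashlib
import hmac
import os
import tempfile

# MD5 and SHA-1 are deliberately absent: both are collision-broken, so a
# matching digest proves less than it should. Stick to the SHA-2 family.
TRUSTED_ALGORITHMS = ("sha256", "sha512")


def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Return the hex digest of a file, reading it in chunks so a multi-GB
    installer never has to fit in memory. Rejects weak or unknown algorithms."""
    if algorithm not in TRUSTED_ALGORITHMS:
        raise ValueError(
            f"refusing hash algorithm {algorithm!r}; use one of {TRUSTED_ALGORITHMS}"
        )
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def digests_match(actual_hex, expected_hex):
    """Compare two hex digests. Vendors publish hashes in upper or lower case
    and often with surrounding whitespace, so normalise first. compare_digest
    does not stop at the first differing character."""
    a = actual_hex.strip().lower().encode("utf-8")
    e = expected_hex.strip().lower().encode("utf-8")
    return hmac.compare_digest(a, e)


def parse_sums_file(text):
    """Parse the listing written by sha256sum / shasum: one '<hex>  <filename>'
    per line (a leading '*' on the filename means binary mode). Returns a dict
    of filename -> expected hex digest; blank lines and '#' comments are skipped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        expected[name.lstrip("*")] = digest
    return expected


def verify_download(path, expected_hex, algorithm="sha256"):
    """Hash the downloaded file and compare it with the published value.
    Returns (matched, actual_hex) so a mismatch can be shown to the user."""
    actual = file_digest(path, algorithm)
    return digests_match(actual, expected_hex), actual


if __name__ == "__main__":
    # Constructed demo: a tiny stand-in for an installer, plus a SHA256SUMS-style
    # line as a vendor might publish it. The digest is SHA-256 of b"abc".
    published = (
        "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD  setup.exe"
    )
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "setup.exe")
        with open(path, "wb") as f:
            f.write(b"abc")
        expected = parse_sums_file(published)["setup.exe"]
        ok, actual = verify_download(path, expected)
        print("hash matches" if ok else f"MISMATCH: got {actual}")
        # Change a single byte of the file and the fingerprint no longer matches.
        with open(path, "wb") as f:
            f.write(b"abd")
        ok, actual = verify_download(path, expected)
        print("hash matches" if ok else f"MISMATCH: got {actual}")
```

Run it against a real download by replacing the constructed file and listing with the installer you saved and the hash line copied from the vendor’s site. If the result says MISMATCH, don’t install the file: download it again directly from the manufacturer and compare once more before deciding anything went wrong on your end.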
The other thing you can do is check the file for viruses. (And you can do this for any file you download or receive via email, not just software you download.) I generally don’t install antivirus software, but sometimes I do run on-demand checks for files I download using the free version of Malwarebytes or I upload the file to VirusTotal. Two caveats on VirusTotal: files you upload are shared with the security vendors and researchers who use the service, so don’t upload anything containing private data, and a clean result means only that no engine recognized the file at that moment, not that it’s guaranteed safe.
Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.