Setapp & Security / Dev Trustworthiness

Question re: Setapp and developer verification / app checking…

Apple purportedly does some manner of QA on apps that come through the Mac App Store. Presumably they’re checking to make sure that your weather app isn’t bundling up your contact data and shipping it off to a random Chinese government agency, for example.

Does Setapp do anything similar? Or is there a process that they use to vet the apps that show up on their platform?

They have at least one SSH client, at least one password manager, etc. - and obviously those are the sorts of apps that one is trusting with relatively sensitive data. Just curious as to what verification has been done (if any) of the developers / software / etc. :slight_smile:

Anybody know?

The SetApp apps are some of the best of the available Mac apps, and users are dependent on trusting the developers, just as users would if they purchased the apps from the devs’ websites.

The protections you ascribe to the Mac App Store are largely the result of sandboxing, although there is a basic malware scan.

As this recent blog post notes,

“Notarization is explained in detail here by the horse’s mouth: it’s about meeting certain technical requirements, and the finished product passing Apple’s automated tests for malware. Apple doesn’t see any source code, nor does it check that the software isn’t thoroughly pushy and annoying, or totally dysfunctional. I’m a great fan of notarization, but you must appreciate its limitations: it isn’t intended to assure that a product can’t be a PUP.”

PUPs are “Potentially Unwanted Programs.”

On iOS Apple has in the past caught or been alerted to apps which load malware/spyware code after users download and run the app, and then deleted the app afterwards.

I know most of the SetApp apps, and I own a sizable minority of them already, which is the only reason I’m not a subscriber. But I’d personally be comfortable using the apps (though I’m always protected by running a few anti-malware apps in the background at all times).
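Since the reply above points out that the Mac App Store protections come from sandboxing plus a notarization check that only runs automated malware tests, here is a small shell script, added as an example and not from this thread, that reports those same signals for any app bundle (a Setapp one included). It assumes macOS with codesign(1) and spctl(8) present and macOS 12 or later for the `--xml` entitlements output; the two classifier functions read tool output from stdin so they can be exercised on constructed text.

```shell
#!/bin/sh
# Added example (not from this thread): report the trust signals discussed above
# for a macOS app bundle: a valid code signature, the Gatekeeper/notarization
# verdict, and whether the app opts into the App Sandbox. Assumes macOS with
# codesign(1) and spctl(8); the two classifiers read tool output from stdin so
# they can also be exercised on constructed text.

# Map `spctl -a -t exec -vv` output to one word. Example lines (constructed):
#   /Applications/Foo.app: accepted
#   source=Notarized Developer ID
classify_gatekeeper() {
  out=$(cat)
  case "$out" in
    *rejected*)                        echo rejected ;;
    *"source=Notarized Developer ID"*) echo notarized ;;
    *"source=Mac App Store"*)          echo app-store ;;
    *"source=Developer ID"*)           echo developer-id ;;  # accepted but not notarized
    *)                                 echo unknown ;;
  esac
}

# Succeed only if the entitlements plist on stdin sets the App Sandbox key to true.
# Whitespace is stripped so <key> and <true/> can be matched on one line.
is_sandboxed() {
  tr -d ' \n\t' | grep -q '<key>com.apple.security.app-sandbox</key><true/>'
}

check_app() {
  app="$1"
  if codesign --verify --deep --strict "$app" >/dev/null 2>&1; then
    sig=valid
  else
    sig=INVALID
  fi
  # spctl writes its verdict to stderr, hence 2>&1
  verdict=$(spctl -a -t exec -vv "$app" 2>&1 | classify_gatekeeper)
  # `--entitlements - --xml` prints the entitlements as an XML plist (macOS 12+)
  if codesign -d --entitlements - --xml "$app" 2>/dev/null | is_sandboxed; then
    sandbox=yes
  else
    sandbox=no
  fi
  printf '%s\n  signature: %s\n  gatekeeper: %s\n  sandboxed: %s\n' \
    "$app" "$sig" "$verdict" "$sandbox"
}

# Usage: sh check_app.sh /Applications/Some.app [more .app paths]
if [ "$#" -gt 0 ]; then
  for app in "$@"; do check_app "$app"; done
fi
```

A "notarized" verdict only means Apple's automated malware scan passed; "sandboxed: no" on a non-App-Store app is the difference the reply above is describing, not by itself a sign of anything bad.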

You don’t hear that a lot from Apple users… (especially more than one)

Which ones?

(if that’s not too off-topic here)

I use several free apps from Objective-See, a tiny security shop owned by former NSA programmer Patrick Wardle, whose current day job is at Jamf. (Because the free apps are so useful to me, and updated regularly, I contribute to Wardle’s Patreon page.)

OverSight sits in the background and gives me pop-ups to confirm when an app takes control of my mic or camera (you can accept, deny or permanently whitelist).

Once a month or so I run KnockKnock, which looks at and shows all third-party plugins (and update agents, scripts, and browser extensions), broken down by category, and examines them to see if any contain VirusTotal-specific information about the file, and flags bad or unknown items. I also use BlockBlock, which is basically a real-time KnockKnock - it sits in the background and asks you to confirm when such persistent objects try to install themselves (which is not uncommon during app installs).

And every couple of weeks I also manually run the free version of MalwareBytes. (You get the full version for an x-day free trial, which does real-time monitoring and protects against your drive getting encrypted for ransomware - then it reverts to the manual-only free version after the trial expires.)
