Site icon The Mac Security Blog

How to Determine if Software and Updates Are the Real Deal

In a recent story, I covered How to Tell if your Office for Mac Update is Valid, which covers the ways you can safely update your Office suite on a Mac. Of course, Office is not the only popular software out there, but covering each popular software suite or application is also not feasible. So generally speaking, how can you be sure software updates are safe? Follow our guide below, and we’ll show you how to check if your software and updates are the real thing.

Where to get your software

Whether it’s Adobe CC, Office, Skype, a game or any other kind of software, we always recommend to get it directly from the developer or a trustworthy source. Flash Player is a perfect example of a potentially high risk update, due to the vast number of problematic Adobe Flash update notices, many of which are fake.

For instance, an online search for “Download Adobe CC” will likely get you plenty of results, most of which are not the kind you’re looking for. Instead, go directly to adobe.com.

For Skype, it’s always best to go directly to skype.com. This is also the case with Office for Mac updates, don’t do a Web search, instead simply go to microsoft.com where you’ll also be able to find legitimate Office downloads. And for games, your best bet is to download from Steam or the App Store.

The Mac App Store is a good starting point for any kind of software you’re looking for. If the App Store doesn’t have it, the developer site of that software should be the next stop.

There are also websites that sell bundles of software in which, for example, you may be offered $400 worth of apps for only $12. Some are legit, some are not. If you’re not sure if that particular bundle or website is trustworthy, an easy peasy solution is to contact the developer and ask. “Hi [developer], is the $5 software bundle that includes your product on this website real?” They will let you know.

If the software you’re looking for is a paid product, but you stumble upon a website that offers it for free, proceed with extreme caution. You’ve either landed on a BitTorrent website, scam site or maybe you really did find a great deal. Again, when in doubt, contact the developer. They keep track of everyone they partner up with to offer discounts and deals, so they will be able to tell you if it’s a real deal or not.

Finally, websites that offer downloads and links for just about anything, such as softonic.com, download.com, macupdate.com, and others, are best avoided as they have all been caught in unethical behavior of some kind in the past.

Before you install the software

The first thing you should do before installing software is to check who signed the app. Using a utility such as WhatsYourSign, created by Patrick Wardle, can quickly show you who signed the application that you just downloaded. This works on any application, but is particularly useful for software that does not come with an installer. Skype, for example, is just an app you drag and drop into your applications folder. Another good example is Transmission, a BitTorrent client that recently made headlines, twice, due to malware.

Here is the WhatsYourSign information of the official Transmission application:


And here is the WhatsYourSign information of the malicious Transmission application:


A quick search online shows that “Digital Ignition LLC” is indeed the name we should be seeing here. The name is not always an obvious one, so you may have to do a search or contact the developer to make sure what you’re seeing is accurate. Other times it’s easy to see if you have the right one, for example, Skype is signed by “Skype Communications S.a.r.l.”

Keep an eye on any File Quarantine warnings

Software that was downloaded through your browser receives a quarantine flag from the Mac operating system. This causes the “Are you sure you want to open this” dialogs to pop-up when the software is opened for the first time.


If this warning shows the application was downloaded on a date and time that do not match, through a browser you don’t use, or from a website you don’t know, something shady is going on and it’s probably best to trash the application and re-download it from the official source.

Check the installer

While this method of software delivery seems to be increasingly rare, installers can be checked for validity as well. As an example, I’ll use Intego’s very own Mac Premium Bundle X9 installer. After downloaded and when the installer is opened — and this goes for all installers that use macOS’s built-in Installer application — you can see a small padlock icon at the top right of the window.


When you click that padlock icon, the certificate information will pop up, which can help you verify if the installer is the real deal or if it may have been tampered with.

You got your software, made sure it was up to snuff, installed it and are, hopefully, enjoying using it. This is not the end of the cycle for your software though! At some point, it will most likely receive updates that contain stability improvements and bug fixes.

Where to get your software updates

Downloading a software update is almost like downloading the software for the first time. You’re getting it off the Internet and must verify you actually got what you asked for. As with the first time you went looking for the software, get your updates from the developer website or trustworthy source.

Many apps (including Skype) now notify you when something new is available.

Luckily, more and more applications now include a built-in or separate updater that takes care of everything for you. They check for updates at the right source, notify you when something new is available, and download and install it for you.

The App Store will also handle updates for you in the same way. It checks with Apple if updates are available, notifies you if they are and, depending on your preferences, may even install them for you automatically. With the App Store and built-in updaters provided by the developer, there is no need to double-check or verify anything as the process is generally secure. If you download updates from the developer website, either because their software does not include an updater or you only want to download the updates once and distribute them to multiple machines on the network, some verification is recommended.

Additionally, some websites will provide hashes with their downloads. This is a way for you to verify if the file you downloaded is in fact the file they intended to serve you. For more information on how to verify the hashes if these are provided, instructions can be found at the end of this article. All of the other above mentioned ways to verify software should work on updaters as well.

Have something to say about this story? Share your comments below! 

Share this: