Installing apps on a Mac is generally considered to be safer than doing so on Windows and open-source software is usually benign but there are exceptions to both of these assumptions that can do untold damage to your privacy and security.
A recent discovery by Trend Micro provides a startling example of this risk. An open-source app designed to help Mac owners with iPhone and iPad app signing has been altered to include a nasty hack that steals your Apple Keychain data. The original app is called ResignTool and it’s available for free on the popular open-source site, GitHub. The app is six years old and both the code and the ready-to-run app can be downloaded from GitHub. That isn’t the problem.
The issue arises from how easy it is to access the code, make changes and upload elsewhere as if it’s the same app. Very little work has to be done by the hacker to deliver their malware under the guise of a genuinely good-intentioned app.
If you make the mistake of downloading the malware version of an open-source app, you might be handing over the keys to your Apple kingdom since your Mac automatically syncs passwords you’ve stored on your iPhone and iPad in the Keychain. Every app and every website login could be stolen, including passwords to financial apps and banking websites.
There are common-sense solutions to ease these concerns. Critically important apps and websites should have two-factor authentication enabled. If possible, get apps from the Mac App Store that have been tested to be safe. If you download from a website, make sure you know and trust the source. You also might want to find out if your Mac could benefit from antivirus protection.
