Technology in terms you understand. Sign up for my weekly newsletter, "Confident Computing", for more solutions you can use to make your life easier. Click here.

Every Application Adds Risk

In a previous article, I discussed the fundamental nature of our computer’s operating system: its absolute power to see, and potentially expose, anything we do. We frequently assume, often without actually thinking about it, that the OS is trustworthy.

That may or may not be true.

When it comes to the operating system, our options are limited. There’s really no choice: in order to use our device, we must use an operating system of some sort.

When it comes to the applications we install on our computers, we have both more choice and more risk.

Become a Patron of Ask Leo! and go ad-free!

Every application adds direct risk

Every application you download and install on your computer – be it your desktop, laptop, tablet, or phone – is an opportunity for your security and privacy to be compromised.

We regularly give applications much broader permissions to operate on our information than they need. In Windows, most programs can read any file, whether they need to or not. For example, that desktop chess game you just downloaded has complete access to the financial spreadsheets stored elsewhere on your computer.

On the other end of the spectrum, some operating systems allow us to control permissions at a per-application level. For example, when installing an app on an Android-based device, you’ll often be presented with a list of things to which the new application requires access.

App needs access to....

If we want the application at all, we must grant it all the permissions it requests. And that’s exactly what most people, including myself, do: zip through the list of permissions requested as if it was a license agreement, and accept it all, without reading or considering.

Any application we install could be malicious. It could be explicitly malicious – meaning malware – or it could be less obviously malicious, sharing more information with third parties than we realize, violating our assumptions of privacy.

As we’ll see in a moment, as long as we take appropriate care, we can be relatively safe – but the possibility exists.

Every application adds indirect risk

Even the best-intentioned application includes risk, even if indirectly.

The program could have bugs. It could have errors or omissions that, in turn, could be leveraged by other, malicious software. It could “leak” our information unintentionally in ways third parties can intercept and collect.

Again, none of these risks are included purposefully, but rather as a side effect of oversight, poor design, poor coding or other unintentional accidents.

A great example might be Adobe Flash. It’s not malicious. It’s not intentionally allowing malware on our computers, or intentionally exposing our information to others. But it has so many bugs, errors, and vulnerabilities that its mere presence on your machine – particularly if not updated regularly – increases the risk of other software leveraging those issues to do harm.

All software has bugs. Thus, all software comes with some risk that those bugs, once discovered, could be used by others for unintended actions.

Once again, it all comes back to trust

Privacy?You and I can’t be expected to understand all the details and nuances of software design and marketing. It’s too complex and ever-changing.

Instead, we rely on third parties. Or, more correctly, we rely on our trust of third parties to either do or provide the right thing, or act as a resource to let us know when the right thing isn’t happening.

This is why I so strongly warn against using download sites. The third parties involved – the download sites themselves – have a poor track record of providing software that can be trusted. Instead, I recommend you take the effort to locate the original vendor of whatever software you’re looking for and download directly from the source.

Assuming, of course, you trust them.

I discuss ways of developing and evaluating trust in What Does It Mean for a Source to be “Reputable”? The advice there applies equally here. When it comes to the software you install on your machine – any software – you must weigh the benefits against the risks, and take care to make sure you trust the source.

Rule of thumb: don’t install what you don’t need

The most secure software of all is the software that isn’t on your machine. If it’s not there, it can’t harm you.

I’m sure you know someone who constantly downloads and installs software on their machine. Be it a bevy of anti-malware tools, to the latest games, to who-knows-what, their machine eventually becomes unstable – or worse, their online accounts get hacked as a result of malware that accompanied all those downloads…

…all for things they probably didn’t really need.

Don’t be that person. Smile

Think carefully before installing any software on your computer or other device. Even the most trustworthy and reputable software comes with side effects of some sort, and in the worst case, as we’ve seen, there’s a risk of more malicious intent as well.

Make sure you need it. Make sure you trust the author. Make sure you get it from a source you trust.

And when in doubt, don’t install it. You’re safer that way.

Is anything safe?

All this sounds pretty daunting and perhaps even a little overwhelming. You might be wondering if anything’s ever safe.

The good news is that, for the most part, the software you need, from reputable sources, is generally not malicious, and generally well behaved. There are bad actors out there, of course, but keeping these basic rules of thumb in mind will generally allow you to be safe.

  • Only install what you need.
  • Install only reputable software from well-known sources.
  • Download only from the vendor’s own download site or instructions.

If you’re at all concerned about security and privacy – and you should be – it’s important to be aware and keep these rules in mind.

You’ll have a much safer and more confident experience.

Podcast audio

Play

9 comments on “Every Application Adds Risk”

  1. I rely on people I trust like yourself, Bob Rankin, and a few others to recommend software that might be of use to me. I very rarely just search for software on the internet, precisely because of the potential problems that you identify. And I also accept that very occasionally even you might recommend something problematic – but that hasn’t happened yet, probably because of the care that you take before recommending anything!!

    Leo – keep up the good work, and thanks.

  2. When a programmer updates because of a bug, he rewrites a small part of the program, often inducing other problems.

    • Commenting has been terminated on the older format articles which are on ask-leo.com. That is due to the way comments are being handled through Word Press which doesn’t support comments from the older articles. Gradually, relevant articles are being converted to the new format and comments are being reopened for those articles.

  3. The enjoyment I get from having a PC, is downloading and trying out all sorts of new (to me) programs. I always have up-to-date backups. I think Leo may have mentioned backups a couple times. 😉
    Sometimes, at the senior center, someone will ask me questions I can’t answer right away, so I make notes, go home and try the program they had questions about, and come back with answers. I keep two Windows machines, because most of the people in class use Windows.
    My point is, being careful is great, but being afraid to install anything detracts from your ability to use your PC and the internet.
    I know that’s not what Leo is saying, but I also know that that is how some of the people in class will take it. …And, of course, most people in class read AskLeo regularly. 🙂

Leave a reply:

Before commenting please:

  • Read the article. Comments indicating you've not read the article will be removed.
  • Comment on the article. New question? Start with search, at the top of the page. Off-topic comments will be removed.
  • No personal information. Email addresses, phone numbers and such will be removed.
  • Add to the discussion. Comments that do not — typically off-topic or content-free comments — will be removed.

All comments containing links will be moderated before publication. Anything that looks the least bit like spam will be removed.

I want comments to be valuable for everyone, including those who come later and take the time to read.