During a lunch discussion of graduate students and professors, some of us Mac users were talking about our favorite widgets. A professor, who is a PC user, but with nothing against Mac, warned that free, fun apps are often spyware. I told him this wasn't a problem on macs, but he wasn't convinced. I've never heard of any mac users having spyware problems, and nothing comes up in a forum search (except boasts), but what other reasons are there that this could not be?
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Could Widgets Be Spyware?
- Thread starter spellflower
- Start date
- Sort by reaction score
I don't know, but I am pretty apprehensive about things such as the gmail widget - which is written by a 3rd party, not gmail itself. I'm not saying that whoever wrote it shouldn't be trusted, i'm just saying it's something to think about when you use a piece of software written by a 3rd party that's not related to the service you are trying to access. Does anyone know if the code is open source?
Well ask the professor how it is spyware? if he just says that most free products are, then show him the huge slew of thousands of free apps for OS X
Depends on what you mean by spyware.... In the traditional Windows sense, I think, the answer is no for two reasons:
1) Windows spyware are applications that run on the host computer (yours) that are installed and activated without your permission, typically through ActiveX mechanisms. Although it was not true in the original Tiger, at present, none of the major Tiger browsers, including Safari, will allow a downloaded widget to install itself and activate without your permission.
2) I don't think there's a feature per se that allows a widget to run "invisibly"
On the other hand, Widgets communicate with websites, and can also extract information from your computer (calendar or address book entries, mail status, etc, etc) and some of them also communicate with websites and provide them information through mechanisms like Post / maintain cookies with them.
So for instance, as far as I can tell, there's nothing that prevents someone from creating a widget that would do something like retrieve your calendar or address book and post the information via HTTP to a retrieving server somewhere on the public internet. And this uses outgoing port 80, and so your firewall would not protect you from this.
But you would have to willingly install the widget.
What do people think about that? It seems accurate; if you combine what, say, the Address Book widget can do, with what the Translator widget can do, you have everything you need to accomplish this, don't you? There's no obvious mechanism of which I'm aware which prevents a miscreant widget plus a private website to receive the data from doing this.
1) Windows spyware are applications that run on the host computer (yours) that are installed and activated without your permission, typically through ActiveX mechanisms. Although it was not true in the original Tiger, at present, none of the major Tiger browsers, including Safari, will allow a downloaded widget to install itself and activate without your permission.
2) I don't think there's a feature per se that allows a widget to run "invisibly"
On the other hand, Widgets communicate with websites, and can also extract information from your computer (calendar or address book entries, mail status, etc, etc) and some of them also communicate with websites and provide them information through mechanisms like Post / maintain cookies with them.
So for instance, as far as I can tell, there's nothing that prevents someone from creating a widget that would do something like retrieve your calendar or address book and post the information via HTTP to a retrieving server somewhere on the public internet. And this uses outgoing port 80, and so your firewall would not protect you from this.
But you would have to willingly install the widget.
What do people think about that? It seems accurate; if you combine what, say, the Address Book widget can do, with what the Translator widget can do, you have everything you need to accomplish this, don't you?
There's no obvious mechanism of which I'm aware which prevents a miscreant widget plus a private website to receive the data from doing this.
The prof is absolutely correct. Once you decide to install any program, you are at the mercy of the program's author and have to rely on faith that the software was written with honorable intentions.
Real life borderline examples of spyware on the Mac include the activation systems in Adobe CS2 and Stuffit Deluxe 10, and the Google Toolbar for Firefox. That's not to say that these programs are doing anything particularly evil, but the only difference between what these programs do and what is usually called spyware is that you probably don't mind that this software is phoning home. iTunes likes to phone home too.
Real life borderline examples of spyware on the Mac include the activation systems in Adobe CS2 and Stuffit Deluxe 10, and the Google Toolbar for Firefox. That's not to say that these programs are doing anything particularly evil, but the only difference between what these programs do and what is usually called spyware is that you probably don't mind that this software is phoning home. iTunes likes to phone home too.
I am shocked and dismayed. Here I thought we were all completely immune to such indignities, and now I come to find out that we are subject to the same potential violations as the common pc user! Scandalous! At least it doesn't crash our machines.
Is there anyway to tell how honorable a particular widget is? Does apple screen the widgets available on its site at all? Are there some developers who might pledge not to try anything funny? Also, are we at any more risk of being spied upon by using widgets than merely surfing the web?
Is there anyway to tell how honorable a particular widget is? Does apple screen the widgets available on its site at all? Are there some developers who might pledge not to try anything funny? Also, are we at any more risk of being spied upon by using widgets than merely surfing the web?
spellflower said:
The standards should be pretty much the same for any program running on your computer... since they have as much or more access to information and to the web.
I guess I'm highlighting a potential mechanism for malice... I have never seen evidence of an actual malware widget.
As for your last question, YES. Websites do not have access to information on your hard drive unless you pick a file and upload it. They can't just go hunting for stuff, even if they know where it is, like a widget can. Although a widget has an HTML external wrapper, there is also a resident executable inside most of them -- that application has user level access to files. Not root level, but enough to skim sensitive information.
I think one thing that exists in some PC firewalls like Zonealarm, that would help, is the sort of reverse-firewall, where it tells you what outgoing activity is conducted by any new app and asks if it's okay. If you installed a new widget, then such a protector would ask you if that program accessing that website is okay.
Either that, or a mechanism that forces widgets specifically to divulge their network activity.
The good thing about widgets is that you can easily view the coding behind it. It's all there in your Library (just option-click and choose "show package contents")
You will have to understand javascript/html/and maybe some more advanced scripting languages like php. Javascript will get you far enough to find something out of the ordinary i'd say.
You will have to understand javascript/html/and maybe some more advanced scripting languages like php. Javascript will get you far enough to find something out of the ordinary i'd say.
redeye be said:
There are also compiled binaries in some widgets. For instance, look at:
/Library/Widgets/Address Book.wdgt/AddressBook.widgetplugin/Contents/MacOS/AddressBook
That is the binary portion of the Address Book widget. I don't think you can read what it does in a straightforward way, although I'm sure you could de-compile it.
And that's the part that does things like grab the Address Book's contents through system resource routes.
You could try asking around (perhaps here on MR) if you have doubts about any particular item. Widgets are simply packaged differently, use the same discretion you would before installing any program.spellflower said:
It would be consistent with usual Apple policies for them to remove a listing that they know is bogus, but I wouldn't necessarily take that to mean that they spend a great deal of effort screening in advance. They disclaim responsibility in the fine print at the bottom of http://www.apple.com/downloads/dashboard/
Apple said:
Ha! Just about every software package includes a mile of text disavowing responsibility for anything that may go wrongspellflower said:
They kind of have to at least attempt that in a world obsessed with litigation. Word of mouth and reputations are your best protection here.Generally yes. That said, certain plugins like Flash actually support spying of the old fashioned type! You'll find in the settings when you control-click on some flash things that there is an option to disable your camera and mic, if you have them. (Don't worry too much about this, I think they're disabled by default but it's kind of amusing.)