Is running an app directly after opening .dmg file without installation safer than installing it?
https://apple.stackexchange.com/questions/417664
-
01-06-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
For macos apps downloaded from the Internet, I am kinda paranoid and don't trust most of apps for security reasons, especially I am living in a country which does censorship too much.
I think there are three ways to run an app.
- Open the .dmg file (basically mount it), double click the app to launch it directly.
- Drag it to somewhere else (user space folder) other than the default Applications folder which requires root permission.
- Drag it to the default Applications to install it.
I am wondering if I choose Option 1, can I say it's much safer way than the Option 3?
The above words are my question. The following words are just some optional questions. You can ignore all the following words.
If I choose Option 1, will it cause any issues when running such app? So far, I don't see any issues by using this way.
I am wondering if there are any better options here to run the app in a sandbox? (virtual machine is not an option here because I care about performance too. I don't want to pay extra cpu/ram resources to affect the performance)
Btw, I knew the best way to avoid such problem is to NOT run any apps I don't trust. But this is life, and I have to run the apps which I don't trust, otherwise I can not work and live in my society.
Solution
- Open the .dmg file (basically mount it), double click the app to launch it directly.
- Drag it to somewhere else (user space folder) other than the default Applications folder which requires root permission.
- Drag it to the default Applications to install it.
I am wondering if I choose Option 1, can I say it's much safer way than the Option 3?
None of these methods provide additional protection. If the application intends to do harm, nothing in the options above will stop the harm being done.
If you do not trust an application, the source, or the developers, do not run the application.
If you must run an untrusted application, consider a constrained runtime environment such as a virtual machine. You mention performance rules out the use of a virtual machine; this is a security trade off.
If a virtual machine is not possible, create a separate non-administrator user account and only run the application using that account. This will provide some additional protection but your machine is still at risk.
