Installing apps on a Mac is generally considered more secure than doing so on Windows, and open source software is often benign, but there are exceptions to both of these assumptions that can do untold damage to your privacy and security.
A recent discovery by Trend Micro provides a striking example of this risk. An open source app designed to help Mac owners with iPhone and iPad app signing has been modified to include a nasty hack that steals data from your Apple Keychain. The original app is called ResignTool, and it is available for free on the popular open source site GitHub. The app is six years old, and both the code and the ready-to-run app can be downloaded from GitHub. That’s not the problem.
The problem arises from how easy it is to access the code, make changes, and upload it elsewhere as if it were the same application. The hacker has to do very little work to deliver his malware under the guise of a genuinely well-intentioned application.
If you make the mistake of downloading a malware-laden version of an open source app, you may be handing over the keys to your Apple kingdom, because your Mac automatically syncs the passwords you’ve stored on your iPhone and iPad to Keychain. Every app and website login could be stolen, including passwords for financial apps and banking websites.
There are common-sense solutions to alleviate these concerns. Enable two-factor authentication on critical apps and websites. If possible, get apps from the Mac App Store, where apps have been tested to be safe. If you download from a website, make sure you know and trust the source. You may also want to find out if your Mac could benefit from antivirus protection.