Should I Download this Application or Update?

Sometimes you might get something prompting you, on your desktop or laptop computer, to download or update an application.  The question is, should you, and (here’s a clue) why not?

The general rule is: don’t accept an offer to do something you weren’t otherwise trying to do.

There, just carry that rule around and you will be safe from this category of attacks.

But for those who want a bit more detail, here are some of the layers below that general maxim:

1. Don’t download any application that you didn’t go looking for

   • If something pops up anywhere offering you something new to download – don’t do it.
   • That is all.

2. Try to only download from the official channels

   • If you are actively looking for an application you want to download, stick to the main official application download channels like the following, which offer at least a bit of protection against malicious apps and updates:
     • Wndows/Microsoft Store
     • Apple App Store
     • Google Play
   • This is of course an example of you trying to do something (ie download an app) so it is consistent with our general maxim.

3. What about updates?

   • In general, updates to applications you already have installed on your system are not really in this risk category.
     • Yes, updates can have security problems with them, and some updates can even be malicious.  But generally if you already have a particular application or component on your system, updates should be considered positive for security, not risky to security.
   • But don’t download any application updates that aren’t offered through the official update channel.
   • There are some examples like the Oracle Java runtime (JRE) and Adobe Flash which pop up and offer to update themselves.
     • Flash is being deprecated this year (2020) and you really should not be using Flash any more if you can possibly avoid it (it is a security nightmare).
     • Java pop-ups normally contain a link which you can transcribe into your browser in order to actively seek out the update from the official Oracle download channel.
     • We do recommend against clicking the OK/download buttons on pop-ups like this.
     • Go find the update download yourself, eg via a Google search, looking for the official download site, if you are otherwise not sure where to find it.