What are the best Mac exclusive apps

Safer Internet Day: The 10 Best Security Tips for Mac

Peter Müller, Keir Thomas

The Mac is safe - but only as much as the security risk in front of the screen allows. This is the best way to protect yourself against hackers, malware, scammers and eavesdroppers.

Safer Internet Day is always on the second day of the second week of the second month. So this year on Tuesday, February 9th. On the occasion of tomorrow's action day, here are our best tips for safe surfing with the Mac.

The year 2021 got off to a good start in terms of internet security: The Flash player was finally history on January 1st, even the manufacturer Adobe has recognized this and advises all users against installing the software. This means that one of the most common threats to the security of the Mac is as good as eliminated: Most malware installs itself only with the help of the user, for example by falling for a supposed flash installer, which of course asks for the account password, but completely other things installed that can cause great damage.

Often the biggest problem is in front of the screen, but people are fallible - otherwise they would not fall for telephone fraud. Apple tries to minimize the risk as much as possible. For the iPhone and iPad, software is only available from the secure source of the App Store, and it is becoming increasingly difficult to install programs of unsafe origins on the Mac, too. The Mac App Store is not an exclusive source for software, but developers should at least be certified by Apple and thus classified as trustworthy before downloading and installing their apps. You should only bypass protective measures such as gatekeepers and notarization at your own risk.

Apple's systems are ultimately not free from gaps, but the manufacturer regularly delivers updates for iOS, iPadOS and macOS patches that close known problems. Hackers rarely win the race and can shoot through a new gap in the defensive ring before the update released by Apple jumps into the breach.

So everything is fine? Yes and no - because the Mac is not as plagued by malware as Windows systems, which may also be due to the lower prevalence of macOS. But there is nowhere absolute security and a chain is only as strong as its weakest link.

In the following, we give eleven tips that you should follow in order to be as safe as possible with your Mac.

1. Switch on the firewall

The first and most important measure for more security should be to activate the firewall built into the Mac operating system - especially if you have a Macbook. It is particularly useful in third-party WLAN networks, so to be on the safe side you shouldn't have to switch it on when you are out and about. The firewall prevents unwanted incoming network connections, but only if it is switched on. This is usually not the case on the Mac - for whatever reason. The firewall is up and running quickly, open the system settings and click on the "Security" module and then on the "Firewall" tab. You still need a click on the lock symbol at the bottom left, followed by a password. In the options, you now have the option of defining the behavior of individual apps and, above all, of activating the stealth mode. This makes your Macbook practically invisible in public networks such as in a café.

EnlargeOnly the most necessary sharing settings should be active.

For even more security, you also have to block outgoing network traffic, which is useful if you are afraid that you have already caught malware. This can then no longer "phone home" and transmit confidential data to the attacker. Unfortunately, the Mac does not provide any on-board tools for this - numerous included programs have to communicate with Apple's servers in order to function optimally. But software from third-party manufacturers such as Little Snitch or Hands Off takes care of the exit control - and allows legitimate software to communicate with the outside world.

2. Look closely at the releases

Let's take care of a second system setting, the shares. In an office or home office environment in particular, you want Macs to exchange data with each other or to provide each other with services. This is all regulated by the releases in the system setting of the same name. If you create a share - this can go as far as access to your own screen - it is like installing a window or a door in the Mac. It is true that you first have to push the curtains aside, open the door or hand over a key so that authorized persons can actually use it. But a door is just a door that you should always keep closed when you don't need it. Perhaps it is half open because the lock is not secure, or the tilted window can be easily levered out. To put it simply: turn off any shares that you don't need.

EnlargeOnly the most necessary sharing settings should be active.

To do this, open the "Approvals" system setting and, if in doubt, remove all ticks. But be careful, you or your system administrator may have made some settings in the company network on purpose - in this case you should think twice or ask. The shares enable the following:

Screen sharing: Administrators will use this to remotely diagnose and repair any problems or to install updates. This can also be done from Linux or Windows computers via VPN. Before the admin gets access to your machine, however, he must first obtain approval, which you confirm or reject with a click. No administrator, no company network or out and about somewhere? Turn off screen sharing!

File sharing: It can be used by other computers to access your Mac's files. Specifically, file sharing enables the SMB, AFP and NFS protocols. Neither you nor others need access to the computer from the local network or via the iCloud: Switch off!

Share media: If you want to use your Mac as a central storage for music, films, photos and more and possibly also make your median available to third parties, this release is suitable. In times of Apple Music and Apple TV +, this function is rarely used - so switch it off.

Printer sharing: In a local network with several Macs, one printer is completely sufficient. Then and only then must printer sharing be activated on the Mac on which the printer is attached. A simple USB printer becomes a network printer and everyone can print over it as long as the computer is running. On all other Macs, you can safely leave printer sharing switched off. You can of course connect your USB printer to a router like the Time Capsule, but that's a different matter.

Remote login: This is more for techies who log into their Mac remotely via SSH / SFTP in order to do work there via the command line. If the description does not apply to you: Switch off.

Remote administration: Only activate it if an administrator needs access for maintenance work in your company network, otherwise always leave it switched off.

Removed Apple Events: By no means are Apple's events in San Francisco, which is so far away from us, but a relic from the old days. The Apple events and Apple Script can be used to get other computers to do certain things. This is not limited to sensible jobs like printing, you can also make the computer chatter remotely with the help of speech synthesis. If you suspect experienced pranksters in your area and don't want to be scared to death: switch off.

Internet sharing: Another relic from the times of dial-up connections, in which one computer was connected to the Internet and the others could use the connection (via Ethernet or another cable connection). In times of WLANs that are available everywhere, they are rarely used, so you can switch off without hesitation.

Bluetooth sharing: If you want to use an Android smartphone with the Mac, you only need the iPhone and iPad not to transfer any data to the Mac via Bluetooth.

Content caching: This release is new since macOS High Sierra and is therefore still relatively unknown. All the better, it is easier to switch off, or to switch it on not at first. However, the setting is useful for installing updates on multiple devices. For example, a Mac on which this share is activated has system updates available for other Macs or iOS devices. You only have to download the update (or other content) from Apple's servers once and you can distribute this to other machines in your own network - this is then faster and saves bandwidth. Optionally, you can also share the Internet connection with iOS devices connected via USB - useful, for example, if the Mac is connected to a LAN but no wireless LAN is available. If you don't need all of this: switch off or not switch on at all.

For old Macs with a DVD drive or Superdrive, you will also see the DVD Sharing option. If this option is active, you can insert a DVD into a computer with a DVD drive and use it from a Mac without a DVD drive. Apple removed the last Macbook pro with a DVD drive in 2017.

3. Set firmware password

If the Mac is protected by a password or, even better, by Filevault encryption, third parties have no access to the data - provided the code is strong enough. Nevertheless, they can cause harm. Because the Mac can be booted from an external UBS stick - and all data can be deleted, for example by reinstalling macOS. This prevents the firmware password, which is only required to be entered if the Mac is to be started in this rather unusual way from a USB stick or the rescue partition. And you have to set the firmware password for the rescue partition, which has been part of a Mac installation since OS X 10.7 Lion. Start the Mac and hold down the cmd and R keys until the progress bar appears below the Apple logo. Find the tool of choice under the Utilities> Firmware Password Utility menu. But be careful: if you forget your firmware password, only Apple will be able to unlock the computer.

EnlargeA firmware password prevents the Mac from being started from an external medium.

4. Activate guest user

Up to this point, we have generally advised that functions should be turned off. It is the other way around for the guest user, which you should definitely activate. This is obvious for your computer at home: You may want to have a visitor do some research on the Internet or have his correspondence done via a webmailer: Offer him the guest user, he will then not be able to see your data, either intentionally or unintentionally. But the guest user is also worth gold for your Macbook when traveling. Because if you leave your mobile computer somewhere and an honest finder logs in via the guest user and goes to the Internet with Safari, the iCloud service reports "Where is?" where your computer is located and displays a message that you have specified on the screen. Without guest users, it will be difficult to get back a lost Mac.

EnlargeThe guest user helps track down lost Macs.

5. Seal possible security holes in Filevault (systems before Sierra)

(Applies only to older systems prior to macOS 10.12 Sierra) A successful attack is not known, but you never know: If you put a Macbook to sleep by closing the lid, the password for Filevault is stored in the RAM. Theoretically, someone could read this out and restore the password. To do this, however, deep knowledge and sophisticated methods are necessary, if that is to be achieved at all. So there is definitely no way for curious fellow students or casual thieves to get to the user's data. At best, government agencies would be able to do something like that.

If you are suspicious, however, Filevault can prevent the password from being stored in RAM. The consequence is bearable, if you wake the computer from sleep, you may have to enter your user password twice - and the Mac takes a little longer to wake up again.

EnlargeDeep sleep (hibernate) instead of hibernation: Here's how.

After all, he comes out of deep sleep or hibernate mode, into which we send him instead of just hibernating. So that the Macbook sleeps deeply when the lid is closed and not just dozes and does not save the password in the RAM, you have to enter the following command in the terminal:

You can undo this with the following command:

Both changes only take effect after a restart.

6. Check persistent applications

On the Mac, all kinds of apps work inconspicuously in the background, from the start of the computer until you turn it off, so-called persistent apps. These include the update checkers from Google and Microsoft, which are only noticed when they have found an update for one of the installed programs. Likewise, a number of persistent apps come onto the machine with the Creative Cloud. But malware also uses such techniques in order to be able to fly under the user's radar. Unfortunately, active applications can be hidden practically anywhere on the computer when the system is started, not just in the start objects. Monitoring the Mac for such changes is a mammoth task. But there is a remedy in the form of two tools. Knockknock, for example, checks the points in the system in which persistent apps could hide and shows the user what is going on there and who is acting there. However, Knockknock cannot provide any information as to whether the programs found are actually malware. But if you see anything besides the tools from Adobe, Apple, Microsoft and Google, you can still search the Internet to find out what the suspicious function is.

EnlargeUnfortunately, Knockknock does not reveal whether the persistent apps found are harmful.

The menu bar tool Blockblock comes from the same manufacturer. It monitors the same folders, but then reports if an application wants to persist there. But even block block is not a malware scanner, whether you allow an app to be installed or not, you have to decide for yourself - and google your decision-making basis in case of doubt.

7. Use virus protection software

Of course, the Mac is by no means such a virus-ridden platform as the Windows PC. Even Mac users who never exchange data with Windows users - including a virus that is harmless to them but a highly dangerous virus for the communication partner - should regularly use virus scanners. It's almost like in real life: you can also pass on dangerous viruses without noticing anything yourself. After Flash has ended, Java remains on the Mac as a gateway for malware, but one cannot and does not always want to deactivate this component. We have meticulously determined in the Macwelt test center which tools are good, what they cost and what benefits they bring.

8. Use two-factor authentication

Nice, so the Mac is secured, but what about iOS devices? Due to the special software architecture and the watchdogs in the App Store, the topic of malware for iOS is an even smaller one, especially since the effectiveness of security software for iPhone and iPad is enormously limited. It is best to protect your iPhone and iPad with a password that is as secure as possible and not just a four-digit PIN. However, the six-digit passcode already offers a plus in security.

A thief or a dishonest finder can then actually do nothing with a lost iPhone. Unless he succeeds in finding out the password of the iCloud account linked to the device and thus not only being able to access user data, but also being able to reset the iPhone and set it up again for himself. So strong passwords are important, "password", "123456" and "apple" are more than weak passwords.

With the two-factor authentication (2FA), which Apple has activated since iOS 9.3 (previously there was confirmation in two stages), you can effectively prevent thieves or lost property from changing the iCloud password. Because the mere attempt to log in to a new browser triggers a warning that appears on all other devices of the legitimate owner. Only when he confirms this (on a device) can the login be successful with the correct password. For example, if you get such a message on your Mac and, when you reach into your jacket pocket, discover that the iPhone is gone, there is only one thing you can do: decline. And then search for the missing iPhone via iCloud. You can then delete the device remotely, but it can no longer be found afterwards.

EnlargeTwo-factor authentication in action

Read here how to set up two-factor authentication and how it differs from verification in two stages. Not only Apple offers such a security function, also other providers such as Google, Dropbox or Microsoft. In any case, it is advisable to use the 2FA if it is offered.

9. Use VPN

Encrypting DNS is of little use if you are using your Macbook in a public network, in a café, on the market square, in the town hall. Eavesdroppers could tap your data and put you in serious trouble. So that it doesn't get that far, you can encrypt your entire Internet session by using a VPN (Virtual Private Network). You connect encrypted to the VPN provider's server, which only then forwards your inquiries to websites and services; eavesdropping becomes pointless. The intermediate station VPN does not noticeably slow down your Mac.

EnlargeVPN provide encryption and disguise your location.