Downloading a piece of software can never be 100% safe, but there are some things that could make something less risky. Some things that seem important to me are whether the project is open-source, how wide its user base is, and whether the developer(s) make their public identity known, and whether it’s on a secure platform like GitHub (I’m assuming GitHub tries to have good security).
One of my main ones and something that’s extremely overlooked is sandboxing. On macOS enabling the sandboxing is optional for developers, so most of them choose not to if they’re not distributing on the App Store.
On Linux you have flatpak and snap, but even if developers choose to distribute using those they tend to give very broad sweeping permissions to their app by default.
On windows there’s not a great solution for sandboxing at the moment but they’re working on Win32 App Isolation.
How do I tell whether a software allows sandboxing? I use Linux.
Does this work for any piece of downloaded software, not just ones from the app store?
Flatseal should work for any Flatpaks, you can also use the terminal to manage their permissions. I think in Ubuntu it shows you each Snap’s permissions in the settings? I haven’t used Ubuntu in a long time sorry.
There’s usually a mix of Flatpak/Snaps and like “native” packages so it won’t work for those.
I believe snaps offer permission prompting like android/ios but you have to enable the feature. I think it’s experimental?
To answer the main question as briefly as possible, open-source software.
For extra peace of mind, using Android as example. Once I have downloaded an apk from Github, I check it’s SHA-256 to make sure it matches.
Then I submit the apk file through to VirusTotal to scan, to see if it flags up any know malicious code.
Obviously this isn’t bulletproof, but something you could do if you need extra reassurance.
Is UWP dead?
Yes, it’s deprecated since quite some time now.
In classic windows fashion lol. I hope Win32 app isolation has more staying power.
Personally, vendor reputation and any recent ownership changes are the most important. Oh! Sometimes the country of the vendor.
Vendor reputation: Once Norton started installing crypto miners with their software they lost all credibility. Avast is also part of that conglomerate and they were fined for selling users’ data without consent.
Ownership changes: The developer of “I Don’t Care About Cookies” browser extension duly informed users of its acquisition by Avast. But trust issues with Avast/Gen Digital conglomerate led to a fork, “I Still Don’t Care About Cookies”
Vendor Country: Many people think Kaspersky is under FSB influence. Some people don’t trust Ventoy because the dev is based in China. Ventoy is opensource but some users raised security concerns. The source tree contains binary blobs without source code. If the dev was based in the West, I don’t think the blobs issue would be a big deal.
It will only work for Flatpak, and nearly all public Flatpaks are uploaded to Flathub.
But the permission system of Flatoaj itself, is independent of the store