Are you getting more than you bargained for from free software? Wayne Williams explains how to download the programs and apps you want, without any nasty surprises
When we look for programs to include in our Best Free Software section each issue, we endeavour to find software that is new, free and not dangerous to your PC’s health. Unfortunately, these days a lot of free downloads come bundled with ‘crapware’ or have limitations that might not be immediately obvious at first glance. A system tool might, for example, find problems with your PC, but require you to upgrade to a paid-for ‘pro’ version before it can fix them. Is it unreasonable to expect something that is described as ‘free’, to actually be free? We think not, but fortunately there are ways of avoiding the various tricks and traps to ensure that you only download ‘pure’ free software and apps.
In this feature, we provide tips and advice on avoiding unwanted extras, look at how ‘free’ apps might end up costing you a small fortune, and reveal how to find out if a program is clean or not, before you download it.
Why you can't trust download sites
When you want to download a free program, you can either get it from the author’s site, or from a public software repository such as Download.com (download.cnet.com). Developers like to have their programs hosted on these sites, because it reduces the amount of bandwidth they have to pay for. If a developer is offering a free program, every time someone downloads it from their site, it eats into their bandwidth allocation, and may cost them money. But if someone downloads it from another source, they don’t have to worry about bandwidth costs, and can also get the program to many more people than they would from hosting it privately.
Sadly, in recent years, sites you could once trust to give you the software you want without any catches have turned to the dark side. This is primarily because they need to cover their costs and advertising may not generate enough revenue. As a result, the majority of download sites now offer programs with bundled crapware, or PUPs (potentially unwanted programs). Download.com is probably the worst offender, because it uses its own installer, provided by parent company CNET. This offers a ton of unwanted and often intrusive junk before you even get to install the software you want, and makes rejecting the bundled extras difficult by using sneaky tricks, such as making the ‘Decline’ button appear greyed out. Thankfully, not every program on Download.com uses this installer, but a huge proportion does, despite widespread criticism. As a rule, if the Download Now button for a program has Secure Download below it, you’ll be fine, but if it’s labelled Installer Enabled you should click the ‘Direct download’ link instead. If you can’t see one, get the program from another site instead.
Interestingly, we’ve found that downloading programs in Chrome seems to bypass the Download.com installer in most (if not all) cases. But if you use Firefox or another browser, you should be extra careful. As an experiment, we downloaded the media player KM Player from Download.com in Firefox, by clicking the Installer Enabled download link. If we hadn’t clicked Decline when installing the program, our homepage, search engine and New Tab page would have been changed to Yahoo in all our browsers.
Tucows (www.tucows.com) also bundles junk with the programs it offers for download, and has been described by the tech-tips site How-To Geek as “an abomination that should be removed from the internet - almost everything in their top downloads list is a scammy fake scareware application” (bit.ly/tucows369). Even the respected open-source repository SourceForge has a scheme called DevShare (sourceforge.net/devshare) that pays developers if they agree to allow their software to include “other relevant offers” during the installation process. Many developers who are struggling to make ends meet find it hard to say no to a program that promises to turn “project downloads into a source of recurring monthly revenue”, especially if all they have to do is agree to let it happen. However, other developers dislike the deceptive nature of the bundling process and prefer to fund the development of their free software through voluntary donations.
Even download sites that don’t wrap programs in their own crapware-infested installers can’t be fully trusted. The problem is that, even if a download site plays things as straight as possible, it may still offer programs with bundled extras, purely because so many ‘freeware’ developers now go down the bundleware route to make money. The download sites might (and should) alert you to the fact that a program comes with ‘offers’, but the chances are they won’t shout about it, so you’ll need to keep your eyes peeled.
How to avoid unwanted extras
Where possible, don’t download programs from sites such as Download.com or Tucows, but instead get them from the software author’s site. This won’t guarantee that they are free from bundled junk, but at least you won’t have to worry about a third-party installer serving up adware or other unwanted surprises. Some programs come in both installer and portable versions: for example, Web User favourite CCleaner offers a choice of ‘builds’ at www.piriform.com/ccleaner/builds. Selecting the portable option will ensure you get only the software you want, because there’s no way for bundled programs to be installed if there’s no installer in the first place. If you can’t find a portable version on the author’s site, try browsing the impressive selection of installer-free software at PortableApps.com (portableapps.com).
Another option is to download and install software through Ninite (ninite.com). This excellent site offers the latest versions of dozens of popular programs including web browsers, messaging tools, media players, imaging software, security programs, online storage and more. Select all the software you want from the website and click Get Installer. Ninite will then generate a single installer that will install your chosen programs in the simplest way possible, and without any fuss. Most importantly, all the programs offered are completely free of bundled toolbars, browser hijackers and other rubbish. You won’t find everything you want at Ninite, but it’s a more trustworthy means of downloading big software names than the likes of Download.com. Alternatively, try Chocolatey (chocolatey.org), which isn’t as simple as Ninite (it uses the Command Prompt in Windows rather than a standard interface), but is even faster. It lets you download junk-free installers for thousands of popular programs from its website, including Adobe Reader, Paint.NET and VLC Media Player, by entering a command such as choco install vlc. Chocolatey takes a while to get used to, but it’s an effective means of avoiding devious installers.
When you download a program installer from a website, it’s vital to pay close attention during the installation process - don’t just keep blindly clicking the Next button. Always select the Custom install option, rather than the standard (‘recommended’) choice as this will reveal any hidden, automatically installed rubbish. It’s also worth installing the brilliant free tool Unchecky (unchecky.com), which runs quietly in the background and only springs into life when you try to install a program that includes bundled junk. It automatically deselects any pre-ticked boxes that aren’t relevant to the software you’re installing, and additionally blocks any potentially unwanted system or browser changes. You do still need to keep your wits about you while installing programs, because as good as Unchecky is (and it’s updated regularly), it isn't infallible and can miss things.
Download free software not ‘freemium’
There used to be three main categories of software - free, paid-for, and demo/shareware, but now there’s another to watch out for. Freemium, first coined in 2006, is a term made up from the words ‘free’ and ‘premium’, and describes software which is free to use, with no time restrictions, but which offers paid additions that expand or improve the experience. Freemium games are a great example of this model. The game is given away free, and can be played without costing you a thing. However, you’re likely to have limited resources that quickly run out, which means you have to keep taking breaks from playing while you wait for them to build up again. The process can be speeded up by spending real money - again and again. Other freemium games charge money for supplementary items, such as character clothing. A freemium game might be free to download, but you can end up spending a fortune in the long run, especially as many of these games are aimed at younger players who may not think twice about how much their in-game purchases are costing mum and dad. Only a small percentage of freemium users end up buying something, according to Freemium.org (www.freemium.org), but those that do can get milked for every penny.
It’s not just games that use the freemium model - there are plenty of programs which are free, but which charge you for additional features. These aren’t as bad as freemium games, however, because the upgrades tend to be a one-time thing, rather than a regular occurrence.
The trick to avoiding these is to look out for telltale ‘Buy Now’ links on the website and in the software. Make sure you find the right download button for the free version (some developers produce free and freemium versions of their software, but make the former harder to find). Instead of using Google to find programs, use a trusted source such as AlternativeTo (alternativeto.net), which highlights whether a program is commercial, free, open-source or freemium.
Avoid apps with in-app purchases
Late last year, the Apple App Store replaced the ‘Free’ button next to iOS apps with no upfront cost with a ‘Get’ button. That’s because many so-called ‘free’ apps have a cost in the form of in-app purchases. When browsing the store, you’ll see there are three variations of this ‘Get’ button. There’s the plain ‘Get’, which denotes an app is free, there’s ‘Get+’ (a small plus sign in the upper left corner), which means the app is universal and available for iPhone and iPad, and then there’s ‘Get - In-App Purchases’, which means - you guessed it - that you might have to spend money at some point.
If you’re browsing the App Store on your iPhone or iPad, select the item you’re interested in and scroll down to the In-App Purchases section. Open this to view the list of potential costs. If you’re viewing the store in iTunes, the In-App Purchases are listed on the left.
Although you may be able to resist spending money on these extras, it’s likely that your children or grandchildren won’t be as strong-willed. Obviously, they’ll need to know your App Store password (or for you to be logged in permanently), but if you want additional protection you can disable in-app purchasing altogether. Go to Settings, General, Restrictions and tap ‘Enable Restrictions’. You’ll be prompted to enter a Restrictions Passcode. This should be different from the passcode you use to unlock your device. Scroll down and make sure ‘In-App Purchases’ is selected. If you want to disable purchasing completely, turn off ‘iTunes Store’, ‘iBooks Store’, and ‘Installing Apps’.
If you have an Android device, apps that offer in-app purchases will be labelled as such. You can see a summary of costs listed under ‘In-app Products’ in the ‘Additional Information’ section of the app description. It might not tell you exactly what each purchasable item is, or its cost, but instead provide a price range from the cheapest to the most expensive. Additionally, before you install something through the Play Store app on your device, you’ll see the in-app purchases listed on the ‘App permissions’ screen.
To prevent in-app purchases on Android, Google recommends password-protecting the Play Store app. Open the app, tap the Menu icon and open Settings. Select ‘Require authentication for purchases’ and choose ‘For all purchases’.
Scan files for surprises before downloading
Downloading a program you’ve never heard of, from a site you’re not familiar with, is a risky business. Although your anti-virus software should protect you from any hazardous malware, there are steps you can take before you even get to the downloading stage. The free online tool VirusTotal (www.virustotal.com), which is owned by Google, can check any file against more than 50 top anti-virus engines, including big names such as AVG, Bitdefender, F-Secure, Kaspersky, Malwarebytes, Panda and Sophos. But more importantly, it can check a site or download URL, so you can be sure the file is safe before you click the Download button. Just copy and paste the web address into the box and click ‘Scan it!’.
If you want to make sure a file hasn’t been tampered with - for example, when malware has been added to a harmless program - you can use MultiHasher (www.abelhadigital.com/multihasher) to calculate its ‘checksum’ (a unique identifying code) and compare it with the value the developer publishes; if the file has been changed, the two won’t match. The program also lets you run a query through VirusTotal.
Program installers usually display an EULA (End User Licence Agreement) at the beginning of the installation process. If you check this carefully - something few of us do, unfortunately - you might find a second EULA for an ad network, which is responsible for bundling crapware with the program you want. OpenCandy is notorious for this. To avoid being tricked by crafty EULAs, you can use the excellent free tool EULAlyzer (bit.ly/eulalyzer369) to skim through the agreement for you. It will display any potential areas of concern in the EULA, so you can abandon installation if the terms sound suspicious.
Look out for verified clean software
People are understandably wary of downloading free software when there’s the risk of getting unwanted junk bundled in with it, and there’s usually no way of knowing whether a download is free from crapware until you come to install it. This is where initiatives like the Clean Software Alliance, a proposed initiative from Microsoft and the Anti-Malware Testing Standards Organisation (www.amtso.org), come in. The idea is that if a software firm agrees not to bundle unwanted extras with their programs, they can display a logo that shows their applications to be clean. Digital Exhaust and Coordinated Malware Eradication are similar ideas.
Unfortunately, not much seems to be happening with these initiatives at the moment, but hopefully things will progress in the future.
Many download sites also display ‘100% clean of malware’ verification badges next to programs, although that doesn’t necessarily mean that they won’t come with bundled extras.
NAMED AND SHAMED - 5 of the worst bundled surprises
uTorrent
The popular BitTorrent client uTorrent included a Bitcoin-mining tool called Epic Scale in its installer, which uses a host’s system to earn money for third-party companies.
Superfish
Chinese computer giant Lenovo bundled Superfish adware on a number of its consumer notebooks last year, and it’s also been detected in more than 200 browser add-ons (bit.ly/superfish369). Superfish breaks HTTPS security, making webmail and online banking vulnerable.
Comodo
Security firm Comodo promoted a program called PrivDog which replaces adverts in web pages with its own ads from ‘trusted sources’ and which, like Superfish, breaks the security of HTTPS connections. Comodo didn’t distribute the dangerously insecure version of the software, but the fact it did distribute a version is bad enough.
Lavasoft
Publisher Lavasoft used SSL Digestor, a flawed traffic interception engine from Komodia, in its Ad-Aware Web Companion privacy software. The same sub-component was used in Superfish. Even after it was removed in an update, traces remained.
CNET
The owner of popular download site Download.com was found to be including several HTTPS-hijacking adware programs in its installers. You can read more about it at How-To Geek (bit.ly/howtogeek369).
Worried that you might be affected by one or more of these nasty surprises? Go to filippo.io/Badfish/ and it will test your browsers for these vulnerabilities.