How to Check If a Mac App Is Legitimate Before Installing

Hassanain

Downloaded an app from a sketchy website last week? That sinking feeling in your stomach isn't paranoia — it's your instincts telling you something's off. The truth is, checking if a Mac app is legitimate before installing it takes about five minutes, but most people skip this step entirely.

I get it. You need that app now, you found a download link, and Apple's built-in security feels like enough protection. But here's what I've learned from building Mac security software: Gatekeeper and XProtect catch the obvious stuff, but there's a whole spectrum of questionable apps that slip through.

When I was testing CoreLock's process scanner, I discovered just how many apps were running on my Mac that I couldn't remember installing. Some were legitimate but poorly signed. Others were... well, let's just say I'm glad I caught them when I did.

Understanding Mac App Signatures and Notarization

Every Mac app distributed outside the App Store should have two things: a valid code signature made with a Developer ID certificate, and Apple notarization. Think of the signature as the app's ID card and notarization as Apple's stamp saying the build was scanned. (App Store apps are signed by Apple during review instead, so they skip this pair of checks.)

The signature tells you who built the app and lets macOS detect any change to the bundle after it was signed. Notarization means the developer uploaded the build to Apple's notary service, which scanned it for known malware and checked that it meets Apple's requirements (hardened runtime, secure timestamp), then issued a ticket that is usually stapled to the app. Neither guarantees the app is safe: a signature only proves who signed, and the notarization scan only catches what Apple already knows about. But both are basic hygiene checks that legitimate developers complete.

Here's how to check whether an app is properly signed. Open Terminal (no need to cd anywhere, the command takes a full path):

codesign -vv /Applications/YourApp.app

Replace "YourApp.app" with the actual app name. If everything's good, you'll see something like:

/Applications/YourApp.app: valid on disk
/Applications/YourApp.app: satisfies its Designated Requirement

If the signature is missing, broken, or the bundle was modified after signing, codesign prints an error instead (for example "code object is not signed at all" or "a sealed resource is missing or invalid") and exits non-zero. That's an immediate red flag. Note that this checks the outer bundle; adding the --deep and --strict options also verifies nested helper apps and frameworks, which is where a tampered build most often fails.

To check the Gatekeeper assessment, which includes notarization status, use:

spctl --assess --verbose /Applications/YourApp.app

A properly notarized app will show:

/Applications/YourApp.app: accepted
source=Notarized Developer ID

Other results you may see: "accepted" with "source=Mac App Store" for store apps, "rejected" with "source=Unnotarized Developer ID" for an app signed with a Developer ID certificate but never notarized, and "rejected" with "source=no usable signature" for an unsigned app. spctl evaluates the app whether or not it was ever quarantined, so it is a more reliable check than waiting to see which dialog appears.

Verifying Developer Identity

Knowing who built an app matters more than you'd think. Legitimate companies and individual developers put their real names on their code signatures. Scammers often use generic names or try to impersonate well-known developers.

You can dig deeper into the signature details with:

codesign -dv --verbose=4 /Applications/YourApp.app

This shows the developer's full certificate information. The lines that matter are the Authority= entries, which list the certificate chain leaf first: you want "Authority=Developer ID Application: Name (TEAMID)", then "Authority=Developer ID Certification Authority", then "Authority=Apple Root CA". A chain that ends anywhere other than Apple Root CA means Apple never issued that certificate, whatever name is printed on it. The TeamIdentifier= line is the 10-character Team ID Apple assigned to the developer; it should match the one in parentheses on the leaf and, for a well-known developer, the Team ID on their other releases. The developer name should match the company or person you expect.

I've seen fake certificates trying to mimic popular developers. Usually there's a small typo or the certificate authority is wrong. If something feels off about the developer name, trust that instinct.

Honestly, this is where it gets a bit tricky. Some legitimate open-source projects ship builds that are ad-hoc signed (codesign reports "Signature=adhoc" and "TeamIdentifier=not set") or signed with a self-signed certificate, because nobody paid for a Developer ID. Those look like unsigned apps to Gatekeeper and give you no proof of who built them; if you trust the project, verify the download some other way, such as a hash or signature published in the official repository. You'll need to use judgment here.
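The certificate-chain reading described in this section, as an added shell example that is not CoreLock's code or anything from the original article. It parses the text that codesign -dv --verbose=4 prints (to stderr, hence the 2>&1 in the wrapper), classifies the signer, and pulls out the Team ID and hardened-runtime flag. The two sample outputs are constructed for hypothetical apps; Example Corp and the Team ID ABCDE12345 are made up. Only inspect_app needs a Mac; the parsing functions run anywhere.

```sh
#!/bin/sh
# Added example (not CoreLock's code): parse `codesign -dv --verbose=4` output
# and classify the signing identity the way the section describes.

# Constructed sample output for a hypothetical Developer ID-signed app.
# Example Corp and team ID ABCDE12345 are made up.
SAMPLE_DEVID='Executable=/Applications/YourApp.app/Contents/MacOS/YourApp
Identifier=com.example.yourapp
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Jan 2025 at 00:00:00
TeamIdentifier=ABCDE12345
Runtime Version=14.0.0'

# Constructed sample for an ad-hoc signed build (what `codesign -s -` produces):
# no certificate, no team, no hardened runtime.
SAMPLE_ADHOC='Executable=/Users/me/Downloads/Tool.app/Contents/MacOS/Tool
Identifier=Tool-555549441
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=500 flags=0x2(adhoc) hashes=10+3 location=embedded
Signature=adhoc
TeamIdentifier=not set'

# classify_signature: codesign output on stdin; prints one of
#   developer-id  leaf is "Developer ID Application", chain ends in Apple Root CA
#   app-store     leaf is "Apple Mac OS Application Signing" (App Store copy)
#   adhoc         ad-hoc signature, no certificate at all
#   other         anything else: self-signed, Apple Development cert, broken chain
classify_signature() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q '^Signature=adhoc$'; then
    echo adhoc
    return 0
  fi
  leaf=$(printf '%s\n' "$out" | grep '^Authority=' | head -n 1 | sed 's/^Authority=//')
  root=$(printf '%s\n' "$out" | grep '^Authority=' | tail -n 1 | sed 's/^Authority=//')
  chain_ok=1
  [ "$root" = "Apple Root CA" ] || chain_ok=0
  case "$leaf" in
    "Developer ID Application: "*)
      # The intermediate must be Apple's Developer ID CA, not some other Apple CA.
      printf '%s\n' "$out" | grep -q '^Authority=Developer ID Certification Authority$' || chain_ok=0
      [ "$chain_ok" = 1 ] && { echo developer-id; return 0; }
      ;;
    "Apple Mac OS Application Signing")
      [ "$chain_ok" = 1 ] && { echo app-store; return 0; }
      ;;
  esac
  echo other
}

# team_id: the Team ID Apple assigned to the signer ("not set" for ad-hoc).
team_id() { sed -n 's/^TeamIdentifier=//p' | head -n 1; }

# signer_name: the human-readable name on a Developer ID leaf, if any.
signer_name() {
  sed -n 's/^Authority=Developer ID Application: \(.*\) (\([A-Z0-9]*\))$/\1/p' | head -n 1
}

# hardened_runtime: succeeds when the CodeDirectory flags include "runtime",
# which notarization requires; fails otherwise.
hardened_runtime() { grep -q '^CodeDirectory .*flags=0x[0-9a-f]*([^)]*runtime'; }

# inspect_app: run the real codesign on a bundle path (macOS only).
inspect_app() {
  command -v codesign >/dev/null 2>&1 || { echo "codesign not available" >&2; return 2; }
  details=$(codesign -dv --verbose=4 "$1" 2>&1)
  printf 'kind=%s\nteam=%s\nsigner=%s\n' \
    "$(printf '%s\n' "$details" | classify_signature)" \
    "$(printf '%s\n' "$details" | team_id)" \
    "$(printf '%s\n' "$details" | signer_name)"
  if printf '%s\n' "$details" | hardened_runtime; then
    echo "hardened-runtime=yes"
  else
    echo "hardened-runtime=no"
  fi
}
```

The check deliberately keys on the chain rather than on the name: a lookalike name on a self-signed certificate still fails because its last Authority line is not Apple Root CA, and a genuine Apple-issued certificate with the wrong intermediate (an Apple Development cert, for instance) is reported as "other" rather than as a Developer ID.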

The Gatekeeper Dialog: What It Really Means

When you first open a downloaded app, Gatekeeper shows you one of several possible dialogs. Understanding what each one means can save you from installing malware.

The best-case scenario for something you downloaded is the mildest dialog: "[App Name] is an app downloaded from the internet. Are you sure you want to open it?", with a note that Apple checked it for malicious software and none was detected. That is what a notarized Developer ID app shows on first launch. You get no dialog at all only when the file never carried the quarantine attribute, which is normal for App Store installs but worth a second look for a download (something stripped the attribute, or it was unpacked by a tool that doesn't set it). "Apple checked it" means the notarization scan found nothing, not that Apple vouches for the app.

More serious is the block for an app that is signed with a Developer ID but not notarized. Before Sequoia the wording is "[App Name] cannot be opened because the developer cannot be verified"; Sequoia instead says Apple could not verify the app is free of malware. These apps are not necessarily malicious, but Apple hasn't scanned them, and the developer chose not to (or could not) notarize.

The unidentified-developer dialog, "[App Name] cannot be opened because it is from an unidentified developer", means the app carries no Developer ID signature at all: unsigned, ad-hoc signed, or self-signed. Don't run it unless you absolutely know what you're doing.

If you see one of the block dialogs and still want to proceed, you can override Gatekeeper by going to System Settings > Privacy & Security and clicking "Open Anyway" next to the security warning (the button only appears after an attempt was just blocked). On Sequoia this is the only route; the old Control-click > Open shortcut is gone. But seriously, think twice, and run the codesign and spctl checks first.
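The relationship between the spctl verdict, the quarantine attribute and the dialog you get, as an added shell example (not CoreLock's code or the article's own). Gatekeeper only evaluates files carrying com.apple.quarantine, which browsers set on downloads, while spctl evaluates regardless, so the two together predict what a double-click will do. The verdict texts and the quarantine value are constructed samples; Example Corp, the Team ID and the UUID are made up. Only assess_app needs a Mac.

```sh
#!/bin/sh
# Added example (not CoreLock's code): turn `spctl --assess` output and the
# quarantine attribute into the Gatekeeper outcome described above.

# Constructed sample verdicts for hypothetical apps, in the `spctl -a -vv`
# line format (verdict on line 1, then source= and origin= lines).
VERDICT_NOTARIZED='/Applications/YourApp.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

VERDICT_UNNOTARIZED='/Applications/OldApp.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

VERDICT_UNSIGNED='/Users/me/Downloads/Mystery.app: rejected
source=no usable signature'

# Constructed quarantine value: flags;hex timestamp;downloading agent;UUID.
QUARANTINE_SAMPLE='0083;66f1a2b3;Safari;7B6F1C2E-3D4A-4F5B-9C8D-0E1F2A3B4C5D'

# gatekeeper_outcome: spctl output on stdin; prints what the user will see
# on first launch of a quarantined copy.
gatekeeper_outcome() {
  out=$(cat)
  verdict=$(printf '%s\n' "$out" | sed -n '1s/.*: //p')
  src=$(printf '%s\n' "$out" | sed -n 's/^source=//p')
  case "$verdict:$src" in
    "accepted:Notarized Developer ID")
      echo 'opens after the "downloaded from the internet, Apple checked it for malicious software" prompt' ;;
    "accepted:Mac App Store"|"accepted:Apple System")
      echo 'opens with no Gatekeeper prompt' ;;
    "rejected:Unnotarized Developer ID")
      echo 'blocked: signed with a Developer ID but not notarized (developer cannot be verified)' ;;
    "rejected:no usable signature")
      echo 'blocked: unsigned or not signed with a Developer ID (unidentified developer)' ;;
    *)
      echo "unknown verdict: $verdict ($src)" ;;
  esac
}

# quarantine_agent: the application that downloaded the file, taken from a
# com.apple.quarantine value on stdin; empty output means no attribute.
quarantine_agent() { cut -d ';' -f 3; }

# assess_app: macOS only; runs the real commands against a bundle path.
assess_app() {
  command -v spctl >/dev/null 2>&1 || { echo "spctl not available" >&2; return 2; }
  q=$(xattr -p com.apple.quarantine "$1" 2>/dev/null)
  if [ -n "$q" ]; then
    echo "quarantined: yes (downloaded by $(printf '%s' "$q" | quarantine_agent))"
  else
    echo "quarantined: no (Gatekeeper will not prompt; check where this copy came from)"
  fi
  # execute is the default assessment type for apps; spelled out for clarity.
  spctl --assess --verbose --type execute "$1" 2>&1 | gatekeeper_outcome
}
```

A download that reports "quarantined: no" together with a rejected verdict is the combination to worry about: nothing would have warned you, and the app still fails Apple's checks.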

Download Sources Matter More Than You Think

Where you download an app from is often more important than the app itself. The same legitimate software can be bundled with malware if you get it from the wrong source.

Always start with the Mac App Store when possible. Apps there go through Apple's review process, which isn't perfect but catches most obvious problems. Plus, the App Store handles updates automatically.

For apps not in the App Store, go directly to the developer's website. Don't use download sites like MacUpdate, Softonic, or CNET Downloads. These often repackage legitimate apps with adware or other unwanted software.

I learned this lesson the hard way years ago when I downloaded VLC from a third-party site. The video player worked fine, but it came with browser extensions I definitely didn't want.

GitHub releases are generally safe for open-source projects, but verify you're on the official repository: check the account or organization name in the URL, not just the project name, since lookalike forks with a similar name are a common trick.

Using Activity Monitor to Spot Suspicious Behavior

Before you install any app, I always tell people to learn Activity Monitor. It won't catch everything, but it teaches you what "normal" looks like on your machine — and that's half the battle.

After installing a new app, keep Activity Monitor open for a while. Go to Applications > Utilities > Activity Monitor or just press Cmd+Space and type "Activity Monitor."

Watch for processes you don't recognize, especially ones using significant CPU or network resources. Legitimate apps usually have predictable resource usage patterns. Malware often doesn't.

Pay attention to the "Network" tab too. It shows sent and received bytes and packets per process, not destinations, so it tells you that a simple text editor is constantly sending data somewhere, but not where; to see the endpoints, use lsof -i or nettop in Terminal. A baseline of what your usual apps send makes the outlier obvious.

This is actually one of the things we built CoreLock to automate — it continuously monitors process behavior and alerts you to unusual patterns. But honestly, you can catch a lot just by paying attention to Activity Monitor for the first few hours after installing something new.

Checking App Permissions and Privacy Access

Modern macOS asks apps to request permission before accessing sensitive data. When you install a new app, watch carefully for permission requests and think about whether they make sense.

A photo editing app asking for access to your Photos library? Makes sense. A calculator app asking for microphone access? Not so much.

You can review what permissions you've granted by going to System Settings > Privacy & Security. Each category shows which apps have access to what. The categories worth checking first are Full Disk Access, Accessibility, Screen Recording, and Input Monitoring, because each grants far more than its name suggests (Accessibility, for example, lets an app drive other apps' interfaces). If you see something suspicious here, you can revoke access immediately.

Some malware tries to trick users into granting excessive permissions by claiming they're needed for core functionality. When in doubt, deny the permission and see if the app still works. You can always grant it later if needed.

The Reality of False Positives and Gray Areas

Here's where I need to be honest: not every unsigned or un-notarized app is malicious. I've seen plenty of legitimate software that fails these checks for various reasons.

Small developers sometimes can't afford Apple's Developer Program fees. Open-source projects might not have the resources for proper code signing. Beta software often isn't notarized yet.

This doesn't mean you should ignore security checks entirely. It means you need to use judgment and consider the source. An unsigned app from a well-known open-source project on GitHub is different from an unsigned app you downloaded from a random website.

I'm honestly not sure if this still works in Sequoia, but you used to be able to check an app's reputation by seeing how many other people were running it. This isn't a foolproof method, but it can provide context.

Advanced Verification Techniques

If you're really paranoid (and sometimes paranoia is justified), there are deeper checks you can perform.

You can examine an app's contents by right-clicking and selecting "Show Package Contents." Legitimate apps have a recognizable layout: the main executable in Contents/MacOS, resources in Contents/Resources, helpers and libraries in Contents/Frameworks or Contents/Library, and an Info.plist at the top of Contents. Malware sometimes has obviously suspicious files (shell scripts or a second executable hiding among resources) or unusually large executables.

For any download, not just command-line tools, check the cryptographic hash against what the developer publishes:

shasum -a 256 /path/to/downloaded/file

Compare this hash to what the developer publishes. A hash only helps if it comes from somewhere an attacker can't also edit: a digest printed next to the download link proves the file wasn't corrupted or swapped by a mirror or CDN, not that the page itself is honest, so prefer hashes published in the project's repository or release notes. For an unsigned tool, a developer who publishes no hash or signature gives you no way to verify the download at all, which is itself a red flag.

Sandboxing is less useful here than it sounds. The macOS App Sandbox is something the developer opts into at build time (the entitlement is com.apple.security.app-sandbox, visible in the app's entitlements), so you can't impose it on an arbitrary download, and the sandbox-exec tool Apple shipped for that purpose is deprecated. The practical way to test a suspicious app without handing it your data is a throwaway virtual machine, or a separate standard (non-admin) user account with nothing of value in it.

What to Do If You Install Something Suspicious

Let's say you've already installed an app and now you're having second thoughts. First, don't panic. Quick action can usually contain any potential damage.

Start by checking what the app is actually doing. Open Activity Monitor and look for any processes related to the app. If it's using lots of network bandwidth or CPU when it should be idle, that's concerning.

Check your browser for new extensions or changed settings. Many questionable Mac apps install browser modifications that are harder to remove than the app itself.

Look at your Login Items in System Settings > General > Login Items, including the "Allow in the Background" list on the same screen, which is where launchd agents and daemons installed by third parties show up. Malicious apps often add themselves here to start automatically when you boot your Mac. The underlying files live in ~/Library/LaunchAgents, /Library/LaunchAgents, and /Library/LaunchDaemons.

If you find anything suspicious, disconnect from the internet before proceeding further. This prevents potential data theft and stops the app from downloading additional malware.

Then remove it in the right order: unload any launch agents or daemons it installed (or disable them in Login Items), quit the app, and only then drag it to the Trash and empty it. Don't stop there: use a tool like AppCleaner to remove associated files from ~/Library/ folders, and check ~/Library/LaunchAgents and the /Library locations above for leftover plists that would relaunch a helper you just deleted.
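A persistence sweep for the cleanup steps above, as an added shell example (not CoreLock's code or the article's own). It reads the launchd plists in the standard user and system locations, reports the label and the program each one starts, and filters on a search term such as the app's name. The demo builds a temporary LaunchAgents directory containing a hypothetical com.example.updater agent; that agent and the YourApp path are constructed for illustration. The plist parsing handles XML plists only; a binary plist needs plutil -convert xml1 first. persistence_report needs a Mac; scan_launchd runs anywhere.

```sh
#!/bin/sh
# Added example (not CoreLock's code): find what a suspect app left behind
# before you trash it, by scanning launchd plists for the program they start.

# launchd_program FILE: the Program value or first ProgramArguments string
# of an XML launchd plist.
launchd_program() {
  sed -n '/<key>Program[A-Za-z]*<\/key>/,/<\/string>/p' "$1" |
    sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p' | head -n 1
}

# scan_launchd DIR [NEEDLE]: one line per plist, "label<TAB>program<TAB>file".
# With NEEDLE, only plists whose label or program mentions it (case-insensitive).
scan_launchd() {
  dir=$1; needle=${2:-}
  for f in "$dir"/*.plist; do
    [ -f "$f" ] || continue
    label=$(sed -n '/<key>Label<\/key>/,/<\/string>/p' "$f" |
      sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p' | head -n 1)
    prog=$(launchd_program "$f")
    if [ -n "$needle" ]; then
      printf '%s %s\n' "$label" "$prog" | grep -qi -- "$needle" || continue
    fi
    printf '%s\t%s\t%s\n' "$label" "$prog" "$f"
  done
}

# persistence_report [NEEDLE]: macOS only; the standard user and system
# launchd locations, plus the Login Items list from System Events.
persistence_report() {
  for d in "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons; do
    [ -d "$d" ] && scan_launchd "$d" "${1:-}"
  done
  if command -v osascript >/dev/null 2>&1; then
    osascript -e 'tell application "System Events" to get the name of every login item'
  fi
}

# demo_scan: constructed temp LaunchAgents directory with a hypothetical
# "com.example.updater" agent that launches a helper inside the app bundle.
demo_scan() {
  d=$(mktemp -d) || return 2
  cat > "$d/com.example.updater.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Applications/YourApp.app/Contents/MacOS/updater</string>
    <string>--silent</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
</dict>
</plist>
EOF
  scan_launchd "$d" "yourapp"
  rm -rf "$d"
}
```

Once you have a plist's path, launchctl bootout gui/$(id -u) /path/to/agent.plist unloads a user agent (sudo launchctl bootout system /path/to/daemon.plist for a system daemon) so the helper doesn't come back before you delete the files. Searching on the program path rather than the label matters: a helper is often registered under a label that doesn't mention the app at all.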

Building Better Security Habits

The terminal isn't scary once you get past the initial learning curve. I wrote my first security script in about 20 minutes, and it caught something that a paid antivirus missed completely.

Consider learning a few basic Terminal commands for security checking. The codesign and spctl commands I mentioned earlier are good starting points. You don't need to become a command-line expert, but these specific tools are incredibly useful.

For ongoing protection, consider tools that can automate these checks. Our Mac security glossary explains many of the technical terms you'll encounter as you learn more about macOS security.

Keep your system updated too. Apple ships XProtect and Gatekeeper rule updates as background security updates, independent of macOS point releases, so keep automatic updates turned on, including the "Install Security Responses and system files" option under Software Update.

The Bottom Line

Checking if a Mac app is legitimate isn't about being paranoid — it's about being informed. These verification steps take a few extra minutes, but they can save you hours of cleanup later.

The most important lesson? Trust your instincts. If something feels off about an app or its source, investigate further. It's better to be cautious and wrong than trusting and infected.

To be fair, this is probably overkill for most people who stick to the App Store and well-known websites. But if you regularly install software from various sources, these habits become essential.

Remember that no security measure is perfect. Even properly signed and notarized apps can have security flaws or malicious behavior that Apple missed. These checks are just the first line of defense, not the last word on app safety.

If you want to learn more about comprehensive Mac protection beyond just app verification, check out our guide on how to protect your Mac for additional security measures that actually matter.
