Google Delivers Mac Google Earth API Plugin, But at What Cost?

UPDATE: Google has released a version of Google Earth (including the plugin) without the self-updating feature.

The Mac blogs around the ‘net are all abuzz today about Google’s release of a Mac version of the Google Maps API, but I noticed something funny when I installed it.  The plug-in is a standard Mac Internet Plug-In, meaning you can install it at either /Library/Internet Plug-Ins or ~/Library/Internet Plug-Ins.  So why does the install package prompt you for administrator credentials when you choose to install it into your home folder?  The answer lives at /Library/Google.

It turns out that when you install the plugin, the installer also installs a software update component, code-named “keystone.”  It installs the following components:

  • An application bundle at /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle
  • A “Ticket Store” at /Library/Google/GoogleSoftwareUpdate/TicketStore/ — does anyone know what this does?  I sure don’t.
  • A LaunchDaemon that runs as root on demand, at /Library/LaunchDaemons/com.google.keystone.daemon.plist
  • A LaunchAgent (/Library/LaunchAgents/com.google.keystone.agent.plist) that runs when you’re logged in, presumably to fire up the daemon so you can receive updates without administrative privileges.

Interestingly enough, this software component is never mentioned by Google.  It isn’t an option you can deselect in the installer.  Even worse, the plugin’s uninstall instructions don’t say a thing about it.  This means that after you follow the plugin uninstall instructions, your computer is still checking in with Google’s servers to make sure that it’s up-to-date.  I’m reluctant to call this malware, but it sure seems like spyware, doesn’t it?  At the very least the installer ought to mention something.

Be cautious when installing this plugin onto any computer where security is essential.  Any software component that runs as root, such as the updater this installer installs, is another attack vector for intruders trying to get at your data.

For what it’s worth, the API plugin does work if you only copy the stuff in /Library/Internet Plug-Ins to a computer or to your user account, so it appears that you can still use the plugin in a secure environment, you’ll just have to update it yourself and not have Google do it for you.

I’ve also mentioned this on the official Google Group.

Published by

Jeff Kelley

I make iOS apps for Detroit Labs.

12 thoughts on “Google Delivers Mac Google Earth API Plugin, But at What Cost?”

  1. I thought the Google Earth embedded would be nice for my sites “directions” part, installed to OS X Tiger and while just heading to Google for documentation about how to embed it without making the user mad, I noticed 2 apps trying to connect to Google.

    As result, I uninstalled it via the tool provided in that google groups discussion link.

    Has Google become so big that it got itself disconnected from real World? I know PC users who switched to Mac just because amount of things they can’t manage on Windows. It is not “spyware” of course but imagine guys frustration when something tries to connect to net.

    If “Check for Updates” provided in Package ENABLED by default, it won’t fix too. Blame spyware black/gray hats, people barely trusts to their OS Vendor for system updates and nothing else.

    In 1990s, another company got so big that they thought they could do anything without anyone saying anything. We have all seen what happened to them. Now, whatever they do, whatever service they provide whether it is better than others or not, gets ignored. I am speaking about once gigantic untouchable internet giant, AOL.

  2. in8sworld: Yes, deleting /Library/Google, /Library/LaunchDaemons/com.google.keystone.daemon.plist, and /Library/LaunchAgents/com.google.keystone.agent.plist will remove the Google Software Update software from your computer.

  3. i think ‘sudo launchctl unload -w /Library/LaunchDaemons/com.google.keystone.daemon.plist’ will stop Google Software Updater from popping up.

    1. Yes, that will stop it from launching, but the software will still be present. Also, if you’re going to be doing that, you should also run the command on the LaunchAgent.

  4. In addition, for users who haven’t yet downloaded and run Google Earth 5, or for those who have and have removed the four files above from their system and want to reinstall GE5 but not get these items reinstalled, simply download GE5, install it (but don’t run it), and follow the following instructions …

    Locate your copy of Google Earth, control-click on the application and choose Show Package Contents from the pop-up menu. Now remove the following two files, based on starting at the top of the application bundle:

    Contents/Frameworks/KeystoneRegistration.framework/Resources/install.py
    Contents/Frameworks/KeystoneRegistration.framework/Resources/Keystone.tbz

    The first file is the python script used to install the updater service, while the second is a tar-bzip’d bundle that contains the updater service. If the source files aren’t there, Google Earth will be incapable of installing the updater service, no matter what you tell/told it on first run.

Comments are closed.