Google Earth Now Available Without Automatic Updates

A while back I blogged about Google Earth’s stealthy, silent automatic update feature. That post continues to be pretty popular, so I wanted to share an update: Google has released a version of Google Earth, including the Web plug-in, that does not include the self-updater. On the download page, the EULA features this paragraph:

(b) Automatic Updates. The Google Earth software may communicate with Google servers from time to time to check for available updates to the software, such as bug fixes, patches, enhanced functions, missing plug-ins and new versions (collectively, “Updates”). By installing the Google Earth software, you agree to automatically request and receive Updates.

However, if you navigate to the advanced setup page, there’s a box you can un-check labeled “Allow Google Earth to automatically install recommended updates.” This box directs you to a separate download that does not include the updater. The EULA, however, does not change when you deselect it. I don’t think that really matters as much in the grand scheme of things, so I’ve really got to give Google some kudos here for listening to systems administrators and concerned users on this one.

Automatically get the latest Chromium snapshot with launchd

I’ve been checking out the snapshots of Chromium recently, and they’re coming quicker than you can say “multithreaded web browser.” To facilitate always having the latest version, I wrote a quick LaunchAgent that takes care of it on Mac OS X. First, I have a script named ~/bin/chromiupdate:

#!/bin/bash

# Downloads the latest version of Chromium.

remove_working_dir()
{
    rm -rf "${WORKING_DIR}"
    exit 0
}

USER_DIR=$(dscl . -read /Users/$(whoami) NFSHomeDirectory | awk '{ print $2 }')
USER_APP_DIR="${USER_DIR}/Applications"
CHROMIUM_DIR="${USER_APP_DIR}/Chromium.app"
LATEST_URL="http://build.chromium.org/buildbot/snapshots/sub-rel-mac/LATEST"
TMP_DIR="/private/tmp"
WORKING_DIR="${TMP_DIR}/.chromium_launchd"
URL_BEGIN="http://build.chromium.org/buildbot/snapshots/sub-rel-mac"

if [ ! -d "${CHROMIUM_DIR}" ]; then
    mkdir -p "${CHROMIUM_DIR}"
fi

INSTALLED_VERSION="$(defaults read "${CHROMIUM_DIR}/Contents/Info" SVNRevision)"
VERSION=$(curl "${LATEST_URL}")

if [ "${VERSION}" != "${INSTALLED_VERSION}" ]; then
    logger Installed Chromium version \(${INSTALLED_VERSION}\) does not equal \
            latest version \(${VERSION}\), updating now...
    mkdir "${WORKING_DIR}" || exit 1
    trap remove_working_dir 1 2 3 6 15
    cd "${WORKING_DIR}" || exit 1
    curl -O "${URL_BEGIN}/${VERSION}/chrome-mac.zip"
    unzip chrome-mac.zip
    rsync -HavP --exclude="Contents/MacOS/chrome_debug.log" \
          "${WORKING_DIR}/chrome-mac/Chromium.app/" "${CHROMIUM_DIR}/"

    if [ "$(ps -aef | grep -i chromium | grep -v grep)" != "" ]; then
        open "${USER_DIR}/Library/Scripts/Chromium Update Dialog.app"
    fi

    logger "Chromium update complete. Version ${VERSION} installed."

    remove_working_dir
else
    logger Installed Chromium version \(${INSTALLED_VERSION}\) is up-to-date. \
           No action needed.
fi

exit 0


Next, I have a property list named ~/Library/LaunchAgents/com.slaunchaman.chromium.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC -//Apple Computer//DTD PLIST 1.0//EN http://www.apple.com/DTDs/PropertyList-1.0.dtd >
<plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.slaunchaman.chromium</string>
        <key>Program</key>
        <string>/Users/slauncha/bin/chromiupdate</string>
        <key>KeepAlive</key>
        <false/>
        <key>StartInterval</key>
        <integer>3600</integer>
        <key>RunAtLoad</key>
        <true/>
        <key>StandardOutPath</key>
        <string>/dev/null</string>
        <key>StandardErrorPath</key>
        <string>/dev/null</string>
    </dict>
</plist>

Finally, I have an AppleScript at ~/Library/Scripts/Chromium Update Dialog.app:

display dialog "Chromium was just updated. You should restart it."

The LaunchAgent runs once an hour, checking to see if the installed version of Chromium is older than the latest snapshot. If so, it downloads it and uses rsync to copy the changes. The script places Chromium in ~/Applications, but it shouldn’t be hard to modify to put it into /Applications.

Google Delivers Mac Google Earth API Plugin, But at What Cost?

UPDATE: Google has released a version of Google Earth (including the plugin) without the self-updating feature.

The Mac blogs around the ‘net are all abuzz today about Google’s release of a Mac version of the Google Maps API, but I noticed something funny when I installed it.  The plug-in is a standard Mac Internet Plug-In, meaning you can install it at either /Library/Internet Plug-Ins or ~/Library/Internet Plug-Ins.  So why does the install package prompt you for administrator credentials when you choose to install it into your home folder?  The answer lives at /Library/Google.

It turns out that when you install the plugin, the installer also installs a software update component, code-named “keystone.”  It installs the following components:

  • An application bundle at /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle
  • A “Ticket Store” at /Library/Google/GoogleSoftwareUpdate/TicketStore/ — does anyone know what this does?  I sure don’t.
  • A LaunchDaemon that runs as root on demand, at /Library/LaunchDaemons/com.google.keystone.daemon.plist
  • A LaunchAgent (/Library/LaunchAgents/com.google.keystone.agent.plist) that runs when you’re logged in, presumably to fire up the daemon so you can receive updates without administrative privileges.

Interestingly enough, this software component is never mentioned by Google.  It isn’t an option you can deselect in the installer.  Even worse, the plugin’s uninstall instructions don’t say a thing about it.  This means that after you follow the plugin uninstall instructions, your computer is still checking in with Google’s servers to make sure that it’s up-to-date.  I’m reluctant to call this malware, but it sure seems like spyware, doesn’t it?  At the very least the installer ought to mention something.

Be cautious when installing this plugin onto any computer where security is essential.  Any software component that runs as root, such as the updater this installer installs, is another attack vector for intruders trying to get at your data.

For what it’s worth, the API plugin does work if you only copy the stuff in /Library/Internet Plug-Ins to a computer or to your user account, so it appears that you can still use the plugin in a secure environment, you’ll just have to update it yourself and not have Google do it for you.

I’ve also mentioned this on the official Google Group.