AmazonMP3: Avoiding the silly auth-requiring installer.

AmazonMP3 includes a neat little downloader app that integrates the web buying experience with iTunes for album based downloads. Upon purchase of an album, Safari downloads a little document file (.amz file) that contains a description of the tracks you just boat. The downloader application then does a bit of handshaking and downloads the tracks, automatically adding ’em to your iTunes library if you have said preference enabled.

Amazon decided to package the application into some installer app that requires authentication to install the downloader helper. But there doesn’t seem to be any reason why admin access is required for the downloader helper and, as such, all this is doing is creating an unnecessary barrier to entry.

What about amazon customers that don’t have admin access to the machine? How about customers that, on principal, don’t run installers that require admin access unless there is a damned good reason to do so?

Boo.

As it turns out, if you ctrl-click on Amazon MP3 Installer.app in the Finder and “Show Contents”, then browse into the “Contents/Resources” folder, the downloader application is sitting right there in all its ready-to-run glory.

Drag and drop that wherever you want. LaunchServices should [eventually] figure out that something exists that can open “.amz” documents and, thus, it’ll all just work.

Drag-n-drop install ftw.



8 Responses to “AmazonMP3: Avoiding the silly auth-requiring installer.”

  1. Brad Mohr says:

    I think they use an installer so that they can write the LSRiskCategoryExtensions default for the .amz file (so it can auto-open).

  2. Brad Mohr says:

    Oops. I meant to write “add .amz to the LSRiskCategorySafe” category. Of course, this should be optional anyway and could be done by the downloader app itself.

  3. Joseph says:

    Sure it’s dumb that the installer requires a password, but is this really necessary? Why jump through all the hoops?

  4. bbum says:

    (1) If there is no need for an installer, don’t have an installer. Drag and drop installs are better and the user is then given the option to drop the app anywhere they want.

    (2) Lots of potential music buyers do not have admin access to the machine. College students. Kids at home. Etc… See (1), but in the context of “do not impede the customer’s ability to give you money”.

    (3) If there is a security hole in the installer, the fact that it authenticates means that said security hole could easily result in total p0wnage of the user’s machine.

  5. Ian says:

    I am sorry, but how is it easier to ctl-click the package to see the show contents command in order to obtain access to the app so that it is then possible to drag and drop it.

    Point one: the typical Mac user is not your a reader of your website. I think it is proper to train him/her in to building good security habits when dealing with software and its installation.

    Second: About users who do not have admin access. I do not want non-authorized people adding software to my computer. Once again good security habits. They need to find a admin or buy their own Mac. Above all for applications that involve spending money over the Internet. That means parents can control what their kids are doing.

    Third: about users that, on principal, don’t run installers that require admin access unless there is a damned good reason to do so.
    There is a good reason – Security. Amazon should perhaps (maybe they do – I have not installed the software) mention what happens when the installer is run. In any case users savvy enough to avoid such installers on principal are capable of finding alternative methods or doing more research.

    Ian

  6. bbum says:

    It isn’t easier to go poking about the package and I never intended to imply that it was.

    The point is that Amazon is needlessly adding inconvenience and security risks to an otherwise solid service.

    Requiring authentication when it isn’t necessary is not only not a good security habit, it is actually a security risk! Unless the code is 100% perfect — not just Amazon’s, but all of Apple’s, too — any act of authentication creates a window of heightened security risk.

    About users who do not have admin access. I do not want non-authorized people adding software to my computer.

    The whole point of a non-admin account is that it prevents the user from damaging your computer. They can muck up their user account as much as they want, but there should be no way for a non-admin user to install software that messes up other user’s accounts. If there is, then file a bug. In any case, unless you ban a non-admin user from downloading anything off the web, they’ll be able to “install” software — run it, really — all day long.

    Authentication-upon-install is all about security, but not the kind you seem to think! It isn’t about preventing users from doing stuff, it is all about allowing the installer to do stuff that the current user does not have the rights to do — install kernel extensions, drop a launchd plist somewhere, add shared resources for all users to /Library, etc…

  7. no_barcode says:

    Thank you. This was very helpful to me.

    I don’t like “auto-installing” anything on my iMac. Especially if the installer asks me to log it in as an administrator. In this case, I couldn’t see any reason why the installer would need admin access. I realize that they want to associate the queue file with the downloader so it opens for you. But how do I really know that’s all it was going to do? Maybe there’s a way to tell, but I’m not that savvy, so I’d rather err on the side of caution. It should be an option in the installer, like a checkbox that says, “[ X ] Yes, automatically open queue files for me. (requires administrator access)” or something.

    Got my album downloaded without auto-installing, just fine.

    Thanks again!

  8. no_barcode says:

    Thank you. This was very helpful to me.

    I don’t like “auto-installing” anything on my iMac. Especially if the installer asks me to log it in as an administrator. In this case, I couldn’t see any reason why the installer would need admin access. I realize that they want to associate the queue file with the downloader so it opens for you. But how do I really know that’s all it was going to do? Maybe there’s a way to tell, but I’m not that savvy, so I’d rather err on the side of caution. It should be an option in the installer, like a checkbox that says, “[ X ] Yes, automatically open queue files for me. (requires administrator access)” or something.

    Got my album downloaded without auto-installing, just fine.

    Thanks again!

Leave a Reply

Line and paragraph breaks automatic.
XHTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>