Security

Security Model

Effective date: May 31, 2026

macCurrent is an unsandboxed Mac utility because supported updates may require reading installed application bundles, writing replacement apps into /Applications, opening package installers, or using administrator authorization for protected locations.

Privacy and telemetry

Usage analytics is opt-in and independent of hosted catalog lookup. A fresh install sends no client metrics until you explicitly enable Usage Analytics in first-run setup or Settings.

When enabled, macCurrent sends a random per-install identifier to api.maccurrent.com with launch and broad update outcome details. Client metrics do not include app inventory, app names, bundle identifiers, app paths, local usernames, serial numbers, hardware IDs, or raw issue text.

Update metadata

macCurrent rejects cleartext update metadata. Sparkle appcasts, Electron updater metadata, Mozilla version metadata, hosted catalog URLs, and direct download metadata must use HTTPS. Download redirects are rechecked before following them.

Release verification

macCurrent direct beta releases are distributed as Developer ID signed and Apple-notarized artifacts. The public release manifest includes checksums for the DMG and ZIP, and the Sparkle appcast includes EdDSA signature metadata for in-app macCurrent updates.

Downloaded artifacts

For Sparkle-managed third-party apps, macCurrent reads the installed app's public EdDSA key, parses the appcast archive signature and length, and verifies the downloaded archive before installation or opening a package. Sparkle updates without required signature metadata are rejected.
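
The appcast checks described above, as an added Python example (not macCurrent's own code): it parses a constructed Sparkle appcast, rejects enclosures that are not HTTPS or that lack a well-formed `sparkle:edSignature` and `length`, and checks the downloaded size. The Ed25519 verification against the installed app's public key is assumed to run afterwards in a cryptography library; the function names and sample appcast are hypothetical, and applying the HTTPS rule to the enclosure URL is an assumption.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"
ED_SIG_ATTR = f"{{{SPARKLE_NS}}}edSignature"
ZERO_SIG = base64.b64encode(bytes(64)).decode()  # constructed placeholder signature

# Constructed appcast: item 1 is well formed, item 2 is cleartext, item 3 is unsigned.
SAMPLE_APPCAST = f"""<rss xmlns:sparkle="{SPARKLE_NS}" version="2.0"><channel>
<item><enclosure url="https://updates.example.com/App-2.0.zip" length="11"
  sparkle:edSignature="{ZERO_SIG}"/></item>
<item><enclosure url="http://updates.example.com/App-2.1.zip" length="11"
  sparkle:edSignature="{ZERO_SIG}"/></item>
<item><enclosure url="https://updates.example.com/App-2.2.zip" length="11"/></item>
</channel></rss>"""

def gate_enclosure(enclosure):
    """Return (url, signature_bytes, length); raise ValueError to reject the item."""
    url = enclosure.get("url", "")
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("enclosure URL is not HTTPS")
    sig_b64 = enclosure.get(ED_SIG_ATTR)
    if not sig_b64:
        raise ValueError("missing sparkle:edSignature")
    sig = base64.b64decode(sig_b64, validate=True)  # ValueError on bad base64
    if len(sig) != 64:  # Ed25519 signatures are always 64 bytes
        raise ValueError("signature is not 64 bytes")
    length = enclosure.get("length", "")
    if not (length.isascii() and length.isdigit()):
        raise ValueError("missing or malformed length")
    return url, sig, int(length)

def check_download(archive, expected_length):
    """Cheap length check to run before Ed25519 verification of the archive."""
    if len(archive) != expected_length:
        raise ValueError("archive length does not match appcast")
    return True

def evaluate(appcast_xml):
    """Return one verdict string per enclosure, in document order."""
    verdicts = []
    for enclosure in ET.fromstring(appcast_xml).iter("enclosure"):
        try:
            gate_enclosure(enclosure)
            verdicts.append("ok")
        except ValueError as exc:
            verdicts.append(str(exc))
    return verdicts
```

An item that passes this gate is only a candidate: the archive bytes still have to verify against the key read from the installed app before anything is installed or opened.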

macCurrent also rejects served downgrades when the extracted replacement app is older than the installed app.

Installation trust

Before replacing an application bundle, macCurrent validates that the replacement bundle identifier matches the installed application and that the replacement signing team matches the installed app's verified team identifier. If the installed app's team identifier cannot be verified, macCurrent does not perform an automatic replacement.

For package installers that can be verified as trusted vendor packages, macCurrent may run the installer. Untrusted packages are opened in Installer for user review instead of being installed silently.

Process execution

macCurrent launches tools with argument arrays rather than shell command strings. External process output is captured for diagnostics and surfaced in recent activity when an update fails.

Backups, restore, and cleanup

For eligible direct replacement updates, macCurrent can create a path-aware backup of the existing app before replacing it. Backup retention is user-configurable in Settings, up to three backups per app identity, and restore actions are scoped to the selected app.

Uninstall cleanup is limited to macCurrent-owned support files, preferences, cached installers, local catalog data, launch agents, and related Library files.

Known limits

macCurrent cannot verify every vendor updater end-to-end because many vendors control their own update tools and package formats. In those cases, macCurrent hands off to the vendor updater, the Mac App Store, Homebrew, Microsoft AutoUpdate, Google Software Update, Adobe Remote Update Manager, Docker Desktop, or Installer.

Review status

Internal review and automated checks cover the current beta's download, verification, install, telemetry, and release paths. An independent external security review of the privileged install path has not yet been completed, so macCurrent does not claim third-party audit status.