Improving Finder’s UI for safer double-clicking.
John Gruber drops, in his accessible, accurate style, some knowledge about The Safari Shell Script Execution Exploit (for reference, here’s the Internet Storm Center’s take on the vulnerability). The exploit, in essence, is a combination of a dangerous Finder feature and a lack of user feedback about that feature. One of Gruber’s suggestions to Apple is to explicitly tip off the user when a JPEG file is configured to “Open With” some other application:
Apple should consider addressing this in the Finder, by, say, adding some sort of visual treatment around application icons, which would provide some measure of warning for malware apps posing as documents — if there were some sort of halo around applications and you saw such a halo around a malware app posing as a JPEG, you’d have a visual indication that it’s not really a JPEG.
My initial reaction is that a halo doesn’t tell you what’s wrong with the file, just that something’s wrong. It’s the UI equivalent of a string around your finger: only useful if you remember (or ever knew) what the string was for. And don’t forget that, sometimes, the user has deliberately chosen a non-default “custom opener” application for one of her files; we don’t want to put “DANGER! DANGER!” stripes on that icon. The indicator should be meaningful enough to indicate a surprising (and possibly dangerous) state of affairs, while not implicitly damning a state the user is aware of.
In other words, we need to tie a string on the user’s finger, but we must also attach a tag at the end of that string. Apple’s icon design guidelines give us a clue as to what the tag might be:
Traditionally, a document icon looks like a piece of paper with its top-right corner folded down. As previously suggested, Aqua document icons should make it obvious which application they are associated with. Preview documents, for example, include a graphic of the media (the pictures) used in the application icon. For simplicity and to avoid confusing the document with the application itself, the viewing tool is not repeated in the document icon.
In the case of docs with custom openers, the potential deviation between the document and the application is exactly what we want to highlight. Apple’s HIG, which advises against sticking the app in the document icon, works in our favor here, because we can unambiguously signal that Something Is Different About This Document by our inclusion of the app icon as its own badge. Here we go:
In this quick and dirty mockup, I make explicit use of Apple’s strong warnings against including the application’s icon at all, as well as adding a badge as an overlay rather than an integrated design element. Normal icons should have neither of these features, which is why this design works so well: it screams, this is not a normal icon. It has the icon of an application (perhaps an unexpected one!) applied as a badge; furthermore, that badge is a floating overlay, further underscoring the fact that the presence of a custom opener is exceptional and not intrinsic to the document type.
Discuss.