At Quora, I occasionally play “Ask the expert”. Hundreds of my Quora answers are linked at the top right. Today, I was asked if it is safe to use free, online services that convert between file formats. For example, many web services allow you to upload a JPEG image and get back a PNG file. Others convert between DOC and PDF, or between popular video or audio formats.
Some of these services include additional processing. For example, stringing separate images together into a single animated GIF file—or rotating pages and adding a password within a PDF file. If you don’t have a locally installed program that does these things, is it safe to use these free, online services?
And what about apps that you download and install? These present separate risks. But, with a little common sense, you can figure out which ones you can trust…
The short answer: It depends on the file type. A JPEG file that is processed via an online service is safe. SVG is not.
A More Complete Answer…
There are three factors that relate to the safety of free online file converters:
- Is the target file type passive? That is, is it a data-only file that you will open with your own application? But watch out! Most—but not all—media formats (files that store pictures, music or video) cannot contain malicious code, unless you are tricked into opening them with the wrong program. Most of these formats simply direct your application to present pictures on your screen or audio signals to the speakers, without launching other apps or executing code that reads or writes to your device. But there are exceptions. Some popular formats support scripts, which are a form of program instructions. And, rarely, you may even be susceptible to execution of a data-only file.
Additionally, you might be fooled by a clever screen image that appears to be created by your browser or operating system. It’s just a picture, but it sure looks like a user window with instructions.
- Is there anything sensitive in your source material? (i.e. is your file confidential or embarrassing?). If so, it will be in the hands of strangers for all time. Do not use an online service to convert or store the file, unless it is first encrypted on your own device.
- Is there any possibility of misdirection or error during the process? That is, could you be tricked into uploading the wrong file or revealing more information than you intended? For example, with deceptive tactics, a web service might slip you a routine that tampers with your file associations. Now, a file ending with .JPG is no longer interpreted as an image, but contains an active and malicious threat.
Don’t be fooled by this chicanery! Your browser is the only trusted way to download a data file. It has the most advanced and up-to-date tools to achieve this simple task. With few exceptions, download managers or installers that run outside of the normal process contain malware that threatens your data and your entire network.
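The two checks above (is the returned file really the passive format its name claims, and does an SVG carry scripts?) can be automated. This is an added example, not code from the original post; the magic-byte table, the SVG pattern list and the sample files are my own assumptions and constructions, and it covers PNG, GIF and PDF as well as the JPEG and SVG cases the post mentions.

```python
# Added example: classify a file handed back by an online converter.
# Sample inputs below are constructed, not real converter output.
import re
from pathlib import Path

# Leading bytes ("magic") of the passive, data-only formats discussed.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}

# Hooks that make an SVG active rather than passive: inline scripts,
# event-handler attributes, javascript: URLs, embedded HTML and remote refs.
SVG_ACTIVE = re.compile(
    rb"<script\b|\son[a-z]+\s*=|javascript:|<foreignObject\b|href\s*=\s*[\"']https?:",
    re.IGNORECASE,
)

def classify(name: str, data: bytes) -> str:
    """Return one of 'passive', 'active', 'mismatch' or 'untrusted'.

    'mismatch' means the bytes are not the format the extension claims,
    e.g. an executable (MZ header) returned under a .jpg name.
    'untrusted' covers any extension outside the passive set.
    """
    ext = Path(name).suffix.lower()
    if ext == ".svg":
        # SVG is XML; treat it as passive only when it carries no script hooks.
        return "active" if SVG_ACTIVE.search(data) else "passive"
    if ext in MAGIC:
        return "passive" if data.startswith(MAGIC[ext]) else "mismatch"
    return "untrusted"

# Constructed sample files.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "photo-renamed.jpg": b"MZ\x90\x00" + b"\x00" * 16,  # PE header, not JPEG
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>',
    "logo-bad.svg": b'<svg onload="init()"><script>init()</script></svg>',
}

def report(samples=SAMPLES) -> dict:
    """Map each sample name to its verdict."""
    return {name: classify(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:20s} {verdict}")
```

A magic-byte check only proves the container type; it does not prove the decoder that opens the file is free of the parsing bugs mentioned later in the post.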
Disambiguation: That last warning is about apps installed on your device, rather than online services. But how can a non-techie be secure in their decision to download or install an app? Here is a way to think about your options and safety: the maker of your app should fall into one of these two categories:
- The vendor has a lot to lose if they fail to fully vet the context and security of an executable. This is typically true of large, audited, publicly funded companies like Adobe, Amazon, Citrix or Google. (Being big does not inherently make them trustworthy, but it makes them careful to verify claims against internal practices).
- —OR— The executable is offered via a reputable open source community with a broad base of technical and critical developers. It helps if developers are rewarded for finding and reporting bugs.
Online file conversion services fail these tests—but they are not locally installed apps. Remember, these last two tests are intended for apps that you plan to install, whereas online file-conversion services simply process data and return it to you. So to protect yourself from file-conversion programs that you download and install, you must ensure that they don’t install or interact with your other applications and data.
One way of ensuring this is to run in a sandbox or protected environment (as if you maintained a separate PC for use only with file conversions). The more practical way is to educate yourself on the vendor’s practices, reputation and history. A dedicated file conversion utility should interact only with files you select—and only to generate passive content that you open with your own applications.
Even data-only files can be exploited. For example, malware can use a “buffer overrun” weakness to treat some of the music or photo data in your files as executable program code. But don’t worry. Although this might seem impossible to defend against, such opportunistic exploits are unlikely if you have good antivirus protection, and if you allow your trusted applications to update regularly.
In very limited circumstances, an add-on program (i.e. an authorized music player that assists iTunes or Amazon) might be part of the provider’s ecosystem. But just as with any program that you obtain from a retailer, such add-ons should only be installed from rock-solid sources, such as the maker of your operating system or browser (Apple, Microsoft, Google) or from highly reputable, open-source projects.
Additional reading about the SVG file format: