Google to lock down Chrome extensions

Chrome Web Store apps will be subject to tighter controls

Google is taking action to improve the trustworthiness of the Chrome Web Store, adding new security controls and clamping down on insecure practices.

The Chrome Web Store, which allows users to add extensions to their desktop browser, has a somewhat patchy reputation for security, and has frequently been found to be hosting malicious extensions that silently spy on users and steal their data.

The tech giant is aiming to stamp this out, and is introducing new privacy and security features such as a more stringent permissions system. The new system will allow users to specify if they want to allow extensions to run on all sites, on specific sites, or to only run when the extension is clicked.

The change is part of Google Chrome Version 70, which is due to hit general release this month.

Advertisement - Article continues below
Advertisement - Article continues below

Google is also keeping a closer eye on extensions, effective immediately, and the more permissions an extension asks for, the longer Google will take to review it. The company is placing particular importance on extensions that rely on remotely-hosted code, Chrome Extensions product manager James Wagner said in a blog post, and advised that developers make sure their extensions ask for as few permissions as possible.

Effective immediately, obfuscated code is also banned from the Chrome Web Store altogether. 

"Today over 70% of malicious and policy violating extensions that we block from Chrome Web Store contain obfuscated code," Wagner said. "At the same time, because obfuscation is mainly used to conceal code functionality, it adds a great deal of complexity to our review process. This is no longer acceptable given the aforementioned review process changes."

Extensions that feature obfuscated code will not be allowed to be submitted to the web store, and existing extensions that use it have 90 days to replace it before they are removed.

In addition to the security benefits, the removal of obfuscated code will likely bring performance benefits, as obfuscation usually incurs increased execution times on the host machine.

From next year, the company will also force Web Store extension developers to use two-factor authentication to protect their accounts, with a view to preventing criminals from hacking the accounts of popular extension developers and using their extensions to deliver malware.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now


cloud computing

Google adds partners to real-time translation tools

8 Jan 2020

The IT Pro Products of the Year 2019: All the year’s best hardware

24 Dec 2019
search engine optimization (SEO)

Google is getting worse as it does more

21 Dec 2019
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Most Popular

operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020

Windows 10 and the tools for agile working

20 Jan 2020
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020