Google Tightens Rules For Chrome Extension Developers

In a blog post Monday, Google’s manager of Chrome extensions, James Wagner, outlined some policy changes for extensions offered in the Google Chrome Web Store. He wrote:

“We’ve recently taken a number of steps toward improved extension security with the launch of out-of-process iframes, the removal of inline installation, and significant advancements in our ability to detect and block malicious extensions using machine learning.”

The changes seem to have the goal of narrowing permissions for extensions, and also making the purpose of extensions more transparent. At least one of the changes will likely reduce the incidents of cryptojacking, a problem the Chrome Web Store has previously grappled with.

In April, Wagner announced the store was banning all crypto mining extensions. Prior to that, mining extensions had been allowed, but only if users were adequately informed of the extension’s intent and mining was the extension’s single, express purpose. He wrote then, “Unfortunately, approximately 90% of all extensions with mining scripts … have failed to comply with these policies, and have been either rejected or removed from the store.”

The recent policy update says that extensions with obfuscated code will no longer be allowed in Chrome Web Store. Obfuscation conceals the source code of an extension, making it possible to hide functionalities, possibly malicious ones, such as those that could be used for cryptojacking, from the users who download the extension. Wagner writes:

“Today over 70% of malicious and policy violating extensions that we block from Chrome Web Store contain obfuscated code. At the same time, because obfuscation is mainly used to conceal code functionality, it adds a great deal of complexity to our review process.”

While code obfuscation can be used to hide the real intent of a piece of malicious software, it does have a legitimate purpose of preventing a piece of code from being copied, thereby protecting a developer’s intellectual property. However, Google no longer believes this protection is effective enough to justify the possible dangers of obfuscation. According to Wagner:

“Since JavaScript code is always running locally on the user’s machine, obfuscation is insufficient to protect proprietary code from a truly motivated reverse engineer. Obfuscation techniques also come with hefty performance costs such as slower execution and increased file and memory footprints.”

The post says that developers may continue to update extensions with obfuscated code for the next 90 days. However, all extensions must comply with the new requirements by January 2019.

Tim Prentiss is a writer and editor for ETHNews. He has a master’s degree in journalism from the University of Nevada, Reno. He lives in Reno with his daughter. In his spare time he writes songs and disassembles perfectly good electronic devices.

Like what you read? Follow us on X @Bitnewsbot to receive the latest Google Chrome, cryptojacking or other Ethereum technology news.