After years of issues with rogue Chrome extensions, hijacks, and malware, Google announced a slew of new policies Thursday to ensure the little browser applets are secure. The improvements come as part of a wider company push to evaluate how much user data third-party applications can access. Google launched the audit, known as Project Strobe, in October alongside an announcement that Google+ had suffered data exposures and would be shuttered.
Later this year, Google will begin requiring that extensions only request access to the minimum amount of user data necessary to function. The company is also expanding its requirements around privacy policies: Previously, only extensions that dealt with personal and sensitive user data had to post the policies, but now extensions that handle personal communications and other user-generated content will need to articulate policies, as well. Google says it is announcing these changes now so developers have time to adapt before the new rules take effect this fall.
Lily Hay Newman covers information security, digital privacy, and hacking for WIRED.
"To make this ecosystem successful, people need to be confident their data is secure, and developers need clear rules of the road," Google Fellow and vice president of engineering Ben Smith wrote on Thursday. "There are more than 180,000 extensions in the Chrome Web Store, and nearly half of all Chrome desktop users actively use extensions.… Last October, we shared our intention to ensure that all Chrome extensions are trustworthy by default. Today, as part of Project Strobe, we’re continuing that effort with additional Chrome Web Store policies."
Project Strobe has also tightened developer access to Gmail data, and on Thursday Google expanded those protections to constrain third-party access to Google Drive.
Google is known for robust account security, but its open ecosystems on Android and Chrome can present problems. Third-party app and Chrome extension developers don't always build their software with user security best practices in mind, potentially exposing user data. And rogue developers can exploit the open system to sneak malicious apps into Google Play or simply distribute their nasty Chrome extensions and apps outside of Google's protected channels.
Some users may be surprised that privacy policies and minimal data access weren't already requirements for all Chrome extensions. Google says that it had strongly encouraged developers to take these steps before making them mandatory. But the slow pace of improvements for Chrome extension security has become a real industry concern as problems continue to crop up with the unassuming applets.
"It's as if Google assumes all Chrome extensions are malicious, but they run the store anyway," says Matthew Green, a cryptographer at Johns Hopkins University. "I feel like Google treats their extensions like radioactive waste. Maybe they are."