Beginning July 1, 2019, Google will start implementing new rules for Chrome extensions in a fight against scam sites. The company has announced new privacy protections for extensions and new Drive API rules as part of Project Strobe, a push to improve user privacy and security. There has been an ongoing trend of extension developers asking for a lot of permissions and then abusing them, either by not using them or by using them for malicious purposes.
Currently, there are more than 180,000 extensions available for users to install in the Chrome Web Store. Extensions are available for ad blocking, to-do lists, or finding the best deals. With over half of all Chrome users installing extensions, it is crucial to protect their privacy and data.
Google announced two new rules in an attempt to eliminate permission-grabbing extensions. First, all extensions will be required to request only the data that their features need. Further, developers will need to use permissions in a way that accesses the least amount of data. Second, Google is now requiring all extensions that work with user-provided content and personal communication to post their privacy policies. This is being implemented in an effort to increase transparency in how user data is handled, collected, used, and shared.
Further, Google plans to scan all extensions and will begin notifying developers of any changes that need to be made. Chrome is giving all developers 90 days to correct their permissions. If the rules are not followed, extensions will be removed from the Chrome Web Store and deactivated in users’ browsers.
In addition to the new permissions rules, Chrome is rolling out new Google Drive API rules. These rules say that all third-party apps that connect to Drive will be restricted from viewing specific files in the drive. Only certain apps will be allowed full access to users’ drives.