Ruslan Grumble - Fotolia

Can Google's Chrome extension policy improve Web security?

The updated Chrome extension policy allows users and developers to only install extensions from the Chrome Web Store. Learn how this affects security and enterprise apps.

Google announced a new Chrome extension policy that only allows users and developers to install extensions from...

the Chrome Web Store. Is this a good move that will improve security? What affect will this have on future apps?

Google Chrome extensions are small software programs that can customize and enhance the functionality of Google Chrome. Users can download them from the extensions gallery of the Chrome Web Store -- the online marketplace for Chrome apps, extensions and themes. While the extension platform unlocks powerful features that can increase the browser's functionality, it can also be abused by malware writers to capture user data, display ads or redirect users to malicious sites.

Prior to this latest policy update, users could install extensions directly from a developer's website. However, this installation method allowed malicious developers to avoid Google's automated review process -- which Chrome Web Store extensions have to pass through -- allowing them to distribute their malware directly to unsuspecting users. Google halted the silent installation of extensions by applications installed on a user's machine some time ago, as this was another method being used to distribute malware.

In response to growing concerns about Chrome users being infected by malicious extensions, Google has made a series of changes to its Chrome extension policy. In May last year, the company introduced a Chrome Web Store-only policy for Windows users whereby only extensions hosted on the Store could be installed; developers and Mac users could still install extensions from any source. Following this change in how extensions could be distributed to Windows users, Google saw a 75% drop in customer support help requests for uninstalling unwanted extensions. Despite these policy changes, some users were still being infected by malicious extensions -- the policy was not initially enforced on the Windows developer channel, so hackers started tricking users into the developer channel in order to install their malicious extensions.

Google's new policy mandates that all Windows and Mac users -- including developers -- must install Web browser extensions from the Chrome Web Store. There is also a new application-vetting feature called Enhanced Item Validation, which runs additional checks before an extension is published in the Store and made available to users. This is aimed at preventing malicious extensions such as Webpage Screenshot, which slipped through the existing vetting process. Google is also beta testing a software removal tool, which will scan and remove software that may cause problems with Chrome.

Chrome will continue to support local extension installs during development, as well as installs that follow Chrome for Work and Education's enterprise policy. Although some extension developers have complained that these moves penalize the genuine developer by making them go through the time and trouble of submitting their extension for review, it should help make the Chrome Web Store a safer place, and if users have more confidence in software available in the store, then developers can only benefit.

Enterprises can specify a list of extensions that will be pushed silently to their users via group policy, the registry or the master_preferences file. Extensions request permissions before they are installed, and administrators should understand what data an extension will access. There are 10 different permissions, divided into three alert levels -- a high-level alert means the extension will have access to everything on a user's computer and the websites they visit. This level of access needs to be fully risk-assessed.

Ask the Expert:
SearchSecurity expert Michael Cobb is ready to answer your application security questions -- submit them now. (All questions are anonymous.)

Next Steps

Don't miss SearchSecurity's Web browser security tutorial

Learn more about Web browser extension flaws and how to mitigate plug-in threats

This was last published in November 2015

Dig Deeper on Application and platform security