Google no longer allows Chrome extensions using obscured code

Google announced today five new rules for the Chrome Web Store, the portal where users will download Chrome extensions. The new rules are primarily intended to prevent malicious extensions from reaching the Web Store, but also to reduce the amount of damage to customers.

No more extensions with obscured code

The first new rule announced today by Google is the readability of the code. According to Google, starting today, the Chrome Web Store no longer allows obscured code extensions.

Obfuscation is the deliberate act of creating a source code difficult to understand for humans.

This should not be confused with the minified (compressed) code. Minification or compression refers to the practice of removing spaces, newlines or reducing variables to improve performance. The reduced code can be easily de-minified, while the masked code deobfusion takes a lot of time

According to Google, about 70% of malicious Chrome extensions blocked by the company use code obfuscation.

Given that obscuring the code also adds a performance problem, Google believes that there is no benefit to using the obfuscation of the code, hence the need for Completely ban these extensions. Developers have until January 1, 2019 to remove any hidden code from their extension.

New extensions review process

The second rule implemented today by Google is a new review process for all extensions submitted to the list on the Chrome Web Store.

Google says that any extensions that require access to powerful browser permissions will be subject to what Google has called an "additional compliance check".

Preferably, Google would prefer that extensions be "limited" only to the permissions they need to perform their work, without requiring access to additional permissions as a backup of future features.

In addition, Google also stated that an additional compliance check would also be triggered if the extensions were using remotely hosted code, a sign that developers wanted to be able to change the code they delivered to users at the time of the release. Run, possibly to deploy malicious code. . Google has indicated that such extensions would be subject to "continuous monitoring".

Permissions per site

The third new rule will be supported by a new feature that will land in Chrome 70, which should be available this month.

With Chrome 70, Google indicates that users will have the ability to restrict extensions to only certain sites, preventing potentially dangerous extensions from running on sensitive pages, such as e-banking portals, web crypto wallets. or the inboxes.

In addition, Chrome 70 may also limit extensions to a user's click, which means that the extension will not run on a page until the user has finished. did not click a button or menu option in Chrome.

Two-step verification required

The fourth new rule does not apply to extensions themselves, but developers extensions. Due to the large number of phishing campaigns that have taken place over the past year, starting in 2019, Google will ask all extension developers to use one of the two-step verification mechanisms (SMS , authenticating) of Google. app or security key).

With 2SV enabled for accounts, Google hopes to prevent hackers from taking over developer accounts and pushing malicious code to legitimize Chrome extensions, damaging both Chrome's extension and credibility.

Just today ZDNet reported on one of these latest phishing campaigns targeting developers of Chrome extensions.

New manifest v3

The fifth and final list is a new guideline for creating manifest.json files. These files are used to contain instructions on how Chrome should process and interact with the extension.

Version 3 of this new Manifest directive will be introduced in 2019, and Google wants extension developers to be ready before deployment.

Changes to Manifest v3 are related to new features added to Chrome 70, specifically new mechanisms granted to users to control extension permissions.

Google's new Web Store policy reinforces the security measures the browser has taken to secure Google Chrome in recent years, such as prohibiting the installation of extensions hosted on remote sites or out-of-process iframes to isolate a part sites. the extension code of the page on which the extension is executed.

Related coverage: