A number of recent data leaks and breaches have been due to obfuscated code. The practice allows developers to hide malicious code in apps, where it is not easily detected. Google is no longer allowing browser extensions with obfuscated code on Google Chrome. The move will not only help prevent malicious extensions from being added to the Web Store, but it will also help limit what these extensions can do to users.
According to Google, about 70% of all malicious Chrome extensions were found to contain obfuscated code. Google has its own testing process for all extensions before they are approved for publishing on the Chrome Web Store. However, the extensions containing obfuscated code have not been removed yet.
All developers on the Chrome Web Store have until January 1, 2019, to remove any obfuscated code from their extensions. Once the deadline passes, all apps that have not been updated to meet Google’s guidelines will be removed.
A new review process will also be in place for all extensions that are published on the Chrome Web Store. On top of the existing screening procedures, Google will conduct an additional “compliance review” before allowing an app. Apps that request unnecessary permissions will not be approved until developers justify why they need specific permissions that have nothing to do with the app’s primary functionality.
Developers who want to publish extensions on the Chrome Web Store will be required to use two-step verification. This will reduce the odds of attackers compromising a developer account in order to inject malicious code into extensions. A new Manifest Guideline feature will also be added in 2019, which will allow users to control permissions per extension, similar to how Android’s permissions manager works.