Why it matters: The data collection scandal that struck Facebook last year is having a wide-reaching impact on the tech industry as a whole, and in a positive way. People are more conscious about protecting their personal data and that is forcing companies to rethink the level of access that developers have to customer information.
Google last year announced Project Strobe, a root-and-branch review of third-party developer access to Android device and Google account data. The search giant has already implemented multiple new policies and is now turning its attention to Chrome.
Moving forward, Google is requiring that extensions only request access to data needed to implement their features. In the event that more than one permission could be used to implement a feature, the dev will need to use the permission that accesses the least amount of data.
This behavior has always been encouraged by developers, said Google fellow and VP of engineering, Ben Smith, but now, it is a requirement for all extensions.
Browser extensions have become a growing attack vector for phishing and social engineering. As Atif Mushtaq, CEO of cybersecurity firm SlashNext, highlights, many attacks are born out of legitimate extensions that are later updated with malicious code.
“This exact scenario happened when Particle – a Chrome extension for enhancing YouTube – was sold to a new developer after the original author planned to abandon the extension due to incompatibilities with a soon to be released updated YouTube UI.”
As Mushtaq recounts, the new developer converted the extension to adware a couple of days after the purchase and sent out an update requesting two intrusive permissions to access data that the extension didn’t need or have any reason to use.
Thanks to changes brought about by Project Strobe, it should be harder for extensions – both legitimate ones and those that go rogue – to collect such personal data.