Google to no longer allow Chrome extensions that use obfuscated code

Google publishes new rules for extensions and the Chrome Web Store.

Google announced today five new rules for the Chrome Web Store, the portal where users go to download Chrome extensions. The new rules are primarily meant to prevent malicious extensions from reaching the Web Store, but also to reduce the amount of damage they do client-side.

No more extensions with obfuscated code

The first new rule that Google announced today is in regards to code readability. According to Google, starting today, the Chrome Web Store will no longer allow extensions with obfuscated code.

Also: Top Google advertising exec departs

Obfuscation is the deliberate act of creating source code that is difficult for humans to understand.

This should not be confused with minified (compressed) code. Minification or compression refers to the practice of removing whitespace, newlines, or shortening variables for the sake of performance. Minified code can be easily de-minified, while deobfuscating obfuscated code takes a lot of time

According to Google, around 70 percent of all the malicious Chrome extensions the company blocks use code obfuscation.

Since code obfuscation also adds a performance hit, Google argues there are no advantages in using code obfuscation at all, hence the reason to ban such extensions altogether. Developers have until January 1st, 2019 to remove any obfuscated code from their extension.

New extensions review process

The second rule Google put into place today is a new review process for all extensions submitted to be listed on the Chrome Web Store.

Google says that all extensions that request access to powerful browser permissions will be subjected to something that Google called an "additional compliance review."

Preferably, Google would prefer if extensions were "narrowly-scoped" --asked for only the permissions they need to do their job, without requesting access to extra permissions as a backup for future features.

Also: How to get your broken Pixel phone repaired by Google TechRepublic

Furthermore, Google also said that an additional compliance review will also be triggered if extensions use remotely hosted code, a sign that developers want the ability to change the code they deliver to users at runtime, possibly to deploy malicious code after the review has taken place. Google said such extensions would be subjected to "ongoing monitoring."

Per-site permissions

The third new rule will be supported by a new feature that will land in Chrome 70, set to be released this month.

With Chrome 70, Google says users will have the ability to restrict extensions to certain sites only, preventing potentially dangerous extensions from executing on sensitive pages, such as e-banking portals, web cryptocurrency wallets, or email inboxes.

Furthermore, Chrome 70 will also be able to restrict extensions to a user click, meaning the extension won't execute on a page until the user clicks a button or option in Chrome's menu.

new-fine-grained-controls-for-chrome-extensions.png
Image: Google

Required 2-step verification

The fourth new rule is not for extensions per-se, but for extension developers. Due to a large number of phishing campaigns that have taken place over the past year, starting with 2019, Google will require all extension developers to use one of the two-step verification (2SV) mechanism that Google provides for its accounts (SMS, authenticator app, or security key).

With 2SV enabled for accounts, Google hopes to prevent cases where hackers take over developer accounts and push malicious code to legitimate Chrome extensions, damaging both the extension and Chrome's credibility.

Just today ZDNet reported on one of these latest phishing campaigns that have targeted developers of Chrome extensions.

New Manifest v3

The fifth and final list is a new guideline for the creation of manifest.json files. These files are used to hold instructions for how Chrome should treat and interact with the extension.

Version 3 of this new Manifest guideline will be introduced in 2019, and Google wants extension developers to be ready in advance of the rollout.

Also: Google Pixel 3 squeezy tease video hints at Active Edge CNET

The changes to Manifest v3 are related to the new features added in Chrome 70, and more precisely to the new mechanisms granted to users for controlling the extension permissions.

Google's new Web Store rules come to bolster the security measures that the browser maker has taken to secure Chrome in recent years, such as prohibiting the installation of extensions hosted on remote sites, or the use of out-of-process iframes for isolating some of the extension code from the page the extension runs on.

Related stories: