Google Chrome will strictly review extensions to improve security from next year

From time to time, malicious programs that hijack users or collect their information are found in the Google Chrome Store and the Play Store.

In response, Google is preparing to introduce a more rigorous security review mechanism for extensions next year, while enabling two-step verification for developer accounts to prevent account theft.

Code obfuscation, the technique malware developers use most often, will also be banned, even though it helps legitimate developers protect their applications.

Here are a few of Google's specific measures:

1. Allow developer accounts to set up 2-step verification for login. Each time a developer logs in to the back-end management interface for their extension, the 2-step verification code must be entered.

In the past few years, there have been many cases of hackers hijacking developer accounts. The primary method is to trick developers out of their passwords through phishing websites.

If a hacker successfully obtains the developer account and password, they immediately update the extension to include a backdoor that hijacks users or pops up phishing websites.

After 2-step verification is enabled, even if a hacker obtains the developer account and password through a phishing website, they will not be able to log in to the management interface to upload a malicious version.

2. Developers are prohibited from obfuscating their extension code, and extensions that need to invoke external components of the browser will be reviewed more rigorously.

Code obfuscation was originally a technique developers used to protect their code. Obfuscated code is harder to read, which helps prevent it from being stolen.

But more and more malicious extensions use code obfuscation to evade analysis by Google and external researchers, so that they can survive for a long time after being listed in the store.

According to Google, more than 70% of malicious extensions use code obfuscation techniques, so obfuscation is being prohibited in order to detect malicious extensions faster.

3. Strictly control extension permissions. Extensions must specify which permissions they require, and users are allowed to review an extension's permission calls each time. This initiative is primarily meant to prevent rogue extensions from invoking permissions to collect users' history or other information without their consent.

For extensions that need special permissions, Google will let the user choose to be asked each time; that is, each time the extension needs to use the permission, a pop-up prompt is required.

This replaces the model in which the user clicks to agree once and then sees no further pop-up notifications, which leaves users unable to remember what information some extensions collect.