Google is blocking all Chrome extensions not downloaded from its sanctioned Web Store. Not only will installations be blocked, but even existing extensions in your browser may be removed if not approved.
The action is likely a response to the realization that Google's support for extension development is increasingly being abused to distribute malware. According to the company's blog post:
“From now on, to protect Windows users from this kind of attack, extensions can be installed only if they’re hosted on the Chrome Web Store. With this change, extensions that were previously installed may be automatically disabled and cannot be re-enabled or re-installed until they’re hosted in the Chrome Web Store.”
The issue was relevant for Bitcoin-related apps like KryptoKit, which recently went through a nail-biting experience when it was inexplicably made unavailable for download and removed from browsers for “unspecified ToS violations”, only to be reinstated hours later. The action angered and concerned many who couldn’t access their extension-based bitcoin wallets. Google later clarified that the removal was a security precaution. A malware developer hoping to steal private keys had developed a malicious extension based on the KryptoKit codebase. In detecting the malware, Google inadvertently removed the legitimate version as well. When the issue came to light, KryptoKit was reinstated.
Google’s new policy should pre-empt such occurrences in the future.
Perhaps a bigger challenge will be the policing of the Google Play Store for Android apps. Google had to remove several apps posing as novelty wallpaper which covertly mined bitcoins on mobile devices. These apps came right from the Play Store, not a third party. According to one study, the incidence of malicious apps introduced to the Play Store increased 388% between 2011 and 2013. Google currently uses “Google Bouncer” as an automated tool to block repeat offenders.
For developers building bitcoin-related extensions who are concerned about the potential inconvenience caused by the policy, Google writes:
“For developers, we’ll continue to support local extension installs during development as well as installs via Enterprise policy. And if you have a dedicated installation flow from your own website, you can make use of the existing inline installs feature.”