Thursday, 26 May 2011

Chrome app security model is broken

I’m worried. I’m worried for a lot of users who’ve installed Chrome Apps. I was idly browsing the Apps in the Chrome web store the other day and came across the popular Super Mario 2 app on the front page (over 14k users). I have to admit, I actually installed the app (extension) myself, so let me explain the user (and security) experience.

I saw the big splash screen for the flash game and thought I’d give it a try. There is a big install button (see picture). Installation is pretty instantaneous. As I looked at the screen, I saw the box to the bottom right. “This extension can access: Your data on all websites, Your bookmarks, Your browsing history”. I think I can legitimately give my mental response as “WTF!?! This is a game! What does it need access to all this for?”. I then immediately took steps to remove the app.

Removing the app

Disabling and removing the app was not as straightforward as you would think, which was also quite annoying. The Chrome web store also includes ‘extensions’ to Chrome (the extensions gallery), and it is not obvious to a user where these are installed. In fact, you have to go to settings->tools->extensions to do anything about them. Normal installed Chrome apps are listed when you open a new tab (Ctrl-T), but this is not the case for extensions.

Permissions by default

Having removed the app, I set about investigating precisely what I had exposed this app to and the implications. Under the “Learn more” link, I found a full description of permissions that could be allowed by an application. I had to cross-reference these back to what the app / extension had asked for. The picture below shows the permissions (expanded) for the Super Mario 2 game.

I don’t want to go into great detail about the ins and outs of what some people would term “informed consent” or “notified consent”, but the bottom line is that a hell of a lot is being given away with very little responsibility on Google’s part. After all, to the average user, the Chrome ‘chrome’ is an implicit guarantor of trust. A Google app store, the apps must have been checked out by Google, right?

I also won’t go into the top line “All data on your computer…”, which installs an NPAPI plug-in and is essentially game over in terms of access to your computer. To be fair to Google, their developer guidelines (below) state that any applications using this permission will be manually checked by Google. However, there is an implication there that the other applications and extensions aren’t.

So let’s concentrate on the permissions that are requested by the game. 

  1. The first one, ‘Your bookmarks’ allows not only reading, but modification and additions to your bookmarks. Want setting up for something anyone? A legitimate link to your bank going to a phishing site?
  2. The second item, ‘Your browsing history’ for most people is going to reveal a lot. Very quickly, a motivated attacker is going to know where you live from your searches on Google Maps, illnesses you’re suffering and so on. There is a note here that this permission request is ‘often a by-product of an item needing to open new tabs or windows’. Most engineers would call this, frankly, a half-arsed effort.
  3. The third item, ‘Your data on all websites’ seems to give permission for the application to access anything that I’m accessing. Then, the big yellow caution triangle: ‘Besides seeing all your pages, this item could use your credentials (cookies) to request your data from websites’. Woah. Run that one by me again? That’s a pretty big one. So, basically your attacker is home and dry. Lots of different types of attack exist to intercept cookies which will automatically authenticate a user to a website. This has been demonstrated against high-profile sites such as Twitter and Facebook by using tools such as Firesheep. Given that it is a major threat vector, surely Google would have properly considered this in their permissioning and application acceptance model?
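
To make the three warnings above concrete, the following added example (not from the original post and not Chrome's own code) derives them from an extension's manifest.json. The manifest keys (`permissions`, `content_scripts`, `plugins`) and the `bookmarks`, `history` and `tabs` permission names belong to Chrome's extension manifest format rather than to this post; both sample manifests are constructed.

```javascript
// Added example, not Chrome's own code: derive the install-time warnings
// quoted in this post from an extension's manifest.json.
const API_WARNINGS = new Map([
  ["bookmarks", "Your bookmarks"],
  ["history", "Your browsing history"],
  ["tabs", "Your browsing history"], // requested merely to open or inspect tabs
]);
const ALL_SITES = "Your data on all websites";
const NPAPI = "All data on your computer…"; // wording as truncated in the post

// True for match patterns covering every host: <all_urls>, http://*/*, *://*/*
function coversAllHosts(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\/.*$/.test(pattern);
}

function auditManifest(manifest) {
  const warnings = new Set();
  const patterns = [];
  for (const p of manifest.permissions || []) {
    if (API_WARNINGS.has(p)) warnings.add(API_WARNINGS.get(p));
    else if (p === "<all_urls>" || p.includes("://")) patterns.push(p);
  }
  // Content scripts are injected into matching pages, so their patterns count.
  for (const cs of manifest.content_scripts || []) {
    patterns.push(...(cs.matches || []));
  }
  if (patterns.some(coversAllHosts)) warnings.add(ALL_SITES);
  if ((manifest.plugins || []).length > 0) warnings.add(NPAPI); // NPAPI plug-in
  return [...warnings].sort();
}

// Constructed manifest for a hypothetical game that over-asks.
const gameManifest = {
  name: "Example Game", version: "1.0",
  permissions: ["bookmarks", "tabs", "http://*/*", "https://*/*"],
};
// Constructed manifest scoped to one site: none of the broad warnings apply.
const narrowManifest = {
  name: "Example Helper", version: "1.0",
  permissions: ["https://maps.example.com/*"],
};

console.log(auditManifest(gameManifest));
console.log(auditManifest(narrowManifest));
```

Run against an unpacked extension's manifest before installing or approving it, this gives a quick check of whether the requested access matches what the item claims to do.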

It’s pretty obvious how potentially bad the Mario extension could be, particularly when this is supposed to be just a Flash game. What really irks me though is the ‘permissions by default’ installation. You click one button and it’s there, almost immediately with no prompt. Now, I’m not the greatest fan of prompts, but there are times when prompts are appropriate and install time is actually one of them. It gives me the chance to review what I’ve selected and make a decision, especially if I hadn't spotted that information on a busy and cluttered webpage. I hear you all telling me that no-one reviews permissions statements in Android apps, so why would they do it here, and yes, I partially agree. Human behaviour is such that if there is a hurdle in front of us and the motivation to go after the fantastic 'dancing pigs' application is sufficiently high, we'll jump over the hurdle at any cost. There is also a danger that developers will go down the route they have with Facebook applications - users accept all the permissions or you don't get dancing pigs. Users will more than likely choose dancing pigs (see here for more info on dancing pigs).

The beauty of a well designed policy framework

So we're not in an ideal world and everyone knows that. I firmly believe that there is a role for arbitration. Users are not security experts and are unlikely to make sensible decisions when faced with a list of technical functionality. However, the user must be firmly in control of the ultimate decision of what goes on their machine. If users could have a little security angel on their shoulder to advise them what to do next, that would give them much more peace of mind. This is where configurable policy frameworks come in. A fair bit of work has gone on in this area in the mobile industry through OMTP's BONDI (now merged with JIL to become WAC) and also in the W3C (and sadly just stopped in the Device APIs and Policy working group). The EU webinos project is also looking at a policy framework. The policy framework acts in its basic sense as a sort of firewall. It can be configured to blacklist or whitelist URIs to protect the user from maliciousness, or it can go to a greater level of detail and block access to specific functionality. In combination with well-designed APIs it can act in a better way than a firewall - rather than just blocking access it gives a response to the developer that the policy framework prevented access to the function (allowing the application to gracefully fail rather than just hang). Third party providers that the user trusts (such as child protection charities, anti-virus vendors and so on) could provide policy to the user which is tailored to their needs. 'Never allow my location to be released', 'only allow googlemaps to see my location', 'only allow a list of companies selected by 'Which?' to use tracking cookies' - these are automated policy rules which are more realistic and easy for users to understand and which actually assist and advance user security.
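
The decision logic described above, sketched as an added example that is not from the original post or from any of the frameworks named: rules are matched on origin and feature, and a denial reaches the application as an error it can catch. The rule format, `PolicyDeniedError`, `decide`, `guard`, `showMap` and the sample origins are hypothetical.

```javascript
// Added example: a minimal policy decision point. Rule format, names and
// sample origins are hypothetical, not BONDI, WAC or webinos syntax.
class PolicyDeniedError extends Error {
  constructor(feature, origin) {
    super(`policy denies ${feature} for ${origin}`);
    this.name = "PolicyDeniedError";
  }
}
// Constructed user policy; the first matching rule wins.
const userPolicy = [
  // 'only allow googlemaps to see my location'
  { feature: "geolocation", origins: ["https://maps.google.com"], effect: "allow" },
  { feature: "geolocation", origins: ["*"], effect: "deny" },
  { feature: "*", origins: ["https://tracker.example"], effect: "deny" },
];

function decide(policy, url, feature) {
  // Compare parsed origins, not string prefixes (maps.google.com.evil.example).
  const origin = new URL(url).origin;
  for (const rule of policy) {
    const featureHit = rule.feature === "*" || rule.feature === feature;
    const originHit = rule.origins.includes("*") || rule.origins.includes(origin);
    if (featureHit && originHit) return rule.effect;
  }
  return "prompt"; // no rule matched: the user makes the final decision
}

// Wrap a device API so a denial reaches the caller as a typed error.
function guard(policy, feature, impl, askUser = () => false) {
  return (callerUrl, ...args) => {
    const effect = decide(policy, callerUrl, feature);
    const ok = effect === "allow" || (effect === "prompt" && askUser(callerUrl, feature));
    if (!ok) throw new PolicyDeniedError(feature, new URL(callerUrl).origin);
    return impl(...args);
  };
}

const getLocation = guard(userPolicy, "geolocation", () => ({ lat: 51.5, lon: -0.12 }));
// An application degrading gracefully instead of hanging.
function showMap(callerUrl) {
  try {
    return `centred on ${getLocation(callerUrl).lat}`;
  } catch (e) {
    if (e instanceof PolicyDeniedError) return "location unavailable";
    throw e;
  }
}
console.log(showMap("https://maps.google.com/maps"), "|", showMap("https://news.example/"));
```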

Lessons for Google

Takedown - Looking at some of the comments from users on the Super Mario game, it is pretty clear people aren't happy, with people mentioning the word virus, scam etc. The game has been up there since April - at the end of May, why haven't Google done anything about it? The game doesn't seem to be official, so it is highly likely to be in breach of Nintendo's copyright. Again, why is this allowed in the Chrome web store? Is there any policing at all of the web store? Do Google respond to user reports of potentially malicious applications in a timely manner?

Permissions and Access - You should not have to open up permissions to your entire browsing history for an application to open a new tab! This is really, really bad security and privacy design.

Given what is happening with the evident permissiveness of Android and the Chrome web store, Google would do well to sit up and start looking at some better solutions, otherwise they could be staring regulation in the face.


I mentioned this to F-Secure’s Mikko Hypponen (@mikkohypponen) on Twitter and there were some good responses from his followers. @ArdaXi quite fairly pointed out that just to open a new window, a developer needed to request the Chrome permission to access ‘Your browsing history’ (as discussed above). @JakeLSlater made the point that "google seem to be suggesting content not their responsibility, surely if hosted in CWS it has to be?" - I'm inclined to agree, they have at least some degree of responsibility if they are promoting it to users.

I notice that Google seem to have removed the offending application from the web store too. I think this followed MSNBC's great article "'Super Mario' runs amok in Chrome Web app store" after they picked up on my link through Mikko. I think it may be fair to say that the extension has been judged malicious.


  1. I enjoyed reading this article. I do like how Google is promoting security and setting a standard that others in their business need to adopt. For example, their recent implementation of two-factor authentication was a major step in the right direction, and something that all companies providing Web based services need to be doing.

    However, one area they have dropped the ball in is apps for Android and Chrome. For one, the permissions of apps need to be much more granular. It shouldn't be "this app needs to open a tab so we're going to allow it to access your entire browsing history." I just don't get that.

    Also, I think every app should be reviewed by individuals. I have a hard time believing that a company the size of Google can't hire a few people to review apps. If they don't want to do that then they need to start putting limitations on what apps can do.

    I understand that reviewing every app may be an unrealistic goal, so perhaps they could have a process in place for white listing companies that complete a validation process or are considered reputable. But if it is an app written by an individual or an unknown company then it needs to be reviewed--at least with the current structure of apps where they are allowed to virtually roam free once they have been installed.

  2. I also enjoyed reading this article. I like to get hold of stuff like this, then Facebook people that I know will be helped with this stuff. I don't want anyone to get harmed. I know what it does if you get any viruses on a PC or notebook. I wish the people that do it would see that they don't just kill big companies but small people too; sometimes you lose information that you need.

  3. OMG! I'm little scared to see this as I have a habit of installing all the extensions available on chrome store. I just thought that these extensions were checked before getting uploaded. Thanks for sharing your experience so that many people can be aware of installing them. Keep posting.

  4. Hello, great post. I have little bit. I was having such a great amount of issue with a message in Firefox "not responding" that I moved over to Chrome. The thing is I now get the same message, then the notice that Identity Safe has crashed. I suspect that it's the same issue on FF, yet Chrome is providing me better notifications of the reason. So NIS is crashing in Chrome - yellow bar with black puzzle piece. Thank you.

  5. I have been using Google Chrome for the last 3 years. Never had a problem other than once in a while the Shockwave plug-in freezes.

  6. Hi! Given what is occurring with the obvious tolerance of Android and the Chrome web store, Google would do well to sit up and begin looking at some better arrangements, or else they could be gazing regulation in the face. Thanks all!!!

  22. Malware can change how browsers work by noiselessly installing extensions on your machine that do things like infuse ads or track your browsing activity. On the off chance that you see peculiar ads, broken web pages or drowsy browsing in the wake of installing some new software or plugins, you could be influenced.