In a blog post Monday, Google's manager of Chrome extensions, James Wagner, outlined some policy changes for extensions offered in the Google Chrome Web Store. He wrote:
"We've recently taken a number of steps toward improved extension security with the launch of out-of-process iframes, the removal of inline installation, and significant advancements in our ability to detect and block malicious extensions using machine learning."
The changes seem to have the goal of narrowing permissions for extensions, and also making the purpose of extensions more transparent. At least one of the changes will likely reduce the incidents of cryptojacking, a problem the Chrome Web Store has previously grappled with.
In April, Wagner announced the store was banning all crypto mining extensions. Prior to that, mining extensions had been allowed, but only if users were adequately informed of the extension's intent and mining was the extension's single, express purpose. He wrote then, "Unfortunately, approximately 90% of all extensions with mining scripts … have failed to comply with these policies, and have been either rejected or removed from the store."
The recent policy update says that extensions with obfuscated code will no longer be allowed in Chrome Web Store. Obfuscation conceals the source code of an extension, making it possible to hide functionalities, possibly malicious ones, such as those that could be used for cryptojacking, from the users who download the extension. Wagner writes:
"Today over 70% of malicious and policy violating extensions that we block from Chrome Web Store contain obfuscated code. At the same time, because obfuscation is mainly used to conceal code functionality, it adds a great deal of complexity to our review process."
While code obfuscation can be used to hide the real intent of a piece of malicious software, it does have a legitimate purpose of preventing a piece of code from being copied, thereby protecting a developer's intellectual property. However, Google no longer believes this protection is effective enough to justify the possible dangers of obfuscation. According to Wagner:
The post says that developers may continue to update extensions with obfuscated code for the next 90 days. However, all extensions must comply with the new requirements by January 2019.