How to determine if a Google Chrome extension is safe
When it comes to online security, you can never be too careful. This guide isn't about antivirus programs, firewalls or VPNs though; it is about Chrome extensions.
Just because an extension is on the Chrome Web Store doesn't mean it is safe to use. There have been many cases of malicious add-ons being taken down after the fact, in some cases only after millions of Chrome users had installed them.
Note: The guide provides additional information on checking whether Chrome extensions are (likely) safe to use. You can check out Martin's guide on verifying Chrome extensions, and there especially the part on looking at the source.
How to determine if a Google Chrome extension is safe
We will focus on steps that you may undertake before installing extensions. It is often easier to determine that an extension is shady or outright malicious after you have installed it, as it may then cause visible unwanted changes or activity such as hijacking search engines, displaying advertisements or popups, or showing other behavior that was not mentioned in the extension's description.
Users who know JavaScript may also check the source of the extension. Check out Martin's guide linked above for information on how to do that.
Web Store page
Analyze the extension's listing and see if it rings any alarm bells. Broken grammar or English may seem like a warning sign, but since developers from all over the world publish extensions on the Store, many listings are written by non-native English speakers. Bad grammar or spelling mistakes alone should therefore not be used as an indicator. Irrelevant screenshots or very odd descriptions, on the other hand, are tell-tale signs of a malicious extension. These are quite rare though.
Logos
Malware developers resort to all sorts of tricks to infect users, and one of these is to use the logo (icon) of popular brands or applications. Sometimes people are fooled by these and think the extension is from the company that makes the actual software. Pay attention to the developer name and click on it to see their other extensions.
Developer's Website and Contact
Does the extension have its own web page? Visit it to learn more about it and maybe something about the developer. We recommend using a content blocker when visiting these sites to avoid issues if the site is specifically prepared to attack devices.
Not all extensions have a web page, but most do, at least for support requests/FAQs. Is there a contact option on the Chrome web store page which lets you email the developer? If there is one it's a good sign, but an absence of one doesn't mean it's a fake extension.
Privacy Policy
This is perhaps the most overlooked check. Who reads the privacy policy? You should, because unlike website registrations or software agreements, you're not shown the privacy policy for an extension when you install it. It may nevertheless exist as a loophole for the developer to get out of a legal dispute, should one arise: you accept the policy the second you install the extension.
Use Control + F to search privacy policies for words like data, collect, track, personal, etc. Your browser highlights the sentences which contain the word, and you should read what they say.
If the policy is upfront about the data they collect, consider whether it's worth using the extension at the cost of your privacy. I'll give you a hint: It's never acceptable.
Obviously, developers and companies with ill-intent may add whatever they like to the privacy policy.
Permissions
When you click the install button, read the pop-up which lists the permissions the extension requires. Permissions may give important clues: an add-on for a visual enhancement (like a theme) shouldn't require permissions like "Communicate with cooperating websites". That means it could be sending data, including your personal data, to some server.
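The same permission clues can be read straight from an extension's manifest.json (the file in the unpacked extension folder, or inside the downloaded .crx). The script below is an added example, not the article's own tooling: the list of sensitive permissions is a hand-picked selection for illustration, and the sample manifest of a supposed "dark theme" extension is constructed.

```python
import json

# Permissions that let an extension read or alter browsing data. This list is
# a hand-picked selection for illustration, not an official Chrome ranking.
SENSITIVE = {
    "tabs": "read URLs and titles of every open tab",
    "history": "read browsing history",
    "cookies": "read and modify cookies",
    "webRequest": "observe network requests",
    "webRequestBlocking": "intercept and modify network requests",
    "nativeMessaging": "talk to native programs outside the browser",
    "management": "list and control other extensions",
}
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

def review_manifest(manifest: dict) -> list:
    """Return human-readable findings for a parsed manifest (MV2 or MV3)."""
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = list(manifest.get("host_permissions", []))   # MV3 location
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]  # MV2 location
    for p in sorted(perms & SENSITIVE.keys()):
        findings.append(f"permission {p!r}: can {SENSITIVE[p]}")
    for h in hosts:
        if h in BROAD_HOSTS:
            findings.append(f"host access {h!r}: can read and change every site you visit")
    for cs in manifest.get("content_scripts", []):
        broad = [m for m in cs.get("matches", []) if m in BROAD_HOSTS]
        if broad:
            findings.append(f"content script {cs.get('js')} runs on {broad}")
    # A CSP that allows remote script sources lets behaviour change after review.
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):            # MV3 uses a dict keyed by context
        csp = csp.get("extension_pages", "")
    if "http" in csp:
        findings.append(f"CSP allows remote script sources: {csp!r}")
    return findings

# Constructed sample manifest for a supposed "dark theme" extension.
SAMPLE = json.loads("""{
 "manifest_version": 3, "name": "Dark Theme Demo", "version": "1.0",
 "permissions": ["storage", "tabs", "webRequest"],
 "host_permissions": ["<all_urls>"],
 "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]
}""")

if __name__ == "__main__":
    for finding in review_manifest(SAMPLE):
        print("!", finding)
```

A theme that needs none of these should produce an empty list; every line the script prints is a question to put to the listing, the privacy policy or the source before installing.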
Reviews
Reviews can be big red flags if you know how to tell legitimate ones apart from fake ones. Does an extension have reviews? Are they all 5-star reviews? That's suspicious. Look at the publishing date of each review; if they were all posted on the same day, it may be fishy. Look at the text as well: if the reviews look more or less the same, or if the usernames only contain random characters, alarm bells should go off and you should look deeper.
Take a look at the screenshot here. What do you see?
Did the reviewers copy/paste the comment? It's possible, but that wasn't the case here. The extension had multiple reviews which used the same comments over and over. In fact, there was more than one review left by the same user. Is it possible the extension hijacked the user to post these reviews? Or were they paid for? Regardless, I'd recommend avoiding such extensions to be on the safe side.
It may be a good idea to check whether the developer has responded to any of the user reviews. Go over the next few pages as well.
Search for similar extensions, watch out for the clones
The screenshot which you saw above is actually not from the original extension. I bet you weren't expecting that. It was from a clone of another extension: similar name, same features, slightly different description, identical privacy policy.
It was alarming. The worst part was that the original add-on was about 2.15 MB in size while the clone was about 4.26 MB. If it was a clone, what is the extra size for? That is scary. So search the web store using similar keywords (or the name of the extension) and check out the results. Look at each add-on's published date; the older one is obviously the original.
Again, if you know JavaScript, you could analyze the code to find out why the clone is nearly double the size of the original. It could be something as simple as an uncompressed image used as a logo, or additional code that may be used for malicious or invasive practices.
Open Source
If the extension is open source, it is more likely to be safe. But I wouldn't take it for granted. Go to the page where the source code is published to see if it actually exists, and check when the last commit was made there. If the extension was updated recently but the source code wasn't, the extension may no longer be open source and possibly open to privacy and security issues.
Search across Social networks
You could try Googling the extension's name to see whether users have posted issues, recommendations or reviews on social networks. This gives you an idea of the extension's real-world usage.
If you do come across suspicious extensions, do yourself and everyone a favor, and report it to Google.
Some of the tips mentioned here aren't restricted to Chrome extensions; they apply to extensions for other browsers such as Firefox as well.
I want to apologise for that screed. I was annoyed last night by the general state of browsers and their privacy (or lack of it) and I projected that annoyance on to you. I’m sure you’re doing your best to help users out, and here I am kicking you in the nuts for it. Sorry :-(
You should have just re-published Martin’s guide which has actionable tips rather than this bunch of vague, flawed heuristics.
Example: Your comments about the Chrome Web Store/AMO. Why even mention broken English if you’re going to contradict yourself in the next sentence? Broken English is an indicator that the person who wrote it is a non-native English writer, but not much more. Yes, it’s a useful heuristic if you get an email out of the blue, that claims to be from the FBI or tax inspectors demanding you pay a fine, but that’s not the case here. Context matters. Moreover, it carries the dangerous implication that all well written English is trustworthy.
Similarly flawed is the advice to derive meaning from reviews. As ULBoom points out, the reviews are pretty much worthless because they’re graded on a single dimension (good to bad) and the score is a simple average i.e. there’s no nuance because there is no incentive for the reviewers to be nuanced. If I want my little nit-pick about an extension to be handled quickly, a one-star review will be read far faster than a three-star review. You see the problem, right? Sure read the review but look for verifiable information, and don’t get swept up in the emotions, good or bad.
Most of your points can be picked apart because fundamentally they are only common sense rules-of-thumb, not actual ways to find evidence of nefarious intent. Even so, I’m not saying that you’re wrong in all cases. I look for many of the same things, but you’re giving people a false sense of security which is arguably worse than writing nothing. Your smell tests are a start, but they’re not the full answer. Martin’s article is far closer.
Reviews are bizarre, almost worthless in both the Chrome Store and AMO.
They seem to be either “AMAZING!!!! Best thing since water was invented!!!” or “Piece of #*&$!!!! My expensive gaming desktop LITERALLY exploded when this was installed!!!!”
Figure 1 on page 3 of this study from 2017/2018 shows the f-droid.org store for open source android apps has the lowest percentage of malware.
Source: https://nsl.cs.waseda.ac.jp/wp-content/uploads/2018/04/submitted_wama2017.pdf
PS: Getting a message that I am posting comments too quickly, for the first post I am posting in weeks.
You forgot the most important one, manifest.json file.
good one!
Good recommendations, Ashwin.
Thank you!
I wish there was a trusty website, Linux app/prog, or a Chrome extension (gasp!) that would do a complete check/scan of some of these safety recommendations at once (instead of having to visually check every JS/JSON file of a new Chrome ext. w/the ext. recommended by Martin, above). This is an idea similar to using the VirusTotal site to scan a file, online. A “VirusTotal” site to safety-scan a new Chrome ext. before you install it… Just an idea… any opinions?
“Permissions may give important clues.”
Article suggestion: how to grant permissions (for browser extensions, phone apps…). To this ordinary user, permissions are a crook’s tricks. Software pretends to be well-behaved and polite: it asks for permissions.
But how would you know what permissions are safe to grant? And what if you deny them? Sorry, we can’t provide the expected result, that was for your own good.
How would you know? Easy. Educate yourself, don’t rely on others to do the work for you.
Sorry, but this is a completely unhelpful and silly answer, and a rude one, on top of that.
Especially coming from someone who does not even bother to use a pseudonym.
‘How to determine if Google Chrome is safe’ >>> There, i fixed it for You.