Are chrome extensions saved securely? How can I encrypt them? - google-chrome

I have been developing a chrome extension and now I want to create version 2 with database support. For this I am going to use Firebase.
I need to create a file in my extension where I add the details about the firebase connection, api key and url etc..
After reading this question: Where does Chrome store extensions?
I went to look for mine. and boom there it was. I could open the files for the extensions and see the details I added about my firebase connection.
However, I am unsure as to whether I could see it because I am the developer and its on my machine. I do not like the idea of having my access keys available nor url.
Not that I think anyone would sabotage it, but I would hate to be billed for over usage of my requests etc..

Related

Saving files on local machine by Chrome app

My chrome app needs to save a file with human-readable or standard format such as SQLite (It should be readable outside Chrome).
Is there any API suitable for this purpose?
Some files with .localstorage extension (SQLite format) are in Chrome\User Data\Default\Local Storage folder. Is it possible to create such files by the app?
Edited: The app should not ask user for extra permission.
Thanks for your consideration.
chrome.fileSystem API is what you need.
You will need to ask the user at least once where to save the file, but then you can retain the entry to write again to the same file/folder.
There is no way around asking the user to "escape the sandbox".
You'll want to use the Quota Management API. This is per-origin storage, and you request specific amounts of quota.
It sounds like you also want your users to open the files directly? There's an HTML5 filesystem explorer Chrome app that you can use. It'll show you the files, and you can figure things out from their URLs (e.g. I'm currently using filesystem:http://localhost:8000/temporary/bar for a local experiment).
Or are you looking for something more user friendly? I think you have to use file save in that case, the same way Google Drive does.

Can chrome extension modify a file in our hard drive?

I am making a chrome extension which needs to add/delete/modify file in any location in our hard drive. The location can be temporary folder. How is it possible to make it. Please give comments and helpful links which can lead to me have this work done.
You can not, but adding a local server (nodejs/deno/cs-script/go/python/lua/..) to have a fixed logic (security) to do file stuff and providing a http server to answer back in an ajax/jsonp request would work.
The extension will not be able to install the software part.
edit: if you want to get started using nodejs, this could help
edit2: With File and Directory Entries API (this could help) you can get hold of a FILE OR complete FOLDER (getDirectory(), showDirectoryPicker()).
Thankfully, this is impossible.
Google or any other company wouldn't have many friend if their extension(s') installation caused compromise including complete control over any files(ie. control over machine) on your hard drive. The extension can save information to disk in a location that is available for storing local information as mentioned. You will not have any execute permission on the root or anywhere nor will you have any read or write permission outside of the storage location.
However, extensions can still be malicious if they gather information from a user of a web page (I am sure that Google can filter some suspicious extensions).
If you really need to make changes on your hard drive you can store information on a server and poll for changes with a windows client application or perhaps you can find where the storage information is kept and access it from there from a windows app.

Custom Extensions on Managed Chromebooks

I am a developer looking for the best way to set up different schools with their own custom, private extensions (ie School A should be the only one with access to Extension A). Theoretically, I am aware that there are a few ways to get a custom, private extension pushed out on a domain:
Host the .crx on a server and click "Specify a Custom App" in the management console.
Create a Domain App by uploading a zip to the Chrome Web Store
Upload the extension from my developer account to the Chrome Web Store and publish to a single "trusted tester," or make it unlisted
Option (1), hosting the .crx, has not been working. I am not sure why, but the extension is simply not pushing out. I link directly to the crx file, which has the right ID and MIME type, still, no dice. If anyone has any tips or suggestions for getting this to work, I would love to hear them!
Option (2), having the school create a domain app, seems a bit inefficient because it requires all schools to upload their own zip. So essentially I would have to email a zip file to the school, and have them publish it. All updates to the extension will also require a similar process, so this doesn't seem ideal.
I doubt that option (3) would work. If I published to the admin as a "trusted tester", I don't think that the other people in the domain would be able to access it. If it is unlisted, I do not know how an admin could find it in the Chrome Web Store dialog. Also, I would rather avoid security through obscurity.
Has anyone had success with hosting the extension and using the Specify a Custom App feature? Any other suggestions for getting a Custom Extension pushed out by the management console? Thanks so much!
To get option (1) working from the management console, it is important to specify the correct extension id and a valid update xml url (not a crx).
One useful feature Google offers that you can use is getting the extension id and the version from the update request.
For instance, you can create a update.php file that outputs an xml file specific to each extension and version. See http://developer.chrome.com/extensions/autoupdate.html under "Advanced Usage".
For more info on packaging an app or extension for managed chromebooks, see https://support.google.com/chrome/a/answer/2714278?hl=en.

Cloud Storage Download Appears to Be Malicious

I uploaded a utility in the last few days to google cloud storage.
It's a zip file containing two executables and a readme file.
I tested the download and it worked fine. I then looked into how I could see the download stats and yesterday I enabled logging.
I posted the link to a mailing list this afternoon and clicked it to verify that I had the right link and the download in chrome reports "xxx.zip appears to be malicious".
This did not happen prior to when I enabled logging, but I don't know for sure that is what caused it.
I am using a CNAME alias for the download, and I am a paying google apps customer.
The executables are not malicious in any way. They are simple utilities for doing replacements in text files. They do not access the network at all.
My question is "Why is my zip file being reported as malicious?" and is there any way to remedy this situation?
I looked around for a solution to this problem and I found the following advice:
1) Sign your EXEs. As it turns out, this advice is incorrect. While it has worked for some people, there are people who report that even signed executables are reported as malicious downloads.
2) Use SSL. SSL access is not available for google cloud storage unless you use the commondatastorage.googleapis.com or sandbox.google.com URLs. While this does might work, it doesn't resolve my problem.
3) Use the commondatastorage.googleapis.com URL. This works. The same file using the commondatastorage.googleapis.com url rather than my custom CNAME record does not report that it "appears malicious".
4) Register your site with Google Webmaster Tools. Getting around Chrome's Malicious File Warning According to this stackoverflow entry, the solution is to sign up for Google Webmaster Tools and add your site.
I have tried this one, but it has not made a change just yet. Because this is google cloud storage and not a main site, I added an index.html page, a 404 page, and ran the gsutil commands to enable web configuration within google cloud storage. I added the site to Webmaster Tools and additionally added it to Google Analytics.
I'll give solution 4 a few days to see if it pans out.
It seems like this is more of an issue with Google Chrome and not necessarily Google Cloud Storage. Chrome's methods for identifying malicious files are less than desirable right now.

Storage of passwords in Google Chrome Extension

I started reading Google Chrome's documentation, and liked it's approach of using HTML and Javascript to create extensions. Reading this tutorial about Local Storage made me think about a lot of different uses.
I want to develop an extension to help me with corporate systems. It's very specific, and it's only going to be used inside a company.
This extension would do some activities to this corporate system, using javascript DOM, with just one click on Google's Chrome toolbar. To work with just one click, the extension needs to store a password in Chrome: so if you restart your system, you don't need to enter it again.
How do I do that? Persist a password in a Google Chrome extension to login to another system? I don't want to store it in "plain text", I would like to at least use some kind of encryption (maybe a Google Chrome API with this resource).
Is it possible? How do I persist this data with Google Chrome's extensions structure (best way)?
You could encrypt and store a user’s password with localStorage (or the Web SQL Database API). But not very securely. Anyone who gained access to the user’s computer could retrieve the ciphertext, pluck the encryption algorithm out of your extension source, and determine the plaintext password.
If feasible, here are a couple more bulletproof solutions:
Piggyback on the user logging into a web interface. For an example, see the Google Mail Checker.
Connect to the services through OAuth (or a similar authorization scheme). For an example, see the Google Wave Notifier.