Google is expanding its privacy audit to make third-party developer access to Chrome and Google Drive more secure.
To that effect, developers must rework their Chrome extensions to request only minimum permissions without compromising their functionality
“We’re requiring extensions to only request access to the appropriate data needed to implement their features,” Google outlined on its Safety and Security page. “If there is more than one permission that could be used to implement a feature, developers must use the permission with access to the least amount of data.”
Google is also requiring extensions that “handle personal communications and user-provided content” to post privacy policies in the Chrome Web Store.
The company has given extension developers 90 days to correct the permissions, failing which they risk having their extensions disabled in users’ browsers.
Google’s new policy for Chrome browser is set to officially go live later this fall. It has said it will share more details — including the exact enforcement date — over the summer.
On top of that, the search giant is announcing a similar access control policy for its file storage and synchronization service, Google Drive. It said it will be limiting “apps that use Google Drive APIs from broadly accessing content or data in Drive.” Instead, they will be required to access only the files they need.
The changes go into effect early next year, it said. The new rule is also somewhat similar what Google rolled out for Gmail last October.
The new privacy protections are part of an ongoing effort that Google calls Project Strobe. The audit was put in place last October to improve user privacy and security on Google and Android devices by reviewing third-party developer access to your data.
Strobe, for example, was pivotal in detecting a serious bug in the now defunct Google+ that exposed personal details of over 500,000 users. The initiative is also meant to tighten its policies by offering you more controls over what data third-party apps can access in Gmail, Drive, and other Google services.
Google is known for its robust account security when compared to its peers. But it also clearly recognizes that the open nature of its platform and giving third-parties access to your data can be a security loophole.
In addition, not all developers build their apps with security practices in mind. By doing so, they are unintentionally exposing your data to rogue parties. The changes announced Thursday will go a long way towards addressing those concerns.