Google on Thursday announced plans to tighten its requirements for developers of Chrome extensions and apps that utilize the Drive API as part of a previously announced re-evaluation of third-party access to Google user data.
The Chocolate Factory said that in the fall Chrome extensions will only be allowed to request the narrowest possible permissions to implement app functions, a change intended to preclude the sort of unrestrained data harvesting evident in Facebook's Cambridge Analytica scandal.
Concern about Facebook-scale victimization at the hands of disingenuous app devs led Google to enact Project Strobe, an audit of developer API access that put the final nail in the Google+ coffin last year.
The permission limitation, implemented as a Chrome Web Store policy, echoes similar measures that have been applied to Android and Gmail developers. For example, it will prevent a developer from creating a Chrome extension that declares the "bookmarks" permission in order to have access to the
chrome.bookmarks API if the plug-in app has no legitimate need to access that data.
Early next year, the Drive API will fall under the same rules applied to the Gmail API back in January. For developers with apps that utilize restricted scope APIs and also store data outside of Drive (e.g. Google Cloud, Firebase, or an external server), a security assessment will be required that "may cost between $15,000 and $75,000 (or more) depending on the complexity of the application."
G Suite'n'sour: Google resets passwords after storing some unhashed creds for months, yearsREAD MORE
As with Gmail app developers, some small startups may not be able to afford the cost of compliance.
"Our top priority is to protect user data and keep it safe, while continuing to enable developers to build features that people want and need," explained Ben Smith, VP of engineering, in a blog post.
"As we continue the work of Project Strobe, we’ll also work with our developer partners to give them appropriate time to adjust and update their apps and services."
The Chrome Web Store policy changes and Drive API restrictions occur amid a related API rethink for the Chrome Extensions platform called Manifest v3. Google insists the goal is "to create stronger security, privacy, and performance guarantees." And certainly, its extension platform would benefit from all of those.
Among a variety of other changes Google has in mind, the biz is limiting the
webRequest API – a move developers claim will limit content blocking capabilities. A replacement is planned, the
declarativeNetRequest API, which will provide a way for apps to interface with Chrome without the arguably dangerous level of access to network requests enabled by the
It's a controversial modification because Google failed to get buy-in before previewing changes that affect its developer community. Also, it raises eyebrows when an ad company proposes changes that break ad blockers and privacy extensions without any commitment that these apps can be adapted to the new regime. ®