Google is clamping down on the Chrome Web Store’s spam and security issues

Google has had almost as many problems with the Chrome Web Store as with the Play Store. The store, which hosts both extensions for the Chrome web browser and legacy Chrome ‘apps’ (some of which are little more than bookmarks), has had many issues over the years with malware and untrustworthy developers. Google is now starting to enforce a few additional rules for Chrome Web Store developers, which should cut back on spam and some security problems.

Google said in an email to Chrome Web Store developers, “Over the years we’ve made a number of product and policy improvements to help ensure that people feel safe when installing extensions on the Chrome Web Store. As part of this work, we’ve updated best practices, and named undesirable behaviors in key areas like security and trust. Today we’re further clarifying three policies to keep the quality of extensions high, and the experience for developers consistent.”

The new policies are mostly aimed at reducing deceptive tactics. Offering multiple extensions as part of the same installation flow is not allowed, and extensions can’t upsell other extensions or apps. For example, a harmful extension could prompt you to install a different extension, so if you ever delete the first one, you might not think to also delete the second extension (which could continue collecting data or engaging in other harmful practices). Google is also banning developers from publishing multiple extensions “with highly similar functionality, content, and user experiences.”

Finally, Chrome Web Store developers are required to enable two-step verification on their Google accounts. This should cut down on instances of developer accounts being hacked, which in turn could allow hackers to submit malicious updates to existing extensions (or transfer control of extensions to another Google account). Google just enacted the same rule for Google Play developers, and Mozilla began requiring Firefox add-on developers to use two-factor authentication in March of this year.

Original Email

Dear Developer,

We are announcing a set of policy clarifications designed to better define existing policies and address new forms of abuse.

Over the years we’ve made a number of product and policy improvements to help ensure that people feel safe when installing extensions on the Chrome Web Store. As part of this work, we’ve updated best practices, and named undesirable behaviors in key areas like security and trust. Today we’re further clarifying three policies to keep the quality of extensions high, and the experience for developers consistent:

Deceptive Installation Tactics Update:

  1. Offering multiple extensions as part of the same installation flow isn’t allowed. Similarly, extensions can’t disruptively upsell other extensions or apps. Such behaviors violate our Deceptive Installation Tactics and Notification Abuse policies.
  2. The set of functionalities promised by extensions must be stated clearly and in a transparent manner. All principal and significant features of your extension must be clear to the user and not buried in unrelated text.
  3. The outcome of any user interaction should match the reasonable expectations that were set with the user.
  4. Requiring unrelated user action to access advertised functionality is not allowed.

Spam and Repetitive Content:

  1. Multiple extensions with highly similar functionality, content, and user experiences are considered repetitive. If these extensions are each small in content volume, and provide the same single purpose, developers should create a single extension that aggregates all the content. For example, publishing multiple wallpaper extensions, when these would be better served as a single extension, is prohibited.

Two Step Verification:

  1. Developers are required to enable Two Step Verification for their Google Account in order to publish new extensions or to update existing extensions. Instructions on how to enable Two Step Verification can be found here.

Developers can also learn more about today’s guidance in both our Program Policies and our FAQs. These policy clarifications will go into effect on August 2, 2021. After that date, developers will no longer be able to publish new or update existing extensions without enabling Two Step Verification, and extensions in violation of these new policies may be removed from the Chrome Web Store and disabled.

If you have any questions, you can contact developer support.

Thank you for your cooperation and for your participation in the Chrome extension ecosystem!

– The Google Chrome Web Store team

About author

Corbin Davenport

Corbin is a tech journalist and software developer based in Raleigh, North Carolina. He's also the host of the Tech Tales podcast, which explores the history of the technology industry. Follow him on Twitter at @corbindavenport.