Google improved end-to-end security for Android apps that connect to Chrome extensions

August 4, 2014

Google has added new security functionality for developers who build extensions for the Chrome browser. TLS/SSL is now supported in the chrome.sockets API.

This is great news for Chrome users who love to install productivity and communication extensions on their browser, as it enables the “S” in the HTTPS that you may be familiar with from your standard web browsing. We understand that, until now, extensions have had to rely on websockets or their own encryption techniques to handle secure data transfers.

For Android users, this new tool makes it easier for developers to completely secure your connection, and your data, all the way from your Android device to the browser on your computer.

To explain how this works, let’s take a look at the popular app and service Pushbullet. Pushbullet has the ability to push notifications, data and more back and forth between your Android device and PC. Full disclaimer: I do not know what actual protocols or techniques Pushbullet uses; we’re just using them as an example app to show how the process operates.

Generally speaking, there are two transactions here. First, your Android device securely connects with Pushbullet servers using HTTPS through the DefaultHttpClient in Android. The second transaction is between the Pushbullet servers and your PC.

If Pushbullet had employed the chrome.sockets API to build their Chrome extension, the latter part of the connection above would not be secured. Your information and data would travel over the wire in plain text, over the same kind of HTTP connection that web sites, including this one, use to deliver the words and images that you are reading now.

Pushbullet co-founder Andre Von Houck was kind enough to confirm for me that they use the standardized old-school websockets to establish a secure HTTPS connection between the Chrome Extension on your PC and their servers. So, for Pushbullet, you are secured and good to go.

This concept is the same for any app that connects to a Chrome extension, including your favorite SMS services MightyText and DeskSMS. Now, before you get all worried about these vulnerabilities, check into your chosen app and service to see what security they offer. There is a good chance your app developer is already using standard websockets or alternative security measures to keep you and your data safe.

For the developer in your life, there are advantages and disadvantages to both websockets and Google’s addition of TLS/SSL in the chrome.sockets API for Chrome extensions. For the rest of us, let’s just be pleased that developers have a new option for securing our data all the way from our Android devices to our PC desktop.
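For that developer, here is roughly what the TLS upgrade in chrome.sockets looks like. This is an added example, not code from Google, Pushbullet or the original article; it assumes the `chrome.sockets.tcp` calls `create`, `setPaused`, `connect`, `secure` and `close`, and the helper name `secureConnect` and its optional `api` stand-in parameter are hypothetical.

```javascript
// Added example: open a TCP socket with chrome.sockets.tcp and upgrade it to TLS
// before any application data is sent. secureConnect is a hypothetical helper.
function secureConnect(host, port, done, api) {
  // Inside Chrome this is chrome.sockets.tcp; a stand-in can be passed elsewhere.
  api = api || (typeof chrome !== "undefined" ? chrome.sockets.tcp : null);
  if (!api) return done(new Error("chrome.sockets.tcp is not available"));

  api.create({}, function (info) {
    var id = info.socketId;
    // Close the socket on any failure so nothing is ever sent in plain text.
    function fail(step, code) {
      api.close(id, function () {
        done(new Error(step + " failed with code " + code));
      });
    }
    // Pause reads first so TLS handshake bytes are not delivered to onReceive.
    api.setPaused(id, true, function () {
      api.connect(id, host, port, function (result) {
        if (result < 0) return fail("connect", result);
        // Without this call the socket stays a plain TCP connection.
        api.secure(id, { tlsVersion: { min: "tls1.2" } }, function (tlsResult) {
          if (tlsResult < 0) return fail("secure", tlsResult);
          api.setPaused(id, false, function () {
            done(null, id); // safe to send() on this socket from here on
          });
        });
      });
    });
  });
}
```

The point to notice is the failure path: if the handshake fails, the socket is closed rather than left open as an unencrypted connection.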

What level of security do you use for your Android experience – do you keep it simple with password security like LastPass, or do you go all out with the install of a custom ROM like Paranoid Android?

Comments

  • Jayfeather787

    Go google!

    • Crutchcorn

      Yup! LOL.

      • Jayfeather787

        Nice profile picture.

        • crutchcorn

          Why thank you. Made it for a failed blog a long time ago and was changing settings on Disqus and was like why not

  • Albin

    I let Dropbox sync the phone and PCs – anything confidential goes into an ENCF encrypted folder in the Dropbox (opens with EncDroid, or BoxCryptor (Windows) / GnomeENCFManager (Linux)). MightyText could be handy and worth looking into.

  • survivingwithandroid

    The use of DefaultHttpClient is not encouraged since 2.3. HttpURLConnection should be used.

  • John Grabb

    Wow, didn’t know that Google talking to Google was a security issue too! However, it doesn’t surprise me at all.