Google has added new security functionality for developers that build extensions for the Chrome Browser. TLS/SSL is now supported in the chrome.sockets API.
This is great news for Chrome users that love to install productivity and communication extensions on their browser, as it enables the “S” in the HTTPS that you may be familiar with from your standard web browsing. We understand that, until now, extensions have had to rely on websockets or their own encryption techniques to handle secure data transfers.
To explain how this works, let’s take a look at the popular app and service Pushbullet. Pushbullet has the ability to push notifications, data and more back and forth between your Android device and PC. Full disclaimer, I do not know what actual protocols or techniques Pushbullet uses, we’re just using them as an app example of how the process operates.
Generally speaking, there are two transactions here. First, your Android device securely connects with Pushbullet servers using HTTPS through the DefaultHTTPClient in Android. The second transaction is between the Pushbullet servers over to your PC.
If Pushbullet had employed the chrome.sockets API to build their Chrome extension, the latter part of the connection above would not be secured. Your information and data would transfer over the wire in the same plain text, using the same HTTP connection, that web sites, including this one, provide the words and images that you are reading now.
Pushbullet co-founder Andre Von Houck was kind enough to confirm for me that they use the standardized old-school websockets to establish a secure HTTPS connection between the Chrome Extension on your PC to their servers. So, for Pushbullet, you are secured and good to go.
This concept is the same for any app that connects to a Chrome extension, including your favorite SMS services MightyText and DeskSMS. Now, before you get all worried about these vulnerabilities, check into your chosen app and service to see what security they offer. There is a good chance your app developer is already using standard websockets or alternative security measures to keep you and your data safe.
For the developer in your life, there are advantages and disadvantages to both websockets and Google’s addition of TLS/SSL in the chrome.sockets API for Chrome extensions. For the rest of us, let’s just be pleased that developers have a new option for securing our data all the way from our Android devices to our PC desktop.
What level of security do you use for your Android experience – do you keep it simple with password security like LastPass, or do you go all out with the install of a custom ROM like Paranoid Android?