Google announced today on the official Chromium blog that it will improve the Chrome browser’s protection against deceptive inline installations.

When Chrome launched, extensions could be installed from anywhere. Sites sprang up that hosted multiple extensions, and any developer or company could offer extensions on their sites. The Chrome Web Store was released in December 2010, more than two years after the release of the first version of Google Chrome.

Google changed the process in 2011 when it introduced inline installations as a way to better protect users.

Inline installations, together with changes to Chrome's support for installations from outside the Chrome Web Store, required that developers upload their extensions to the Chrome Web Store first before they could offer them on their own websites or on third-party websites. The extension package itself is served by the store; only the install prompt is triggered from the hosting page.

Google's idea was to route all extensions through the Chrome Web Store so that it could scan them and block malicious ones before they were distributed. Nav Jagpal and Benjamin Ackerman, two members of Google's Safe Browsing team, note that the inline installation system reduced user complaints by 65%.

They acknowledge, however, that "fewer than 3% of extensions" still engage in "deceptive or confusing install flows" today, and that these "generate 90% more user complaints on average".

Google's plan to combat the inline installations that make up that less than 3%? More automation, of course. The company plans to upgrade its automated inline installation abuse detection system to improve "detection speed" and to catch more of the extensions that abuse the mechanism.

Google will also use machine learning "to evaluate each inline installation request for signals of deceptive, confusing, or malicious ads or webpages". If those signals are detected, Chrome will block the inline installation request and redirect the user to the extension's Chrome Web Store listing instead, so the install prompt comes from the store page rather than from the site that triggered it.
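The page-side half of that flow, as an added example that is not Google's code and not from the Chromium post: a site triggers `chrome.webstore.install()` for an item already hosted on the Web Store and, whenever the request is refused (the user dismissed it, Chrome blocked it, or the API is missing), sends the user to the item's store listing instead. The environment (`webstore`, `navigate`) is injected so the logic can be exercised outside a browser; the item ID used in the comments and tests is constructed, not a real extension.

```javascript
// Inline-install flow with a Web Store fallback (added example, not Google's code).
// A real page must also declare the item before calling the API:
//   <link rel="chrome-webstore-item" href="https://chrome.google.com/webstore/detail/ITEM_ID">
// otherwise chrome.webstore.install() refuses the request.

const WEBSTORE_DETAIL = "https://chrome.google.com/webstore/detail/";
// Web Store item IDs are 32 characters from the range a-p (hex digits mapped to letters).
const ITEM_ID_RE = /^[a-p]{32}$/;

// Build the listing URL from the item ID only; refusing anything that is not a
// well-formed ID keeps the fallback redirect from becoming an open redirect.
function webstoreUrl(itemId) {
  if (!ITEM_ID_RE.test(itemId)) {
    throw new Error("invalid Chrome Web Store item id: " + itemId);
  }
  return WEBSTORE_DETAIL + itemId;
}

// Try an inline install; on any failure fall back to the store listing.
//   env.webstore - object exposing install(url, onSuccess, onFailure), or null
//   env.navigate - function(url) performing the redirect
// Resolves to { outcome: "installed" | "redirected", url, error }.
function inlineInstallOrRedirect(itemId, env) {
  const url = webstoreUrl(itemId);
  return new Promise((resolve) => {
    const fallback = (error) => {
      env.navigate(url); // always the fixed store URL, never page-supplied data
      resolve({ outcome: "redirected", url, error: error || null });
    };
    if (!env.webstore || typeof env.webstore.install !== "function") {
      fallback("chrome.webstore.install unavailable");
      return;
    }
    try {
      // Signature of the (now deprecated) API:
      // chrome.webstore.install(url, successCallback, failureCallback(message, errorCode))
      env.webstore.install(
        url,
        () => resolve({ outcome: "installed", url, error: null }),
        (message, code) => fallback(code ? `${code}: ${message}` : message)
      );
    } catch (e) {
      fallback(String(e && e.message ? e.message : e));
    }
  });
}

// Browser entry point: wire a button to the flow using the real API when present.
function attachInstallButton(button, itemId) {
  button.addEventListener("click", () => {
    const env = {
      webstore: typeof chrome !== "undefined" ? chrome.webstore : null,
      navigate: (u) => { window.location.href = u; },
    };
    inlineInstallOrRedirect(itemId, env).then((r) => console.log(r));
  });
}
```

The point of the injected `env` is that the blocked path is the one worth testing: when Chrome refuses the request the failure callback fires, and the page ends up exactly where Google's new enforcement would send the user anyway, the store listing. Keeping the redirect target derived only from a validated item ID means a deceptive page cannot turn the fallback into a redirect to an arbitrary site.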

Google published additional information on the Chrome Developers website. The Enforcement FAQ explains when developers are notified and why Google disables inline installation for specific extensions.

Closing Words

Google doing something against abuse of the inline installation system is a good thing, but I'm more worried about the company's extension vetting process. Incidents in the past have shown time and time again that malicious or invasive extensions slip through the cracks and pass Google's automated checks (see Google pulls crypto-mining Chrome extension Archive Poster or Another Chrome extension horror story: coinhive and domain registration).