Are Extensions Safer in Firefox or Chrome? Sandbox vs. Open Market
The debate continues over whether it’s better to have a closed system for distributing apps or a more open one. You see it a lot in comparing Apple’s App Store to Google’s Android Marketplace. Apple reviews and approves every app before launch. You’re assured a certain level of product quality, integrity and safety because of that pre-approval. Android – buyer beware. It’s easy for anyone to upload an app, and while it’s a waste of time when you download a poorly designed, poorly functioning app, it’s harmful when that app carries malicious code with it.
The battle is also fought in the browser space. Firefox has a “sandbox” that all extensions must enter to be reviewed by one of the Mozilla community volunteers before they’re ultimately released to the public. The Google Chrome Web Store is like the Android Marketplace in that anything and everything loaded is immediately available for public consumption.
Firefox Safer? Yes.
The reviewed apps and extensions, by nature of the extra scrutiny by a third party, ensure an added level of safety. It’s not foolproof, as mistakes can still be made – it’s a human process after all – but it’s an added level of security and does breed safety.
Don’t ignore that safety can sometimes be an issue beyond the distribution of malicious code. When it was discovered that Path uploaded users’ address books from their iPhone, it was a safety matter related to privacy. I personally don’t think there was ill intent by the makers of Path. They generally operate to a higher standard among social media products – but it was clearly a blunder. And it had gone through the approval process at Apple. The sandbox type of approach helps, but it’s not guaranteed.
Is Chrome Unsafe?
To call Chrome unsafe would be unfair, but it has more vulnerabilities if only for the reason that you can immediately publish extensions without prior approval. Someone with ill intent can make an extension available and spread mayhem.
Google says it’s reducing the risk in Chrome 21 by taking away the ability to easily add extensions from web sites other than the Chrome Web Store. Their post “Adding Chrome extensions from other web sites” goes into detail about the program. The key point from this page is the following entry:
To help keep you safe on the web, we have started analyzing every extension that is uploaded to the Web Store and take down those we recognize to be malicious. Unfortunately, we don’t have the ability to take down malicious items promoted on other websites. For instance, online hackers may create websites that automatically trigger the installation of malicious extensions. Their extensions are often designed to secretly track the information you enter on the web, which the hackers can then reuse for other ill-intended purposes.
So, not only are they taking away easy installation of extensions from other sites, they will be reviewing all extensions. It looks like this will be after the extension is already live on the Web Store, so how much that truly helps make users more safe remains to be seen.
While the app environments will continue to evolve to ensure your safety, so will the efforts of those seeking to do you harm. The general guidance that companies like Apple, Microsoft, Google and Mozilla give you will still hold true. Only download items from people and companies you trust. Companies who have a brand to protect will always operate in an appropriate manner. That doesn’t mean you’ll like what they do or have delivered, but they’ll give you the options to change, control or remove the software if it’s not to your liking. There’s no hidden agenda with companies you know. They’re in business to make money, and they do that through happy customers. If they don’t keep their users happy, there’s no company.
Safer Browser for App Developers
A safe environment for developers is one where you can build extensions and have predictability with the release of your apps and extensions. It’s equally important to have the ability to be creative so new methods and capabilities can be released. Review systems sometimes have difficulty navigating the unexpected and new, as well as getting all the products in the queue reviewed and released in a timely manner.
You’ll hear complaints by developers waiting for the release of their app or extension as it goes through Apple’s approval process or waits to clear the Firefox sandbox. It wreaks havoc on schedules, and timing a launch promotion is virtually impossible. More difficult are the sometimes subjective and apparently arbitrary rules and decisions that get made. It’s difficult for companies and developers to navigate when the rules get enforced inconsistently.
The Firefox review process, managed by volunteers, may have guidelines but you are heavily dependent on the judgment of your individual reviewer. Yet, there is an option for dialogue to resolve issues and conflicts. Since it’s a community that builds and supports Firefox, the community will help you understand and work through the process. You don’t always have this benefit with other browsers. The dialogue helps an extension builder like Brand Thunder. We’re building an experience for our themes and cross categories with our products – which offer both theme and extension components. As a result, we don’t fit nicely in standard compartments or categories. With Firefox, we’ve been able to find a solution that works for their audience and keeps our products in their add-ons site.
In the Chrome Web Store, we don’t have that same flexibility. There’s a rigidity to the rules and regulations that prevents us from bundling our product, and now delivery from our partners and our own site is hindered starting in Chrome 21. It’s a recurring problem that creates a difficult operating environment for developers.
If you truly need flexibility, the open source of Mozilla Firefox may be your best environment for experimenting.