Friday, March 29, 2024

Google could safely bring extensions to Chrome for Android. Here’s how!

Share

Android-figures.jpg

When it comes to the web browser on your phone, security is the first and most important consideration. But it’s still possible to safely incorporate browser extensions for Chrome.

Almost everybody uses Google Chrome for their web browser. Yeah, I know plenty of people who don’t, and I have used different browsers from time to time myself, but the point still stands: Chrome is the world’s leading browser across both desktop and mobile, which makes it the best Android web browser.

The biggest reason for this is that it’s installed by default. If you decide you want to buy the very best Android phone, you set it up and see a Chrome icon front and center. You know immediately that the little multicolored ball is for browsing the web. But Chrome is also a decent web browser in its own right and has a good set of features and some of the best experts in the industry keeping the data you store inside the app secure. (Remember, there is a difference between security and privacy, so don’t @ me!)

Many folks, myself included, have one big gripe when it comes to Chrome for Android, though: the lack of Android Chrome extensions support. There are plenty of other browsers, even ones built of the Chromium source code, that support extensions, so why can’t Chrome? Google is no help because if you ask, you get the same answer the Chrome team has placed in the developer FAQ:

Chrome apps and extensions are currently not supported on Chrome for Android. We have no plans to announce at this time.

That’s not very useful. We know they aren’t supported, but maybe we would like to know why they are not supported.

google-chrome-logo-joe-1.jpg

There are two camps when it comes to why. The first is Google is afraid that uBlock Origin would kill its business model. The second is Android’s permissions, and file access rules make including extensions impossible. I’m in a third camp and think both are incorrect answers.

Blocking ads in the browser can hurt the website you’re visiting but has minimal effect on Google’s bottom line.

Adblocking software in Chrome doesn’t hurt Google on mobile. It can make life difficult for individual websites that depend on ad revenue to stay afloat. But Android is an app-driven ecosystem. Google can collect more than enough data about you and your habits through all the apps you use, so missing a bit of extra data through Chrome isn’t really going to put much of a dent in Google’s business.

Android’s permission and file access rules are a bit of a mess, but that doesn’t mean there isn’t a safe way to include browser extension support. It only means there are two ways to do it — the right way and the wrong way. Most web browsers that include extensions probably do it the wrong way. I say probably because there isn’t much documentation about private APIs that extensions might be using or how the extension permission model fits into Android’s overall permissions. However, one company is doing it right and takes the time to fully document everything: Mozilla.

Firefox for Android isn’t the best browser. I hate saying that as much as a lot of you hate hearing it, but it’s true. Firefox uses its own rendering engine so things can get a little wonky, the app can be sluggish, and the settings are just as confusing as Chrome’s. But Firefox does incorporate extensions safely and thoughtfully.

Browser extensions can’t do anything the browser itself isn’t allowed to do.

A browser extension can’t act on the operating system in any way that the browser itself can’t also do. That’s the Android permission model at play. If you deny Firefox access to your files and folders, an extension designed to find and save memes isn’t going to work because it can’t access anything except Firefox’s private data folders, which no other app can read. It would be like putting something in a locked box then throwing the key into the ocean.

However, a browser does ask for a pretty wide range of permissions, at least one that didn’t come pre-installed. It has full admin rights (looking at you, Samsung Internet Browser) so theoretically, an extension that stays within those boundaries can work as advertised.

This isn’t always the case. Plenty of Firefox extensions just won’t work on the Android version, and the debug log will tell the developer that it’s using an “ANDROID INCOMPATIBLE API” when it tries to run and fails. If you’re a developer and are curious about which Firefox internal APIs work on Android and which don’t, here’s the documentation you want to read first.

firefox-focus-android.jpg

The rabbit hole has been opened, though, because many extensions only run in the browser space (like an ad blocker, which is what everyone really wants), so the Android permission model doesn’t come into play. Instead, these extensions use the browser’s private APIs — rules and instructions that the browser, and only the browser, have to keep the house in order. This is where Mozilla and Firefox stand out.

Mozilla has its own Recommended Extensions Program that showcases extensions that it feels are worthy of your attention. Part of the requirements to be in this program are that your extension isn’t trying to do anything shady and works exactly as advertised. Seeing the source code of a browser extension is easy, so checking for malicious intent is equally easy.

Not every extension in this program will work with Firefox for Android because not every Firefox API is included in Firefox for Android. Chrome is the same way — the codebase for Chrome on a Mac, a Windows PC, or a smartphone is the same. But depending on what you are building it for, the end product is slightly different.

Mozilla has a curated list of extensions for mobile users to choose from.

What Mozilla does is allow users to install compatible extensions that are part of its recommended list. It knows these extensions work as advertised and can be trusted. Maybe other browsers have a similar way of policing extensions, but Mozilla makes it really easy to find the docs about how this all works. I’m not saying Brave is bad or that Yandex is bad; I’m saying Firefox gives me the information to know how it all works.

There’s no reason why Chrome for Android doesn’t work the same way. In fact, it should work the same way — if Google really cares about browser security, giving Chrome users access to safe extensions would steer users away from using products that may not be as secure as Chrome. It’s possible, and we can literally see a great way to do it from Mozilla.

Instead, Google goes out of it’s way to make sure extensions can’t work on mobile devices. It’s right in the makefile if you’re building Chromium for mobile:

declare_args()
enable_extensions = !is_android && !is_ios && !is_fuchsia

That means enable extensions unless the target is Android, iOS, or Fuchsia — so no extensions in Chrome for Google’s next operating system, either. A developer building a Chromium-based web browser for Android needs to find this bit of code and alter it before they build the app if they want to include extension support on any level.

Google can safely support extensions in Chrome for Android. Why it doesn’t will probably remain a mystery.

Now that we see it’s possible to include extension support for Chrome on mobile securely, we’re back to the question of why Google won’t do it. We’ll probably never know the real answer to that one. I hope it’s not a loss of ad revenue because that means VPNs are next in line. Don’t worry, that’s not the reason and your mobile VPN client is safe.

Read more

More News