Citing security concerns to support this move, Google has decided that they want to ban Chrome extensions that can be installed from outside of the Chrome Web Store. Google says that some malicious actors can try and install extensions in your Chrome browser that override some browser settings, and they also say that the only reason to stop that is for the extensions to come from their web store.
I’m not buying it. I don’t doubt that what they’re saying is true – to some extent, but this excuse sounds too much like the one they gave about Chrome’s passwords not being protected by another master password, like it’s done in Firefox and Safari. In that case they said they won’t do it, because it’s not offering sufficient security, and it would make people think they have more security than they actually do. But in the end that’s still better than having the Chrome passwords not being protected at all, especially since a lot of people are saving their passwords in Chrome these days. So they ended up going back on that, and promising to secure the Chrome passwords in a future update.
In this case, while I’m sure it’s true that some websites can “trick” people into downloading some malicious Chrome extensions, the users still have to install the extension themselves after it’s downloaded, so there’s an extra layer of security just from the fact that these extensions aren’t installed by default.
But even if this was such a big problem, which it isn’t, and it’s mostly theoretical right now, this can’t be the right solution and the right compromise to fix this problem. Google offers Android users the ability to sideload applications, which is one of the main features of Android that truly make it an “open OS”. Every other mobile OS isn’t offering that, and they’re forcing users to only install applications that they allow, and they allow only applications that follow their rules, whether fair or not.
I think this move that’s forcing users to install extensions only from the web store is dangerous because it’s almost certain Google will also start censoring some extensions this way. They are already not allowing extensions like Mediahint in the web store, and since they’ve already kicked Adblock apps from the Android Play Store, I think it’s only a matter of time before they do the same to Adblock extensions in the Chrome Web Store, even if it attracts a lot of backlash, but they think it’s necessary to improve their profit. Hopefully they won’t go that far, but I still believe they should find another way of protecting users against malicious extensions if they truly think it’s such a huge problem.