LightBlog

mardi 19 mai 2020

[Update 2: Join extension approved] The PushBullet and Join Chrome extensions are in danger of being removed due to vague privacy violations

Update 2 (5/19/20 @ 2:45 PM ET): Google has re-approved the Join Chrome extension as well.

Update 1 (5/15/20 @ 2:25 AM ET): The Pushbullet Chrome extension has now been approved. The article as published on May 14, 2020, is preserved below.

In a bid to ensure that the Chrome Web Store doesn’t host any malicious Chrome extensions, Google routinely updates the platform’s privacy policies. Back in October 2018, the company announced one such update which was aimed at making extensions more secure. As part of the update, Google introduced new user controls for host permissions, made changes to the extensions review process, added new code readability requirements, and made 2-Step Verification necessary for Chrome Web Store developer accounts. While such changes are great for keeping malicious extensions off the platform, they now seem to be affecting legit Chrome extensions like Pushbullet and Join.

The developers behind Pushbullet and Join were recently alerted by Google that their extensions didn’t comply with the Chrome Web Store’s privacy policy and violated the “Use of Permissions” section. When the developers reached out to Google inquiring how their extensions violated the privacy policy, the company reverted back with a generic reply that states:

“Your product violates the “Use of Permission” section of the policy, which requires that you:

  • Request access to the narrowest permissions necessary to implement your product’s features or services.
  • If more than one permission could be used to implement a feature, you must request those with the least access to data or functionality.
  • Don’t attempt to “future proof” your product by requesting a permission that might benefit services or features that have not yet been implemented.”

In response to the aforementioned reply, Pushbullet’s developer reduced the extension’s permission requests and resubmitted the extension for review. However, the updated extension was rejected once again and the company gave the same reason as before. When asked for further clarification, Google didn’t respond to the developer’s email. The developer now plans to make a few other changes to the permission requests and submit the extension for review again. But that brings up another issue. Chrome Web Store’s privacy policy states that multiple resubmission “may also result in the suspension of related Google services associated with your Google account” as Google’s automated system might think that the developer is trying to find a way around the rules with multiple submissions.

Sadly though, the developer is left with no other option and has submitted another update with more changes to Pushbullet’s permissions requests. It’s also worth noting that even if the developer’s Google account isn’t suspended due to multiple submissions, they have less than 7 days to update the extension or it will be removed from the Chrome Web Store. When the developer shared this issue on Twitter, two Google developer advocates for Chrome extensions had this to say:

Similarly, Join’s developer also reached out to Google for clarification but received the same generic response. What’s even worse is that when the developer tried to justify Join’s permission requests to the company, he received the same responses over and over again. Despite several attempts, Google didn’t explain what exactly needed to be changed in the extension and said that it couldn’t “provide any additional information regarding the issue.”

While both the Join and PushBullet Chrome extensions may very well violate Google’s User Data Privacy guidelines, it’s inarguable that the company could have done a better job of communicating exactly how both are in violation, so that the developers can easily fix the issue. At the time of writing, there were no further updates from the developers regarding the matter. We’ll update this post as and when we learn more about the situation.

Source: Pushbullet blog, Joaoapps


Update 1: Pushbullet extension approved following recent resubmission

Developer Advocate for Chrome extensions @DotProto has now confirmed that that the Pushbullet Chrome extension has been approved following the recent resubmission. In a tweet regarding the matter, he wrote: “FYI the latest submission has been approved. Apologies to Pushbullet for the rejection after addressed the original violation & to the broader dev community for not providing more actionable rejections.”

It’s also worth noting that Join’s developer @joaomgcd has also resubmitted the extension for review. However, at the time of writing, we had no further updates regarding its approval. We’ll update this post as and when we learn more from the developer.


Update 2: Join extension approved

Thankfully, this story has a happy ending. The Join Chrome extension has now been re-approved by Google as well. We’re glad both Join and Pushbullet were reinstated, but it would be nice if Google could avoid these situations from the get-go.

Join – Chrome Web Store

The post [Update 2: Join extension approved] The PushBullet and Join Chrome extensions are in danger of being removed due to vague privacy violations appeared first on xda-developers.



from xda-developers https://ift.tt/2T3GTr3
via IFTTT

Aucun commentaire:

Enregistrer un commentaire