
Google, Chromium, HotWord, and our Avira Scout

Voice search requires the microphone to be switched on, with the browser listening and waiting for the magic word “Ok Google”. This is probably fine for most people, but not for the privacy- and security-aware ones. For them (and for us) it is an absolute no-go. Google introduced the feature by adding the “Hotword” extension to Chrome and its open-source counterpart, Chromium.

After the initial impact this feature had in the security press, Google added a compile switch to keep it out of Chromium and later even set “off” as the default.

To prevent things like that from ever happening to our browser, we wrote a small script that checks the installed extensions and compares them to the “can” and “must” lists. This way we can ensure that no unwanted extensions are installed by our browser (which is based on the Chromium source) and that all extensions we want installed are there.

If you ever want to verify this yourself, you can find the script here: https://github.com/Avira/chrome_extension_checker

When running this script you will find some extensions that are not listed in Chrome/Chromium or our browser. That is actually by design: these extensions are hard-wired in and provide functionality you would expect to be done “in the browser code”. It is better to have it implemented in extensions. Why? Glad you asked:

Between an extension and the browser there are security boundaries. They limit the rights of the extension (see the manifest.json file of the extension for the rights it requests). This way, if the extension gets hacked, the damage that can be done is limited. If the features had instead been implemented directly in the browser source, those helpful boundaries would not exist. So, as you can see, this is good engineering practice.

Now, armed with the script, no one can sneak extensions into your browser without you noticing.
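The “can”/“must” comparison and the manifest.json rights described above can be illustrated with the following added example. It is not Avira's chrome_extension_checker script; it assumes the profile layout `Extensions/<id>/<version>/manifest.json`, uses constructed extension IDs, and only sees extensions stored in that directory, not the hard-wired ones.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample IDs for illustration (not real extension IDs).
MUST = {"a" * 32}   # extensions that have to be present
CAN = {"b" * 32}    # extensions that are allowed but optional


def read_extensions(ext_root):
    """Map extension ID -> parsed manifest for <root>/<id>/<version>/manifest.json."""
    found = {}
    for manifest in sorted(Path(ext_root).glob("*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            data = {}   # unreadable manifest: the ID is still reported
        found[ext_id] = data if isinstance(data, dict) else {}
    return found


def audit(ext_root, must=MUST, can=CAN):
    """Compare installed extensions with the "must" and "can" lists."""
    found = read_extensions(ext_root)
    installed = set(found)
    return {
        "missing": sorted(must - installed),            # required but absent
        "unexpected": sorted(installed - must - can),   # on neither list
        "permissions": {i: sorted(map(str, found[i].get("permissions", [])))
                        for i in sorted(installed)},    # rights each one requests
    }


def build_sample(root):
    """Write a constructed Extensions tree: one "can" entry, one unlisted entry."""
    samples = {"b" * 32: ["storage"], "c" * 32: ["audioCapture", "tabs"]}
    for ext_id, perms in samples.items():
        version_dir = Path(root) / ext_id / "1.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(
            {"name": "sample", "version": "1.0", "permissions": perms}))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(json.dumps(audit(tmp), indent=2))
```

An empty `missing` and `unexpected` result means the installed set matches the lists; the `permissions` map shows what each extension could do if it were compromised.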

For entertainment purposes:

  • Compare the extensions identified by our tool to those you can see in the Extensions menu and at this URL: chrome://inspect/#extensions
    (Yes, it is also good engineering practice to “hide” extensions from the user. As an engineer you do not want to confuse people with extensions they did not install.)
  • Compare all Chrome-based browsers (Chromium, our browser, Chrome, …) and check what they install.

TL;DR:

Yes, we have a Git account to publish our Open Source code

Please note: This article relates to the Windows, Mac and Linux version of the Avira Scout browser.


I use science to protect people. My name is Thorsten Sick and I do research projects at Avira. My last project was the ITES project where I experimented with Sandboxes, Sensors and Virtual Machines. Currently I am one of the developers of the new Avira Browser.