Towards improving browser extension permission management and user awareness

Browsers have become the de-facto platform for users and their online presence. They have also become a rich environment for 3rd party extensions that enrich the user browsing experience by extending upon the browser´s functionalities. Protecting user privacy against malicious or vulnerable extensions is an important task performed by modern browser platforms such as Google Chrome and Safari. To do so, these platforms adopt a per-extension permission model, where each extension is given a set of permissions based on its requirements. These models suffer from coarse-grained access controls and insufficient user awareness. In this paper we implement a runtime framework as a browser extension called REM. REM monitors the accesses made by 3rd party Chrome extensions, informs users of the accesses, and allows them to customize the permissions given to extensions. The custom permission settings are enforced by the framework at runtime. We evaluated our framework on popular Chrome extensions & were successful in monitoring and controlling their accesses with little overhead. We also conducted a user study to evaluate the effectiveness of REM compared to current standard methods.