Final Review: chrome.activityLogPrivate API

Adrienne Porter Felt

unread,

Sep 9, 2013, 6:49:13 PM9/9/13

to apps...@chromium.org, Karen Lees, Michael Vrable

Hi, I'd like a final review for enabling the activityLogPrivate API on all channels.

The Activity Log is a framework for monitoring extension behavior. This API exposes the data to a whitelisted app named "Watchdog." The Watchdog app will show users a dashboard of what their extensions have been doing. The API provides methods for searching through the Activity Log behavioral database, getting a live stream of events, and deleting data from the database.

For the sake of review, there's documentation here:

https://chrome-apps-doc.appspot.com/_patch/17028015/extensions/activityLogPrivate.html

And the launch bug is here:
crbug.com/241672

Adrienne

Matt Perry

unread,

Sep 9, 2013, 7:25:05 PM9/9/13

to Adrienne Porter Felt, apps-dev, Karen Lees, Michael Vrable

IMO the only question to ask for this API is, should it ever be public? I think the answer is no.

So, LGTM.

Adrienne Porter Felt

unread,

Sep 9, 2013, 7:28:06 PM9/9/13

to Matt Perry, apps-dev, Karen Lees, Michael Vrable

On Mon, Sep 9, 2013 at 4:25 PM, Matt Perry <mpcom...@chromium.org> wrote:

IMO the only question to ask for this API is, should it ever be public? I think the answer is no.

Agreed, this should never be a public API.

Mike Tsao

unread,

Sep 11, 2013, 12:44:38 PM9/11/13

to Adrienne Porter Felt, Matt Perry, apps-dev, Karen Lees, Michael Vrable

This API appears to be enabling Chrome-specific functionality that is more appropriate to implement as an app and/or extension than as native code, which means that the existence of the API is merely a consequence of the implementation choice. Thus the API does not fall under our higher public-API review standards.

In other words, private OK. LGTM.

muhammad haris

unread,

Jun 29, 2015, 4:20:44 AM6/29/15

to apps...@chromium.org, mvr...@google.com, kare...@google.com, fe...@chromium.org

I am trying to use this API for some research purpose on extensions. Documentation link you have provided is not working. Where can I get documentation?

Adrienne Porter Felt

unread,

Jun 29, 2015, 9:59:12 AM6/29/15

to muhammad haris, apps-dev, Michael Vrable, Karen Lees

Hi,

This is a whitelisted API, meaning it is not available for use by any extension other than the Chrome Extension & Apps Developer Tool.

ryan

unread,

Oct 17, 2015, 12:43:00 AM10/17/15

to apps-dev, mhmu...@gmail.com, mvr...@google.com, kare...@google.com, fe...@chromium.org

On Monday, June 29, 2015 at 6:59:12 AM UTC-7, Adrienne Porter Felt wrote:

Hi,

This is a whitelisted API, meaning it is not available for use by any extension other than the Chrome Extension & Apps Developer Tool.

Is there any way a third party developer can get whitelisted to use this API? My company is developing a 'secure' chrome extension to help users detect unwanted activity in other extensions (ad injects, history theft, etc.).

Adrienne Porter Felt

unread,

Oct 17, 2015, 10:56:41 AM10/17/15

to ryan, apps-dev, muhammad haris, Michael Vrable, Devlin Cronin

No, we are not planning to release this for other parties. It has privacy and performance implications that make it inappropriate to release as a 3p API.

Message has been deleted

ryan

unread,

Oct 17, 2015, 2:01:45 PM10/17/15

to apps-dev, ryan.ma...@gmail.com, mhmu...@gmail.com, mvr...@google.com, rdcr...@google.com, fe...@chromium.org

On Saturday, October 17, 2015 at 7:56:41 AM UTC-7, Adrienne Porter Felt wrote:

No

How then could a security researcher A) build a 'passive' extension monitor for the public or B) build a local cluster to run all extensions and monitor them.

For (A), I could use chrome.webRequest.onCompleted.addListener(..., <all_urls>) and check for a tabId of -1 but I still don't know which extension the traffic originated from. For (B), I tried chrome.debugger.attach() but it won't let me access a chrome-extension:// URL of different extension.

I could patch chrome and add my extensionId to the whitelist for activityLogPrivate. Instrumentation is a little out of my league but I suppose that's what the HULK academics did here: http://www.icir.org/vern/papers/hulk-usesec14.pdf

Any other, less janky ideas on how to better track extension activity would be appreciated!

Harris

unread,

Oct 17, 2015, 2:09:49 PM10/17/15

to ryan, apps-dev, mvr...@google.com, rdcr...@google.com, fe...@chromium.org

Since you referred to the paper, few months back I was also solving this issue. First thing you can do is attach a debugger to background page of the extension and then gets almost all the information about it. Please refer to tip of tree chrome debugging protocol. Moreover still you may get mixed in content scripts of extensions which are loaded inside page. For this purpose you can make honey pot pages , which is any offline page for which you already know the http requests and html structure. So if extension now makes any alteration will be easier to detect. This is actually what researchers have done in hulk.

You can also have a look at approach of this later paper which is I guess more intuitive to implement. http://wenke.gtisc.gatech.edu/papers/www15.pdf

Thanks,

Haris

On 18 Oct 2015, at 1:52 AM, ryan <ryan.ma...@gmail.com> wrote:

On Saturday, October 17, 2015 at 7:56:41 AM UTC-7, Adrienne Porter Felt wrote:
No

How then could a security researcher A) build a 'passive' extension monitor for the public or B) build a local cluster to run all extensions and monitor them.

For (A), I could use chrome.webRequest.onCompleted.addListener(..., <all_urls>) and check for a tabId of -1 but I still don't know which extension the traffic originated from. For (B), I tried chrome.debugger.attach() but it won't let me access a chrome-extension:// URL of different extension.

I could patch chrome and add my extensionId to the whitelist for activityLogPrivate. Instrumentation is a little out of my league but I suppose that's what the HULK academics did (http://www.icir.org/vern/papers/hulk-usesec14.pdf)

Adrienne Porter Felt

unread,

Oct 17, 2015, 4:15:45 PM10/17/15

to ryan, apps-dev, muhammad haris, Michael Vrable, Devlin Cronin

If you want to test extensions on your own, then yes add your extensionId to the whitelist and run a custom build off ToT.

Alternately if you install the CADT (DevTools) then you'll see a database full of activity log information appear on disk in the preferences folder.

On Sat, Oct 17, 2015 at 10:49 AM, ryan <ryan.ma...@gmail.com> wrote:

On Saturday, October 17, 2015 at 7:56:41 AM UTC-7, Adrienne Porter Felt wrote:

No

How then could a security researcher A) build a 'passive' extension monitor for the public or B) build a local cluster to run all extensions and monitor them.

For (A), I could use chrome.webRequest.onCompleted.addListener(..., <all_urls>) and check for a tabId of -1 but I still don't know which extension the traffic originated from. For (B), I tried chrome.debugger.attach() but it won't let me access a chrome-extension:// URL of different extension.

I could patch chrome and add my extensionId to the whitelist for activityLogPrivate. Instrumentation is a little out of my league but I suppose that's what the HULK academics did (https://www.icir.org/vern/papers/hulk-usesec14.pdf)

Adrienne Porter Felt

unread,

Oct 17, 2015, 4:17:34 PM10/17/15

to ryan, apps-dev, muhammad haris, Michael Vrable, Devlin Cronin

On Sat, Oct 17, 2015 at 1:15 PM, Adrienne Porter Felt <fe...@chromium.org> wrote:

If you want to test extensions on your own, then yes add your extensionId to the whitelist and run a custom build off ToT.

Alternately if you install the CADT (DevTools) then you'll see a database full of activity log information appear on disk in the preferences folder.

^ to be clear I mean this https://chrome.google.com/webstore/detail/chrome-apps-extensions-de/ohmmkhmmmpcnpikjeljgnaoabkaalbgc?hl=en not the devtools panel in Chrome

Reply all

Reply to author

Forward