Securely Transfer Data from Native App to Extension


Moe Bazzi

Aug 5, 2025, 9:18:22 PM
to Chromium Extensions
Hello all! I have a Windows native app that can send data to my browser extension using either native messaging or managed storage. However, what are some approaches I can use to securely transfer that data from the desktop app to the extension (e.g. session keys)?

I am assuming that any information being transferred using either native messaging or managed storage can be eavesdropped by other processes, so I imagine I will need to encrypt the data before transferring it, then decrypt it in the extension.

Thanks in advance!

Ryan Guilbault

Aug 6, 2025, 7:09:30 PM
to Chromium Extensions, Moe Bazzi
I believe that you have a relatively low risk of eavesdropping. Chrome uses named pipes, e.g.:

\Device\NamedPipe\chrome.nativeMessaging.in.779b504cc7944f54

and I suspect that they set the max instance parameter to 1, which effectively means ONLY your native messaging host is allowed to open the pipe for reading/writing.

You can write a small program to test this out, e.g.:

#include <windows.h>
#include <iostream>

int main() {
    // locate your pipe name using Process Explorer or similar
    const wchar_t* pipeName = L"\\\\.\\pipe\\chrome.nativeMessaging.in.779b504cc7944f54";

    HANDLE hPipe = CreateFileW(
        pipeName,
        GENERIC_READ,
        0,
        NULL,
        OPEN_EXISTING,
        0,
        NULL
    );

    if (hPipe == INVALID_HANDLE_VALUE) {
        DWORD err = GetLastError();
        std::wcerr << L"Failed to connect. Error: " << err << std::endl;
        return 1;
    }

    std::wcout << L"Connected to pipe!" << std::endl;
    CloseHandle(hPipe);
    return 0;
}


You should receive a 231, a.k.a. ERROR_PIPE_BUSY, or a 5, which is outright access denied.
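
The single-instance behaviour suggested in the reply above, reproduced on a pipe the script creates itself (an added example, not part of the thread and not Chrome's code). The pipe name is constructed for the demo, and nothing here shows how Chrome actually configures its pipe.

```powershell
# Added example. The pipe name is constructed for this demo; it is NOT Chrome's pipe.
$name = 'demo.nativeMessaging.' + [guid]::NewGuid().ToString('N')

# Server end created with maxNumberOfServerInstances = 1, the setting the reply
# suspects is in use: only one client connection can exist at a time.
$server = [System.IO.Pipes.NamedPipeServerStream]::new(
    $name, [System.IO.Pipes.PipeDirection]::InOut, 1)

# First client stands in for the legitimate native messaging host.
$first = [System.IO.Pipes.NamedPipeClientStream]::new(
    '.', $name, [System.IO.Pipes.PipeDirection]::In)
$first.Connect(1000)            # timeout in milliseconds
$server.WaitForConnection()     # returns at once, the client is already attached
Write-Host "first client connected: $($first.IsConnected)"

# Second client stands in for any other process that learned the pipe name.
$second = [System.IO.Pipes.NamedPipeClientStream]::new(
    '.', $name, [System.IO.Pipes.PipeDirection]::In)
try {
    # With the only instance taken, the underlying open fails as "pipe busy";
    # Connect(timeout) keeps retrying and throws TimeoutException when time runs out.
    $second.Connect(500)
    Write-Host 'second client connected: the instance limit is not being enforced'
}
catch {
    $ex = $_.Exception.GetBaseException()
    Write-Host "second client rejected: $($ex.GetType().Name) - $($ex.Message)"
}
finally {
    $second.Dispose()
    $first.Dispose()
    $server.Dispose()
}
```

The instance limit only accounts for the busy result (231); an access-denied result (5) would come from the pipe's security descriptor, which this example leaves at its default.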