Articles index

The security of Safari extensions

January 8 2020 by Jeff Johnson
To support this blog please buy my apps StopTheMadness and Underpass

When you open Safari's Extensions Preferences, you may see some scary warnings, such as "Can read sensitive information from webpages, including passwords, phone numbers, and credit cards on: all webpages" and "Can see when you visit: all webpages".

Safari Extensions Preferences

These warnings scare many people away from Safari extensions entirely, and unfortunately Safari's help (the ? button) provides no helpful information or guidance to users:

Safari User Guide

The scary, unexplained warnings also cause App Store customers to leave negative reviews for Safari extensions, accusing the extension developers of "overreach". This situation is not good for anyone, either extension users or extension developers. Thus, my goal in this blog post is to try to clear up some of the confusion surrounding Safari extension permissions and security.

Most extension developers don't want access to your passwords and other sensitive information (unless of course the extension is for a password manager intentionally designed to handle passwords). If we could forgo the scary permissions in Safari's Extension Preferences, we would, because we know they scare away users. However, it's important for users to understand that there's nothing special that an extension does to acquire those permissions. They're not an overreach, they're simply a consequence of the extension's ability to load JavaScript into web pages. Loading JavaScript into web pages is how extensions work, it's the API that allows extensions to manipulate web pages. And JavaScript is extremely powerful, it allows access to any and every part of a web page. This is because JavaScript is the same API that the web developers themselves use to build their web pages. Almost anything a web page can do, an extension can do too.

Let's see how this works with an example. Open the page to manage your Apple ID, and enter some dummy values for testing, not your real Apple ID. Don't submit the form; if you find that Safari is auto-submitting login forms, my extension StopTheMadness has a feature to stop that! Now open the contextual menu and select the command "Inspect Element", which will open the Safari Web Inspector. At the bottom there's a console where you can enter JavaScript commands. Enter the following:

document.getElementById("password_text_field").value

This JavaScript command should display the password you entered, as shown below.

Safari Web Inspector

You can use the JavaScript command document.location.href to get the web page URL as well. Thus, the scary Safari Extensions Preferences warnings are technically accurate. JavaScript is extremely powerful. If an extension can load JavaScript into a web page, it could do what I just showed you. Enabling a malware extension would open you up to very serious problems. Nonetheless, the Safari warnings are not explained in a way that most users can understand and evaluate. Every Safari extension that runs JavaScript — in other words, almost every Safari extension — will have these same warnings, so what are users supposed to do with the warnings? Avoid Safari extensions entirely? Then why does Apple provide a developer API for Safari extensions, if they aren't meant to be used? Why are Safari extensions available in the Mac App Store? Why does Apple advertise that they're available in the Mac App Store? You get the feeling that different teams within Apple are not on the same page here, and they're giving unhelpful mixed messages to users.

Legitimate, honest extension developers won't write JavaScript to steal your passwords and other sensitive information. Is there any way for the user to know this, aside from just trusting the developer? Actually, yes there is! I'll let you in on a little secret: all Safari extensions are open source, in a sense. Not entirely open source: native Mac code in the app is not necessarily open source. But the JavaScript that gets loaded into web pages is open source, and it's the JavaScript that has the scary permissions you see in Safari's Extension Preferences. (By the way, any native code in the extension is sandboxed, and the app itself is also sandboxed if it comes from the Mac App Store.)

If you use "Show Package Contents" in Finder to show the contents of my own StopTheMadness.app, you'll find the Safari app extension StopTheMadness.appex inside the PlugIns folder. The extension is itself a package, so you can use "Show Package Contents" on it too. The extension's JavaScript is in the file script.js in the Resources folder. So there you have it, the StopTheMadness JavaScript is open source, though you have to buy the app and download it first to see the source. This is safe for the user, because Safari will not load an extension's JavaScript into web pages until the user specifically enables the extension in the Extensions Preferences, so the JavaScript can be inspected before it ever gets run by Safari.

To be clear, you do not have permission to publish or redistribute my source code. It's copyrighted, so that would be very illegal, and I will prosecute violations with extreme prejudice. Am I worried about someone stealing my source code? A little. However, as an indie developer I've discovered that marketing software is much more difficult than writing software. Even if you stole my code, good luck finding users to install it! I have a hard enough time with that myself. Anyway, I hope that other Safari extension developers aren't mad about my little reveal here, for every Safari extension is open source in the same sense as mine. My goal here is to encourage the purchase and use of Safari extensions by dispelling the FUD about extensions triggered by the Extensions Preferences warnings, so I intend this to help rather than harm developers. Besides, the secret is difficult to keep when any technically minded user is capable of poking around in your app bundle.

In general, my view is that you shouldn't install software on your Mac unless you trust the developer. You can't rely on the system to protect you from malicious software, because there are always vulnerabilities and ways to get around the system. There are sandbox escapes. There are privacy protection bypasses. I've discovered some myself and reported them to Apple Product Security. You can read about one that I've disclosed. Stay tuned for more. ;-) You can't rely on the App Store to protect you, because App Store review is a complete joke. It's important for users to know the risks of installing software, but it's also important not to ignore the rewards of installing software, not to let your life be ruled by fear. After all, installing software on your Mac is less risky than everyday activities such as driving a car or drinking alcohol (and much less risky than those activities combined!) Safari extensions can make your life a lot easier, as long as you're prudent about which ones you install. Don't rely on App Store review or App Store customer reviews, which can be ignorant and/or faked; instead, rely on recommendations from friends, rely on software reviews by respected media outlets. Rely on indie developers who treat you like the customer instead of treating you like the product to sell to advertisers. In recent years Apple has been adding more and more scary warnings to macOS, like Windows Vista, but keep in mind that the warnings are for capabilities that Mac apps always had since the beginning of Mac OS X, and indie developers did not abuse the power they had, even when there were no warnings.

To support this blog please buy my apps StopTheMadness and Underpass

Articles index