Make sure extension don´t call home?
Is there an easy way to see if an addon/extension is calling home? and if so edit said extension to not do so.
In other words, I want to make sure extension xxx does not send any information/makes an internet connection.
What i'm doing right now: 1. Download/install addon XXX 2. extract content of the. xpi file. 3. uses "find in file" with keywords like "url" or "http" and removes what i don´t like. 4. saves as new .xpi and then install this one instead.
Is there a better way to tackle this? If not, is there any better "keywords" to search for to make sure i find all lines of code that are used to connect to the outside/call home?
All Replies (5)
Sorry, I have never seen a "calling home" code detector extension.
Extensions / Add-ons that are hosted at Addons.Mozilla.Org - (AMO) - are carefully screened in multiple stages of the hosting upload process and "hand examination" before they are made public, to detect code like that.
Any extension that has functionality that "phones home" and is accepted at AMO is required to post a Privacy Policy notice.
Example - Ghostery https://addons.mozilla.org/en-US/firefox/addon/ghostery/ Privacy Policy - hyperlink to the right of the Add to Firefox button https://addons.mozilla.org/en-US/firefox/addon/ghostery/privacy/
When it comes to extensions that are hosted elsewhere, you are on your own - other than "field-stripping" the .xpi and inspecting the code in the .js files that are packed in the .xpi.
One more thing; the install.rdf file has an updates URL which might be to a non-AMO source to look for updates for that particular extension. It will "phone home" every time Firefox is launched to look for an update. That is rarely seen tho, and mostly used by add-on developers for pre-release / development versions of an extension. And is used with extensions that aren't hosted at AMO, too.
"Any extension that has functionality that "phones home" and is accepted at AMO is required to post a Privacy Policy notice."
Can you elaborate on that bolded part? Does it mean that if an extension on https://addons.mozilla.org do not have a "privacy" button, its guaranteed not to do any connection to the outside? And does that apply to extensions that are "not reviewed"?
Likewise, if an extension have a /privacy page that sais "This addon does NOT track and/or upload any of your information." can i trust this to 100% or is it the developer himself that can write what he wants, and then might do another?
anyone?
Some programs can send information on how the user uses the system, and other non-personal information. Most programs can call home to check for updates.
Almost all programs have the option to not do the above.
The Add-ons support forum is over here. https://forums.addons.mozilla.org/
Someone over there will have more details about that 100% part.