
Google to Allow Isolated Web Apps in Chrome to Access Sensitive USB Devices

Google is working to give trusted, isolated web applications unrestricted access through the WebUSB API, a JavaScript API that lets web applications interact with local USB devices on your computer.

In a Chrome browser status update, the company said it is testing the “Unrestricted WebUSB” feature to allow trusted web apps to securely access restricted local devices.

“The WebUSB specification defines a list of vulnerable devices that are blocked and a table of protected interface classes that WebUSB blocks from accessing,” Google said in an update. “This feature will allow isolated web apps with permissions to access the ‘USB-unrestricted’ permission policy feature to access devices that are on the list of blocked devices and protected interface classes.”

The update lists the rollout status for this feature as “In Developer Trial” and “Behind the Flag.”

Unlocking sensitive access

Under the WebUSB specification, web applications’ access to certain classes of interfaces is restricted to protect against malicious scripts that could potentially obtain sensitive data. These classes include audio devices, HID devices, mass storage, smart cards, video devices, audio/video devices, and wireless controllers.

With the new feature, Chrome will enable a set of trusted isolated web applications to access these blocked classes, along with several specific USB devices used for multi-factor authentication, such as YubiKeys, Google Titan keys, and Feitian security keys.
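The gating described above can be modelled as a small audit function. This is an added example, not code from Chrome or the WebUSB specification: `auditDevice` is a hypothetical name, the class codes are the USB-IF base class values for the classes listed above, and the blocklist entries and sample device are constructed placeholders. It assumes an interface is protected if any of its alternate settings carries a protected class.

```javascript
// Added example: USB-IF base class codes for the protected interface classes.
const PROTECTED_CLASSES = new Map([
  [0x01, "audio"],
  [0x03, "HID"],
  [0x08, "mass storage"],
  [0x0b, "smart card"],
  [0x0e, "video"],
  [0x10, "audio/video"],
  [0xe0, "wireless controller"],
]);

// device: object shaped like a WebUSB USBDevice.
// blocklist: [{ vendorId, productId? }] (constructed entries, not Chrome's list).
// usbUnrestricted: whether the app holds the "usb-unrestricted" policy feature.
// Assumption: an interface is protected if ANY alternate has a protected class.
function auditDevice(device, blocklist = [], usbUnrestricted = false) {
  const blocklisted = blocklist.some(
    (e) => e.vendorId === device.vendorId &&
      (e.productId === undefined || e.productId === device.productId));
  const interfaces = [];
  for (const config of device.configurations) {
    for (const iface of config.interfaces) {
      const hits = [...new Set(iface.alternates
        .map((alt) => PROTECTED_CLASSES.get(alt.interfaceClass))
        .filter(Boolean))];
      interfaces.push({
        configuration: config.configurationValue,
        interfaceNumber: iface.interfaceNumber,
        protectedClasses: hits,
        claimable: usbUnrestricted || (!blocklisted && hits.length === 0),
      });
    }
  }
  return {
    blocklisted,
    selectable: usbUnrestricted || !blocklisted,
    needsUnrestricted: blocklisted ||
      interfaces.some((i) => i.protectedClasses.length > 0),
    interfaces,
  };
}

// Constructed sample: composite device with one HID and one vendor-specific interface.
const SAMPLE_DEVICE = {
  vendorId: 0xffff, productId: 0x0001, // placeholder IDs
  configurations: [{ configurationValue: 1, interfaces: [
    { interfaceNumber: 0, alternates: [{ interfaceClass: 0x03 }] },
    { interfaceNumber: 1, alternates: [{ interfaceClass: 0xff }] },
  ] }],
};
```

Running it over the devices an app is expected to open shows which ones work under ordinary WebUSB and which would only function if the app were granted `usb-unrestricted`, which is useful when reviewing whether a given IWA really needs that grant.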

Isolated Web Applications (IWAs) are defined as applications that, instead of being hosted on a live web server and downloaded over HTTPS, are packaged into bundles signed by their developers and distributed to users through a variety of methods. These include platform-specific installation formats such as an APK, MSI, or DMG file; raw packages; an operating system, browser, or third-party “app store”; and installation through an enterprise system’s configuration management infrastructure.

IWAs can be safer

Google is likely pursuing this feature because IWAs are relatively secure: they limit interaction and data sharing between different applications and systems. The benefits of running an isolated web application include deterring compromises, controlled access and permissions, reduced dependency risk, and protection against cross-site scripting attacks.

Once this update is released, IWA users with permission to use the “USB Unrestricted” feature will be able to access a USB device that is normally “restricted” on the “vulnerable devices” block list. This feature will likely allow you to customize the types of USB devices that are available even when “USB Unrestricted” is enabled.

According to the update, Google intends to roll out the beta version of this feature in Chrome 128, which is scheduled to launch in August.