Why ChromeOS extensions cannot list PWAs or system apps

Summary

A developer attempted to build a ChromeOS-specific extension intended to orchestrate or interact with the device’s ecosystem. The requirement was to enumerate all installed applications, including Progressive Web Apps (PWAs) and system-level default apps. The developer utilized chrome.management.getAll(), but discovered it is strictly scoped to the extension ecosystem (extensions and legacy Chrome Apps), failing to provide visibility into the broader OS application layer.

Root Cause

The issue is not a bug, but a deliberate security architecture decision by the ChromeOS engineering team. The root causes are:

  • Sandbox Isolation: Extensions operate within a highly restricted sandbox. Letting an extension see every PWA and system app would create a fingerprinting vector that malicious extensions could use to map a user’s software profile.
  • API Scoping: The chrome.management API is scoped specifically to the Extension/App subsystem. It does not bridge the gap between the Browser process and the ChromeOS App Launcher/System process.
  • Privacy Barriers: PWAs are often treated as independent web entities. Granting extensions broad visibility into these apps violates the principle of least privilege.

Why This Happens in Real Systems

In modern operating systems, there is a constant tension between inter-process communication (IPC) and security boundaries.

  • Capability Leaks: If an API allows “list all apps,” it inadvertently allows “list all user interests/work habits.”
  • Attack Surface Expansion: If an extension can see a system app, it might attempt to use side-channel attacks or exploit vulnerabilities in those apps via deep-linking or intent-based messaging.
  • Abstraction Layers: OS designers create “walls” between the Web layer (Extensions) and the OS layer (ChromeOS Shell) to ensure that a compromise in the browser does not lead to a full device compromise.

Real-World Impact

  • Feature Limitation: Developers building “App Launchers,” “System Dashboards,” or “Device Management” tools via extensions face a hard technical ceiling.
  • Development Friction: Engineers may waste significant cycles attempting to find “hidden” flags or undocumented APIs that simply do not exist due to the security model.
  • User Privacy Protection: On the positive side, the user is protected from extensions that might scrape their installed software list to serve targeted advertisements or perform reconnaissance.

Example

The following demonstrates the limitation of the existing API:

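// Requires the "management" permission in manifest.json.
// The call succeeds, but the result never includes PWAs or system apps.
chrome.management.getAll((items) => {
  console.log("Found items:", items);
  // Each entry's `type` is a chrome.management ExtensionType value,
  // e.g. 'extension', 'hosted_app', 'packaged_app' or 'theme'.
  // PWAs and OS apps are missing entirely.
});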

How Senior Engineers Fix It

When a senior engineer hits a hard architectural wall like this, they pivot from API searching to System Design alternatives:

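  • Shift to Native Messaging: Instead of doing the enumeration inside the extension, build a Native Host application (written in Python, C++, or Rust) that is installed on the device. This host can use OS-level commands to list apps and communicate the list back to the extension via chrome.runtime.connectNative. The extension needs the nativeMessaging permission, and the host’s manifest should name only that extension in allowed_origins.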
  • Intent-Based Interaction: Instead of enumerating apps to find one, use URL Schemes or Web App Manifests to attempt to launch an app directly, handling the error if the app is not present.
  • Policy-Driven Management: If this is for enterprise use, leverage Google Admin Console policies to manage app visibility rather than trying to hack it through the browser extension layer.
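
With the native messaging option above, the host sits outside the extension sandbox, so it becomes the boundary that has to enforce least privilege. The following is an added example, not code from the original page: a host-side sketch of Chrome's native messaging framing (4-byte length in native byte order, then UTF-8 JSON) with size caps and a single allow-listed command. The command name listApps, the 64 KB request cap and the sample app data are assumptions made for illustration.

```javascript
// Added example: framing and request handling for a native messaging host.
// Wire format: 4-byte length in native byte order, followed by UTF-8 JSON.
const LITTLE_ENDIAN = new Uint8Array(new Uint32Array([1]).buffer)[0] === 1;
const MAX_FROM_EXTENSION = 64 * 1024; // assumption: requests are tiny, so cap hard
const MAX_TO_CHROME = 1024 * 1024;    // Chrome rejects host messages over 1 MB
const ALLOWED_COMMANDS = new Set(["listApps"]); // hypothetical command name

function encodeMessage(obj) {
  const body = new TextEncoder().encode(JSON.stringify(obj));
  if (body.length > MAX_TO_CHROME) throw new RangeError("reply exceeds 1 MB");
  const frame = new Uint8Array(4 + body.length);
  new DataView(frame.buffer).setUint32(0, body.length, LITTLE_ENDIAN);
  frame.set(body, 4);
  return frame;
}

// Pulls complete frames out of a byte buffer; returns parsed messages plus the unread tail.
function decodeMessages(bytes) {
  const messages = [];
  let offset = 0;
  while (bytes.length - offset >= 4) {
    const view = new DataView(bytes.buffer, bytes.byteOffset + offset, 4);
    const len = view.getUint32(0, LITTLE_ENDIAN);
    if (len > MAX_FROM_EXTENSION) throw new RangeError("request too large");
    if (bytes.length - offset - 4 < len) break; // partial frame, wait for more data
    const body = bytes.subarray(offset + 4, offset + 4 + len);
    messages.push(JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(body)));
    offset += 4 + len;
  }
  return { messages, rest: bytes.subarray(offset) };
}

// Least privilege: one allow-listed command, and the reply carries app names only.
function handleRequest(msg, listInstalledApps) {
  if (typeof msg !== "object" || msg === null || !ALLOWED_COMMANDS.has(msg.command)) {
    return { ok: false, error: "unsupported command" };
  }
  const names = listInstalledApps().map((app) => String(app.name)).sort();
  return { ok: true, apps: names };
}

// Constructed sample data standing in for whatever OS-level listing the host performs.
const sampleApps = () => [
  { name: "Files", path: "/constructed/files" },
  { name: "Camera", path: "/constructed/camera" },
];
const { messages } = decodeMessages(encodeMessage({ command: "listApps" }));
console.log(handleRequest(messages[0], sampleApps));
```

Returning only names, rather than everything the host can see, keeps the fingerprinting surface discussed under Root Cause as small as the feature allows.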

Why Juniors Miss It

  • Assumption of Completeness: Juniors often assume that if an API is named management, it must cover management of the entire system. They fail to read the fine print in the documentation regarding “Scope.”
  • API-First Thinking: Juniors tend to look for a “function call” to solve a problem, whereas seniors look for the security model that governs the problem.
  • Ignoring the “Why”: A junior asks “How do I get this data?” A senior asks “Why is the OS preventing me from getting this data?” Understanding the impediment is more important than finding a workaround.
