When I'm thinking it's fine, what I'm thinking is: They probably wouldn't feature this on the front page of the app store if the app was harvesting data. Right? Somebody has reviewed this, right? Lots of people use it, and it seems fine! And I really super hate getting up early, flipping open the laptop to do some quiet-time work, and being blasted in the face by the extra-bright backgrounds of the various web portals I have to access.
But then I think, here's this extension that can read everything on every page I visit, and even if they're being good citizens now, there's no guarantee they won't sell the extension to some nefarious data-harvesting company later, or that the NSA hasn't insisted they scoop up data and placed a gag order on them. (And it's not that I think the NSA is out to get me specifically, but it seems clear they have a "harvest everything" policy, and I believe everything harvested will eventually be leaked.)
So I dunno: is it fine? Or am I being grossly irresponsible?
So yeah, maybe you should worry.
https://addons.mozilla.org/en-US/firefox/addon/grasshopper-u...
Yes. In fact, I write browser extensions.
> and if so, do you worry about security?
Yes and no. I don't worry about the security of extensions any more or less than I worry about the security of any native code that I install on my system. Native code is very powerful, and I think that people tend to overestimate the protection of sandboxing and other technological measures.
> They probably wouldn't feature this on the front page of the app store if the app was harvesting data. Right? Somebody has reviewed this, right? Lots of people use it, and it seems fine!
IMO this is the wrong way to think about it. You can't trust the App Store, app review is a joke, and crowdsourced anonymous reviews are a joke too, at best uninformed, at worst fake, fraudulent.
The best way to evaluate software is "old school", as it has always been since before the App Store existed: get your recommendations from friends and family, trusted associates, industry veterans, and professional published tech media reviews. Make sure to investigate and scrutinize the software developer; that's often more important than investigating and scrutinizing the software itself. It's all a matter of trust, and trust needs to be earned.
> even if they're being good citizens now, there's no guarantee they won't sell the extension to some nefarious data-harvesting company later
Well, developers who have a reputation for honesty and principles aren't likely to do this. Moreover (disclaimer: I make upfront paid extensions), I would argue that upfront paid extensions are more trustworthy than free extensions in this respect. It's a common refrain that if you're not the customer, then you're the product. And upfront paid extensions tend to have fewer total users than free extensions, for the obvious reason, which makes paid extensions much less interesting to data harvesters. Anyway, all software can get sold, so again there's nothing special about extensions in this respect. Don't enable auto-update. ;-)
> the NSA hasn't insisted they scoop up data and placed a gag order on them.
This is pure empirically unjustified paranoia. You need to worry about this for your operating system vendors, not for little indie app developers. The NSA doesn't give a crap about the latter. It would be like fishing in a rain puddle.
By the way, if you want to read more software reviews, go with the tech publications who still publish a monthly paid magazine. Sadly, the free online tech media have mostly (though not entirely) abandoned software reviews in favor of publishing corporate PR, rumors, and tweets.