4 Comments

Chrome storage | afraid of getting hacked?

If you are an extension developer then there's a likelihood you store sensitive information in the local storage.

// Example data 
{
   isPremium: false
}

Are you ever afraid someone could just change this value and get unlimited access?
Ever thought of encrypting your data before storing?

Or how do you do it?

  1. 2

    Before you go too far down this road, just remember that, just like a web page, your users are able to access the full source code for your extension, including your content & background scripts. (see: https://www.maketecheasier.com/view-source-code-chrome-extension/ ).

    If they are really motivated then they could take your code, delete your security check, and run the modified version as an unpacked script.

    But anyway, for deciding how much hack-proofing to do, think about your potential customers in terms of who will pay and/or who will hack.

    Group 1 - Users that will pay and will never hack. Probably 98% of your users.
    Group 2 - Users that will pay, but will also try to hack your app to get it for free. If hacking is too hard then they will give up and pay. Maybe 2% of your users?
    Group 3 - Users that will never ever pay for your product. They may try to hack to get it for free. If hacking your product is too hard then they will just uninstall.

    The important thing is that you have to give up thinking about "group 3" people. Most hackers will never ever ever ever ever pay you a dime under any circumstances ever. They will either use it for free or not at all. They are not potential customers. Lots of developers make the mistake of getting distracted by this.

  2. 1

    I made ExtensionPay which only keeps the user's paid status on the server, not in the extension itself so people can't reach in and change it.

    You could always try to search for ways to hack extensions to see if there are any guides that you can guard against.

    I wouldn't worry about it too much though — the vast majority of people don't know how or aren't interested in hacking.

  3. 1

    There's a general rule that you should always validate that the user performing an action has the authority to perform that action. So even if your UI changes based on the isPremium variable, if the user tries to perform an action that only a premium user should be able to perform, the backend should refuse the request.

  4. 1

    You could store the info in a JWT so long as you have a secret key somewhere that only your application has access to - you use that to sign the JWT and that way any tampering can be detected. I’ve never made chrome extensions so I’m not sure the exact workflow here but hopefully this could work.
