A couple weeks ago, we woke up to an email no developer wants to read—that our app was removed from the Chrome Web Store.
If you don't know us, we are a popular webpage screenshotting app. Among extensions, we're one of the most-downloaded indie apps (not venture-funded or owned by a corporate). A lot of our users come to us because of the high download count and rating on our Chrome Web Store storefront:
This storefront was published nearly 10 years ago on @mrcoles' personal email address. And as I came on to run the day-to-day business, we hadn't yet taken the steps to make the account accessible to multiple people.
As a band-aid solution, we set up auto-forwarding of certain notifications from @mrcoles' personal email to my work email. We didn't consider that Chrome might send us notification emails from a completely new, foreign email, which would then slip through the cracks...
Which leads us to that fateful morning. I started the day and immediately noticed a flood of tickets and tweets about our storefront. (Always tweet/report issues, thank you awesome users 😛)
We soon discovered that we had missed a 2-week warning email from Chrome. There had been a permissions misunderstanding. As a result, the storefront had been taken down.
No existing users were affected, but any new users looking for our storefront were directed to a 404 page:
Over the next 60 hours, this issue became the most reported issue in our customer support channel. Finally, near the end of the third day, our storefront was restored. And the dust has largely settled since.
We went through a small personal hell here. So we'd like to offer ourselves up for lessons learned!
Some indie projects are built just for fun, and are never meant to be monetized or grow. (Take @mrcoles' Dragon Drop! project for example 🐉😉). But if you find yourself returning to a project and improving/iterating, that would be a good time to consider how others might get involved one day.
Even for a one-person project with no specific aspirations, it is so much easier to take steps during set-up, or early on, than to repair later. We discounted how difficult it would be to turn a 10-year solo project into one run by a collaborative team. And the procrastination in our case ultimately led to this 60-hour fire drill.
When the storefront was taken down, we went to anyone who might have some amount of influence or insight. Though the review process is a protected, faceless black box, we were able to get through to some folks inside Google. The contacts we had were absolutely crucial to getting this resolved. So how do you do this? By helping others online, asking questions, enriching the spaces you're a part of—and not treating the internet like a spectator sport.
All we could do throughout this incident was remain communicative and transparent. Because of our record, we were able to tell the truth of what happened and were able to assuage user concerns.
Nothing serves an indie business like honesty, transparency, and consistency; our users' trust in us is our entire brand value.
We see threads on the Chromium Extensions Google Group all the time with people seeking answers for a removed storefront. We knew we had to do everything possible to avoid this, and we thought we were fending off the possibility well. In the end one of our biggest nightmares ended up happening anyway. But we survived! So, you can't plan for everything. Your nightmare will happen, and it's all about how you respond. As well as what you learn from the experience for future.
It was cool to see a very organic measure of referral activity. Nearly every report of this incident was a happy user trying to refer us to a friend or colleague!
We deeply appreciate those at Chrome who heard us out, worked through the confusion, and advocated for us. We also understand why this happened! The Chrome Web Store was unregulated for a long time, and malicious actors thrived. The platform appears to be in an adolescent phase when it comes to user protections. We see this incident as a symptom of growing pains, as Chrome works to balance user privacy with developer-friendliness.
We are optimistic this bumpiness will smooth out. And we'll continue supporting and creating a high-value product with user privacy as a core tenet. We'll continue to work to bring value to—rather than extract value from—our users.
Would love to hear any thoughts/questions from Indiehackers, any tips we might have missed here, etc!
oh boy! I've heard horror stories around Google's Chrome Store Listings.
I'm glad you were able to address this issue. This is one of my concerns as I'm building my first indie product for the browser. Something I think about from time to time.
It's a risk, but it's something I'm willing to take to provide value to users.
So it sounds like all of your permissions were justified.
I have a technical question, are you declaring these permissions as optional or are they strictly required. Curious to see how GoFullPage handles permissions
Hey @miguel, awesome, I hope TurboNav is going well! It’s tough and scary building alone, but also really rewarding and great when you connect with other folks!
The only required perms in the extension are
["activeTab", "storage", "unlimitedStorage"]
. None of these require an extra permissions dialog on install, and then the rest are all optional. The two main times perms are requested are (1) to use the chrome.downloads API and (2) when screenshotting iframes it needs deeper permissions to access the inner page (which is frustrating, but understandable, and this is where it got more nuanced).I like for any dialog-requiring permissions to make them optional and then I can control the requesting of permissions from inside the extension and explain to the user why it’s necessary and have the option to retry at a future time. Otherwise if it’s during installation, a lot of users will just bounce and not install.
Thanks so much for doing this! The care around permissions was what made me really excited when I first started using GoFullPage. It's super refreshing given that most extensions ask for a ton of permissions they don't need without any explanation.
most definitely! I recently started building in public and I'm connecting with so many wonderful indie makers, it's awesome to be surrounded by people who share the same beliefs. In being able to build something that helps others and believing in one's self to accomplish and put something out that will help others.
Thanks for sharing your strategy for permissions, this is a good example that I believe many extensions should follow. I must honestly say I'm not there yet but do plan on making sure only the necessary apis are used. Currently, I'm building a Command-Line Tab search feature in which you can view from any webpage. Privacy and Security is important so that's something I've kept in mind since day one, that's why I was curious about your permission model
Thanks for sharing your experience and look forward to seeing what else you build!
Ahh, the Google Chrome Extension black box.. So much fun.
I've had a similar experience as a first time dev submitting an extension. It's really not clear what's gone wrong some times and you're absolutely right, the Google Group is helpful, but even better is knowing people on the inside.
In my case, I found that submitting a youtube video of me using the extension was enough to get listed, so really your milage may vary and you've got to try it all. For what its worth, this side of Google is the one with the most human contacts which I've expeirneced so far, so there's always that!
Wow's that's super interesting about the Youtube video, noted! And indeed, there's so many different spaces/ways of communicating now and no magic formula, so we were just trying to share what helped in our case/and what we'll double down on in future. Throwing this up on IH was a way to also build on what we learned 😜
Yep, there’s good way, just their way 😂 in any case, here’s my write up of that resubmission process in case it helps anyone in the future: https://www.indiehackers.com/post/extension-re-reviewed-and-approved-87c3f01e07
I'd add a 5th point: be very careful giving a company full control of distribution of software you own, and relying on them solely for such distribution. This nightmare (which you thankfully awoke from) is the reason I won't release anything on any 'store'. Not willing to have that store then decide it's time to turn off the tap for some random whim or broken algorithm.
Is it possible to install Chrome extensions from "untrusted" sources? Could that be a viable backup?
It used to be easier to install from “untrusted” sources, but they’ve locked that down more and even if you add an unpacked package locally Chrome still asks you to remove it occasionally citing it might be unsafe. Given how many malicious extensions used to exist (remember all those toolbar ones back in the day?), I can see why they did this.
When it comes to being on any “store” or not, there’s always a tradeoff between distribution and control. I must have built over a hundred little tools & side-projects, but the one I put up on a “store” is the only one that has reached millions and millions of active users. However, I still agree with your point—we’ve already expanded to another browser extension store and are looking now into expanding outside of extensions to take more control over our product!
Ahh, that's a shame.
Great to hear you've started to expand and spread the risk! I agree it's all about that tradeoff.