Security considerations
Last revised: 2025-05-14
The cloud application metering solution is designed with data protection and user privacy in mind.
There are two implementations of this solution:
1. Data is processed locally on the end device, and no raw data is sent upstream.
2. Filtered raw data is sent upstream for processing in Flexera's cloud environment. Note that this implementation is only activated on customer request.
Flexera has minimized the collected data to ensure that only necessary data points are stored. For implementation (1), Flexera has no access to the raw data collected by the extension. For implementation (2), Flexera filters the data against an allowlist so that only data relevant for licensing purposes is sent to Flexera's systems.
Data collected and sent
The cloud application metering extensions collect the following data points:
- Full URL of a website visited by a user
- The account that the user is logged on with, that is, either the local computer account or the Active Directory account. For example, computername\username or AD\username.
- A timestamp associated with the URL visit
The extension only collects the URL of web requests made by the browser. That means we do not look at security headers or the request body. The collected information is stored in an encrypted file.
After a short period of time (3-5 min), the collected information is processed by the agent.
For implementation (1), the URL details are removed from the resulting data set to ensure that the visited URL information never leaves the user’s device. Instead, only the number of hits against a cloud application metering rule is saved. The rule itself is not stored in clear text, but is instead represented by a unique RuleID that contains no details about which website it identifies.
The data that leaves the device consists of:
- The RuleID that matches the user's activity in the browser.
- The computer or Active Directory account that the user is logged on with.
- A timestamp associated with the URL visit.
The matching between the RuleID and the known application is done in the data processing pipeline. A known application is an application that has been analyzed and processed by the Data Intelligence Service (DIS).
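The reduction described for implementation (1), as an added example that is not Flexera's code: raw visit records go in, and only RuleID, account, and timestamp come out. The rule format (an opaque RuleID paired with a SHA-256 of the hostname), the RuleID values, and the sample visits are assumptions made for illustration.

```javascript
const { createHash } = require("node:crypto");

const sha256 = (s) => createHash("sha256").update(s).digest("hex");

// Assumption: each rule is an opaque RuleID plus the SHA-256 of a hostname.
// Clear-text names appear here only to build the constructed sample rules.
const RULES = [
  { ruleId: "R-7f3a", hostHash: sha256("app.example-saas.test") },
  { ruleId: "R-02c9", hostHash: sha256("crm.example.test") },
];

// Constructed raw records, as they would sit in the local encrypted store.
const RAW_VISITS = [
  { url: "https://app.example-saas.test/board?id=12", account: "AD\\alice", timestamp: "2025-05-14T09:00:00Z" },
  { url: "https://app.example-saas.test/settings", account: "AD\\alice", timestamp: "2025-05-14T09:01:10Z" },
  { url: "https://news.example.org/story", account: "AD\\alice", timestamp: "2025-05-14T09:02:30Z" },
  { url: "https://crm.example.test/accounts", account: "PC042\\bob", timestamp: "2025-05-14T09:03:05Z" },
];

// Reduce raw visits to RuleID, account and timestamp. URLs and visits that
// match no rule are dropped, so neither appears in the outbound data.
function reduceVisits(visits, rules) {
  const byHash = new Map(rules.map((r) => [r.hostHash, r.ruleId]));
  const outbound = [];
  const hits = new Map(); // RuleID -> number of hits
  for (const v of visits) {
    let host;
    try {
      host = new URL(v.url).hostname.toLowerCase();
    } catch {
      continue; // unparsable URL: nothing to match
    }
    const ruleId = byHash.get(sha256(host));
    if (!ruleId) continue;
    outbound.push({ ruleId, account: v.account, timestamp: v.timestamp });
    hits.set(ruleId, (hits.get(ruleId) || 0) + 1);
  }
  return { outbound, hits };
}

console.log(reduceVisits(RAW_VISITS, RULES));
```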
For implementation (2), the URLs are filtered against an allowlist, so that only domains of interest to the customer are included.
The data that leaves the device consists of:
- The entire URL, including query parameters.
- The computer or Active Directory account that the user is logged on with.
- A timestamp associated with the URL visit.
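A domain allowlist filter of the kind described for implementation (2), as an added example that is not Flexera's code. The allowlist entries and sample visits are constructed. Matching is done on the parsed hostname at a dot boundary, and a record that passes keeps its full URL, query string included.

```javascript
// Constructed allowlist: domains of interest to the customer.
const ALLOWLIST = ["example-saas.test", "crm.example.test"];

// Constructed visit records.
const SAMPLE_VISITS = [
  { url: "https://app.example-saas.test/dash?team=7", account: "AD\\alice", timestamp: "2025-05-14T09:00:00Z" },
  { url: "https://notexample-saas.test/", account: "AD\\alice", timestamp: "2025-05-14T09:01:00Z" },
  { url: "https://example-saas.test.other.test/login", account: "AD\\alice", timestamp: "2025-05-14T09:02:00Z" },
  { url: "https://example-saas.test@other.test/", account: "AD\\alice", timestamp: "2025-05-14T09:03:00Z" },
  { url: "https://CRM.Example.Test./accounts", account: "PC042\\bob", timestamp: "2025-05-14T09:04:00Z" },
  { url: "not a url", account: "PC042\\bob", timestamp: "2025-05-14T09:05:00Z" },
];

// Return the lower-cased hostname of an http(s) URL, or null if unparsable.
function hostOf(rawUrl) {
  try {
    const u = new URL(rawUrl);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.hostname.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  } catch {
    return null;
  }
}

// A host matches an entry when it is that domain or a subdomain of it.
// A substring or prefix test would also admit lookalike hosts; comparing
// on a dot boundary does not.
function isAllowed(host, allowlist) {
  return allowlist.some((d) => host === d || host.endsWith("." + d));
}

// Keep only visits whose parsed host is on the allowlist. The record is
// passed through unchanged, so the full URL and its query string remain.
function filterVisits(visits, allowlist) {
  return visits.filter((v) => {
    const host = hostOf(v.url);
    return host !== null && isAllowed(host, allowlist);
  });
}

console.log(filterVisits(SAMPLE_VISITS, ALLOWLIST).map((v) => v.url));
```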
Data encryption
All collected and processed data is stored encrypted.
This includes:
- Temporary storage of URLs, logins, and timestamps (AES-256)
- Storage of rules with corresponding hit numbers (AES-256)
- Generic Snow Inventory files that are used to package the data for sending (AES-128)
Extension permissions
When the browser extension is installed, it requests permission to access browsing data, because it needs that access to perform its tasks. Different browsers have different permission models. For example, Chromium-based browsers, as well as Mozilla Firefox, by design implement an all-or-nothing permission model for an extension that requests access to all URLs visited by a user. For the Snow Web Application Metering extension, this means that Chromium-based browsers and Mozilla Firefox will give it permission to read and change all data on websites visited by the user.
It is important to note that the browser extension only requires and collects information on the user-visited URLs, regardless of the permission model of the respective browser. The extension does not change or read the content of the visited web pages.
The table below lists the required permissions, their purpose, and the permission scope as shown in the app store and browser. Regardless of the stated scope, the extension uses these permissions only to collect information about URLs visited by the user.
| Permission | Why it is needed | Permission scope as shown in the app store and browser | Documentation references |
|---|---|---|---|
| webRequest | To identify which URLs are successfully accessed, the extension registers a callback on the onCompleted event of the webRequest object. Accessing the object and its events requires declaring this permission, along with host permissions. Currently, no more granular permission is available to support this functionality. | Chromium-based browsers like Google Chrome and Microsoft Edge: "Read and change all your data on the websites you visit"; Mozilla Firefox: "Access your data for all websites" | Chrome: chrome.webRequest; Edge: Declare API permissions in the manifest; Mozilla: webRequest |
| nativeMessaging | To make the gathered data available outside the browser, the extension must communicate with an external process. This permission allows it to launch that process and exchange data with it. | Chromium-based browsers like Google Chrome and Microsoft Edge: "Communicate with cooperating native applications"; Mozilla Firefox: "Exchange messages with programs other than Firefox" | Chrome: Native messaging; Edge: Native messaging; Mozilla: Native messaging |
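How the two permissions in the table fit together, as an added sketch that is not the extension's actual source: an onCompleted listener that forwards only the URL and completion time over a native messaging port. The native host name `com.example.metering_host` and the record field names are placeholders.

```javascript
// Build the outbound record from the only two fields used:
// the request URL and the completion time (milliseconds since the epoch).
function toVisitRecord(details) {
  return {
    url: details.url,
    timestamp: new Date(details.timeStamp).toISOString(),
  };
}

// Wire the listener to a native messaging port. `api` is the browser's
// extension namespace (chrome, or browser in Firefox).
function register(api, hostName) {
  const port = api.runtime.connectNative(hostName); // needs "nativeMessaging"
  api.webRequest.onCompleted.addListener(
    (details) => port.postMessage(toVisitRecord(details)),
    // Needs "webRequest" plus host permissions for these URL patterns.
    // No extraInfoSpec argument is passed, so the browser does not
    // include response headers in `details`. The request body is not
    // part of the onCompleted event at all.
    { urls: ["<all_urls>"] }
  );
}

// Runs only inside an extension context; placeholder native host name.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  register(chrome, "com.example.metering_host");
}
```

When reviewing an extension with this permission set, the third argument to `addListener` and the fields read from `details` show what the listener can see and what it actually forwards.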
Security testing
Flexera recognizes the importance of keeping the browser extensions secure as they are deployed to end-user computers and have access to the websites that the users visit. Therefore, Flexera has started a bug bounty program, where security researchers are rewarded for finding and reporting security issues within the extensions. This facilitates continuous security assessment of the latest changes to the cloud application metering extensions.