Skip to main content

Security considerations

Last revised: 2025-05-14

The cloud application metering solution is designed with data protection and user privacy in mind.

There are two implementations of this solution:

  1. Data is processed locally on the end device, and no raw data is sent upstream.

  2. Filtered raw data is sent upstream for processing in Flexera's cloud environment. Note that this implementation is only activated on customer request.

Flexera has minimized the collected data to ensure that only necessary data points are stored. For implementation (1), Flexera has no access to the raw data collected by the extension. For implementation (2), Flexera filters the data against an allowlist so that only data relevant for licensing purposes is sent to Flexera's systems.

Data collected and sent

The cloud application metering extensions collect the following data points:

  • Full URL of a website visited by a user

  • The account that the user is logged on with, that is, either the local computer account or the Active Directory account. For example, computername\username or AD\username.

  • A timestamp associated with the URL visit

The extension only collects the URL of web requests made by the browser. That means we do not look at security headers or the request body. The collected information is stored in an encrypted file.

After a short period of time (3-5 min), the collected information is processed by the agent.

For implementation (1), the URL details are removed from the resulting data set to ensure that the visited URL information never leaves the user’s device. Instead, only the number of hits against a cloud application metering rule is saved. The rule itself is not stored in clear text, but is instead represented by a unique RuleID that contains no details about which website it identifies.

The data that leaves the device consists of:

  • The RuleID that matches the user's activity in the browser.

  • The computer or Active Directory account that the user is logged on with.

  • A timestamp associated with the URL visit.

The matching between the RuleID and the known application is done in the data processing pipeline. A known application is an application that has been analyzed and processed by the Data Intelligence Service (DIS).

For implementation (2), the URLs are filtered against an allowlist, so that only domains of interest to the customer are included.

The data that leaves the device consists of:

  • The entire URL, including query parameters.

  • The computer or Active Directory account that the user is logged on with.

  • A timestamp associated with the URL visit.

Data encryption

All collected and processed data is stored encrypted.

This includes:

  • Temporary storage of URLs, logins, and timestamps (AES-256)

  • Storage of rules with corresponding hit numbers (AES-256)

  • Generic Snow Inventory files that are used to package the data for sending (AES-128)

Extension permissions

When the browser extension is installed, it will request permission to access browsing data, since it is a prerequisite for it to be able to perform its tasks. Different browsers have different permission models. For example, Chromium-based browsers, as well as Mozilla Firefox, by design implement an all-or-nothing permission model for an extension that requests access to all URLs visited by a user. For Snow Web Application Metering extension, this means that Chromium-based browsers and Mozilla Firefox will give it permission to read and change all data on websites visited by the user.

It is important to note that the cloud application metering browser extensions only require and collect information on the user-visited URLs, regardless of the permission model of the respective browser. The extensions do not change or read the content of the visited web pages.

The respective app store and browser will show a list of permissions that will be, or have been, given to the browser extension based on the browser's permission model, as shown in the table below.

note

The table shows permissions given by the browser, as stated by the browser. No matter what permissions are given, the browser extension will use them only to collect information on the user-visited URLs.

BrowserPermissions as shown in the app store and browser
Chromium-based browsers Google Chrome and Microsoft Edge
  • "Read and change all your data on the websites you visit"
  • "Communicate with cooperating native applications"
Apple Safari
  • "Webpage Contents Can read sensitive information from webpages, including passwords, phone numbers, and credit cards. Can alter the appearance and behavior of webpages on: all webpages".
  • "Browsing History Can see when you visit: all webpages".
Mozilla Firefox
  • "Access your data for all websites"
  • "Exchange messages with programs other than Firefox"

Security testing

Flexera recognizes the importance of keeping the browser extensions secure as they are deployed to end-user computers and have access to the websites that the users visit. Therefore, Flexera has started a bug bounty program, where security researchers are rewarded for finding and reporting security issues within the extensions. This facilitates continuous security assessment of the latest changes to the cloud application metering extensions.