I think that malicious programs that work offline are also highly dangerous, e.g. malware built in from the start, corrupting the PC irretrievably, corrupting the deck schedule. So I think if we base it on sends and receives, there may be a possibility to miss something like that.
Basically decks do not contain any info about money or privacy, so even if the add-on is collecting and submitting data about Anki and decks there is little risk to the user (such data is usually collected for research and improvement purposes). If the add-on is trying to access data that has nothing to do with Anki it becomes suspicious.
Also, I think of reliability like this:
- Does the author do a lot of volunteer work?
  - Basically programming is a high-paying job. If the author wants money, they can make more money by doing programming work that has nothing to do with Anki. If the author wants to make a profit, it is unreasonable to develop a lot of free add-ons or to volunteer, so an author who does a lot of volunteer work is more reliable.
- Is the author a professional programmer or not?
  - A novice developer may accidentally cause significant problems even if there is no malicious intent (e.g. making a critical operational error, incorporating dangerous code, developing an add-on that makes the user do something illegal). With experienced professional programmers such risks are quite low. Developers who contribute a lot to Anki for desktop or AnkiDroid rather than personal add-ons are more reliable.
- Is the author not anonymous?
  - An author can be arrested if they distribute illegal malware, so an author who discloses their name, photo, address, and place of business is more reliable.
- Is the author really that person?
  - Even if a name or URL is listed on AnkiWeb, it may not be the same person, so a simple fact check is ideal.
- Is the add-on original or not?
  - If there is a malicious developer they might embed malware in a popular add-on and distribute it, so an add-on by the original author is more trustworthy than a fork.
- Are there many contributors?
  - An add-on with many contributors means that many developers are reading the code. If there is malicious code it is more likely to be discovered by the developers, so the more contributors, the more reliable.
- Are there lots of users?
  - The more users there are, the more chances there are for more developers to read the code, so popular add-ons that have been developed for many years are more reliable. Newly released add-ons are less reliable because no one may have checked them yet.
- Is the code written for easy reading?
  - Friendly developers add many comments to the code to make it easier for other developers to understand the add-ons. This makes the code more reliable because it is easier to understand all of it.
- Is the add-on code simple and short?
  - Simple and short add-ons are reliable because they can be read quickly, but they are often less convenient as well.
- Does the author list the license correctly?
  - Meticulous authors correctly list the license for the code and materials they use in their add-ons. If code is clearly copied but there is no mention of it, or if material from an unknown source is used, it is a bit suspicious.
- Is the add-on publicly available on GitHub?
  - If the code is publicly available on GitHub it is easier for many developers to check the add-on.
- Does the author actively interact with users?
  - Sometimes authors actively interact with users on GitHub, Discord, Reddit, etc. In these cases I think it is unlikely that they are incorporating malicious code for money or mischief.
So in my opinion third parties and well-known developers are very reliable: they fulfill many of these checkpoints, develop for free in huge quantities, and their code is very serious, so it is clear from a developer's view that they are not interested in profit or mischief at all.
These developers' activities are difficult for the average user to understand, e.g. the hard work of the developers does not change anything on the surface, thus from the average user's view the developers seem to be doing nothing (thus for average users, third parties and monetizing authors look like scammers).
However as already explained even if all of these are checked they are not completely safe.
E.g. these are the risks:
- Embedding malware when updating an add-on.
- Embedding malicious code in a sophisticated way that is not known to the average developer.
- Using different code on AnkiWeb than what is publicly available on GitHub.
- The account is real but has been hacked.
- Photos and biographies are AI generated.
- Author appears friendly but is actually a scammer.
- Removing malicious code in some way after execution.
In short, add-ons can be developed for anything, so any malicious workaround can be developed. So if users want to be as safe as possible it is safest to use native Anki without add-ons; Anki for desktop is checked by official Anki and is read by many developers, so it is the most reliable. (Basically, to develop add-ons developers need to read Anki's code.)
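The "different code on AnkiWeb than on GitHub" risk in the list above is one that can be checked mechanically rather than by eye. The script below is an added example, not code from this post or from the Anki project: it hashes every file in the add-on folder Anki unpacked and in a checkout of the add-on's public repository, then reports files that were added, are missing, or differ. The folder layout, the ignore list (Anki's own `meta.json` plus `.git` and `__pycache__`) and the two sample trees are constructed assumptions so that it runs offline.

```python
"""Compare an installed Anki add-on against its public source, file by file.

Added example (not part of the original post). Assumptions: `installed_dir`
is the folder Anki unpacked from AnkiWeb, `reference_dir` is a checkout of
the add-on's public repository; both sample trees below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Path components that legitimately differ between a repo and the installed
# copy (assumed: Anki writes its own meta.json into each add-on folder).
IGNORE_NAMES = {"meta.json", ".git", "__pycache__"}


def hash_tree(root: Path) -> dict:
    """Return {relative posix path: sha256 hex} for every regular file under root."""
    digests = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if any(part in IGNORE_NAMES for part in rel.parts):
            continue
        if path.is_file():
            digests[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_trees(installed: dict, reference: dict) -> dict:
    """Classify files; 'added' (only in the installed copy) deserves reading first."""
    return {
        "added": sorted(set(installed) - set(reference)),
        "missing": sorted(set(reference) - set(installed)),
        "modified": sorted(p for p in installed.keys() & reference.keys()
                           if installed[p] != reference[p]),
    }


def compare_addon(installed_dir, reference_dir) -> dict:
    return diff_trees(hash_tree(Path(installed_dir)), hash_tree(Path(reference_dir)))


def build_sample_trees(base: Path):
    """Construct a toy pair: a reference checkout and an installed copy that
    carries one changed file and one extra module the public repo never had."""
    ref, inst = base / "reference", base / "installed"
    for d in (ref, inst):
        (d / "gui").mkdir(parents=True)
    (ref / "__init__.py").write_text("from . import gui\n")
    (ref / "gui" / "__init__.py").write_text("def setup():\n    pass\n")
    (ref / ".git").mkdir()
    (ref / ".git" / "HEAD").write_text("ref: refs/heads/main\n")   # ignored
    (inst / "__init__.py").write_text("from . import gui\nfrom . import helper\n")  # modified
    (inst / "gui" / "__init__.py").write_text("def setup():\n    pass\n")
    (inst / "helper.py").write_text("import urllib.request\n")  # added, not in the repo
    (inst / "meta.json").write_text("{}")                       # Anki metadata, ignored
    return inst, ref


def demo() -> dict:
    """Build the constructed sample trees in a temp dir and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        inst, ref = build_sample_trees(Path(tmp))
        return compare_addon(inst, ref)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Anything listed under `added` or `modified` is exactly the code that nobody reading the GitHub repository has reviewed, so those files are the ones to open before enabling the add-on.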
So in my case measures are like this:
- Make sure that if my PC is broken or infected with malware, it doesn't matter.
  - Simply put, even if my PC is completely broken or hacked, if the contents are empty there is nothing to steal and no damage, so I keep backups of all important data and I do the important stuff on a different PC.
- Toggle off suspicious add-ons and examine the code before running them.
  - E.g. there are sometimes add-ons that have just been released and have no description and an unknown purpose. It is dangerous if these add-ons contain malware, so at first I toggle them off and read the code.
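"Read the code" scales badly once an add-on has a few thousand lines, so a first pass is usually a static triage: which files import networking or process modules, call `eval`/`exec`, or open files by path. The script below is an added example, not the post's or Anki's own tool. It parses each `.py` file with Python's `ast` module and reports those capabilities with line numbers; the module lists and the constructed sample add-on (`SAMPLE_ADDON`) are assumptions, and `aqt` is only referenced inside that sample text, never imported.

```python
"""Static triage of an Anki add-on's Python source.

Added example (not from the original post). Flags capabilities a flashcard
add-on rarely needs so a reviewer knows where to read first. Module lists
and the sample add-on below are constructed assumptions.
"""
import ast
import tempfile
from pathlib import Path

NETWORK_MODULES = {"socket", "urllib", "requests", "http", "ftplib", "smtplib", "aiohttp"}
PROCESS_MODULES = {"subprocess", "multiprocessing"}
OS_PROCESS_CALLS = {"os.system", "os.popen", "os.startfile"}
DYNAMIC_CALLS = {"eval", "exec", "compile", "__import__"}


def _root(name: str) -> str:
    return name.split(".")[0]


def _call_name(node: ast.Call):
    """Dotted name of a call target ('os.system', 'eval'); None for other callables."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
        return ".".join(reversed(parts))
    return None


def _check_module(findings, lineno, name):
    root = _root(name)
    if root in NETWORK_MODULES:
        findings.append((lineno, "network", name))
    elif root in PROCESS_MODULES:
        findings.append((lineno, "process", name))


def triage_source(src: str, filename: str = "<addon>") -> list:
    """Return sorted (line, category, detail) findings for one source file."""
    findings = []
    for node in ast.walk(ast.parse(src, filename=filename)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                _check_module(findings, node.lineno, alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module:
            _check_module(findings, node.lineno, node.module)
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DYNAMIC_CALLS:
                findings.append((node.lineno, "dynamic_code", name))
            elif name in OS_PROCESS_CALLS:
                findings.append((node.lineno, "process", name))
            elif name == "open" and node.args:
                # A literal path shows at a glance whether it is outside the add-on/profile.
                arg = node.args[0]
                target = arg.value if isinstance(arg, ast.Constant) else "<dynamic>"
                findings.append((node.lineno, "file_io", f"open({target!r})"))
    return sorted(findings)


def triage_addon(addon_dir) -> dict:
    """Map each .py file (relative path) under addon_dir to its findings, omitting clean files."""
    addon_dir = Path(addon_dir)
    report = {}
    for py in sorted(addon_dir.rglob("*.py")):
        found = triage_source(py.read_text(encoding="utf-8"), str(py))
        if found:
            report[py.relative_to(addon_dir).as_posix()] = found
    return report


# Constructed sample: a tiny add-on that does several things a deck tool should not.
SAMPLE_ADDON = '''\
from aqt import mw
import urllib.request
import subprocess

def on_profile_loaded():
    notes = open("/path/outside/anki/profile.txt").read()
    urllib.request.urlopen("https://example.invalid/collect")
    subprocess.run(["echo", "hello"])
    exec(notes)
'''


def demo() -> dict:
    """Write the sample add-on into a temp folder and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "__init__.py").write_text(SAMPLE_ADDON, encoding="utf-8")
        return triage_addon(tmp)


if __name__ == "__main__":
    for path, findings in demo().items():
        for line, category, detail in findings:
            print(f"{path}:{line}: {category}: {detail}")
```

A hit is not proof of malice (a sync add-on legitimately needs `urllib`), but an add-on whose AnkiWeb description says nothing about the network and still imports it is exactly the case the post describes as worth toggling off until the code has been read.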
However I think it is extremely unlikely that add-ons actually contain any kind of malicious malware, according to AnkiForums maybe there has been only one suspicious case so far. (Though it is possible that it was quickly removed by the official Anki, or possibly undetected.)
I guess the reason for this is that the number of users of add-ons is extremely small, e.g. according to the author’s page of my add-ons releases, the number of downloads of the usual add-ons (not so popular but still useful) is in the tens to hundreds, even the leaderboard of popular add-ons currently has only about 1700 active users.
This means that even if a malicious developer develops add-ons only tens or hundreds of them will be downloaded. So if the malware is for profit there is no benefit to developing add-ons at all, it would be easier and more reasonable to develop a Chrome extension with a large number of users instead or to send a lot of spam emails.
So I check the security of these as well just to be sure, but in reality I’m mainly trying to prevent errors and bugs in add-ons, like this:
- Install and update add-ons one by one.
  - If you do not know which add-on is the cause of an error it can be quite troublesome, thus it is easier to identify errors if you update or download add-ons one by one while checking the working of each add-on instead of installing them in batches.
- Wait a week or so to update add-ons.
  - If a busy developer rushes to fix a problem, they may submit problematic code and break it even more. Waiting a week or so makes it easier to get a stable version.
- See the AnkiWeb page before updating.
  - If there are critical errors in popular add-ons they are usually reported in the ratings, so if you are concerned it is relatively safe to read the AnkiWeb page to make sure it is working.
- Toggle off add-ons that are only used occasionally.
  - As already explained, updates can be a workaround for malware, and they can also cause errors, so you can reduce unexplained errors and security risks by toggling them on only when you use them.
If measures like this are taken for errors maybe it will help a little bit for security measures. (e.g. by delaying the update someone might discover the malicious code first and the add-on will be removed.)