What makes a Chromebook so secure?

One of the things you'll see written whenever there's talk about Chromebooks is how secure the platform is. If you're into computers or software design or any type of IT you know a good bit about why, but most of the time the talk just stops after saying that Chromebooks are secure.

I think it's good for all of us to understand a bit about how the things we use everyday work. That includes things like security and why your Chromebook might be a little better at it. It's worth knowing the basics even if you aren't interested in knowing about all the nuts and bolts. So let's take a few minutes and talk about why Chromebooks are secure instead of just saying it.

  • Chrome runs on the Linux kernel. Linux distributions like Ubuntu or SUSE can be a pain in the behind to configure and use, but they also can be configured to be incredibly secure. The Linux kernel was designed by a group of people who wanted an open alternative to Unix, and the open aspect — anyone can submit a change to the folks who maintain the kernel — means some really great ways to keep a user account or network traffic away from prying eyes have been implemented. Google tries to merge this sort of local security with a user-friendly interface to find a good balance, where one doesn't need to have a Computer Science degree to keep their account properly secured.
  • Chromebooks update automatically whenever Google decides they need an update. If you have your Chromebook turned on and online, it will check to see if there is an update available. If there is, it will download it and the next time you turn your Chromebook on it will have been applied. This is great for new features like better Android support or emojis, but it's also the best way to maintain a secure environment: let the professionals do it.

I'm not very keen about someone else having control over the software on my computer, even if that someone else can do a better job of it than I can. But I've come to realize that I would have downloaded and installed any updates that improve features and security as soon as they were available anyway, and have learned to embrace the Chrome update model.

  • Chrome OS isn't "virus-proof" but it's close. There are no viruses or malware that targets Chrome OS. That doesn't mean the platform is immune — every operating system has a long list of vulnerabilities — but right now nobody is targeting Chromebook users when it comes to malware attacks. That could change, and if it does, Google can quickly identify the problem and push a fix to every single user that will be installed the next time they log in. We always tend to think of how Google uses our data and how they can track so much of it, but it's also important to remember that some of the best security professionals in the world work there and they have a real commitment to keeping every product secure.

Think your Chromebook is prone to viruses? Think again.

  • Everything has its own sandbox. The Linux kernel is very good at separating individual processes from each other when they are being computed. Chrome leverages this and keeps each and every application and individual tab in the browser inside its own secure sandbox. That means they can't access any other app or the data from any other app directly and have to use the properly secured methods to share anything. This has proven over time (iOS and Android were built on this model) to be one of the best ways to prevent malware from getting a foothold on an account or system and older operating systems like Windows and macOS are in the process of doing the same.
  • Your Chromebook can't boot an "infected" system. Chrome uses what's known as Verified Boot to make sure the system files haven't been tampered with. When it's powering on, your Chromebook checks to make sure the system files are exactly the same as what Google originally sent to you the last time you updated. If they aren't, a backup copy that is will be used to boot the system instead. This means that if someone does write malware that targets Chrome, you stumble across it and it somehow gets out of the sandbox it was contained in, it gets thrown out with the bathwater the next time you log in.
  • Chromebooks are simple to erase and recover. This layered approach means it's very hard for anything to go wrong on your Chromebook when it comes to local security. But if somehow it were to happen, it can be easily fixed by wiping everything off your Chromebook and starting over. Everything in this case actually means everything, because the storage itself is erased and a fresh version of Chrome is downloaded and installed. The directions vary a little based on the hardware used, but generally a simple key combination will reboot into a recovery mode where simple instructions will tell you how to erase and restore everything.

Your account data is stored in the cloud, and after doing this you simply log in and pick up where you left off. Locally stored files will be erased, so it's always a great idea to use Google Drive and its tight integration into Chrome to keep all your important files backed up, too.

Google's work with the security of your account and cloud storage benefits you no matter which operating system or laptop you use. But when it comes to Chromebooks, the company goes the extra mile to keep others out of your stuff.

Windows-powered and Apple computers are also getting much better at security, and it's nice to know that the companies who make the things we use want us to be safer from online attacks. But if you want the most secure operating system you can get without configuring it yourself, a Chromebook has your back.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

  • I really want a pixel book or a pixel book 2 if they decide to come out with one. I had a MacBook pro and did not like it plus the keyboard always had issues.
  • Check out your local bestbuy to see if they still have their clearance going! I got the $1100 Pixelbook for $700 AFTER taxes. Otherwise there will be sales in the near future 😊
  • I wonder what is the value of all of this security if you're basically giving all control over to a 3rd party. Sure, Windows computers are susceptible to spyware and viruses that can take control of the computer. Chrome OS has built-in spyware, and Google holds all the keys to the hardware from the get-go -- no virus needed. I'm not sure which is the better model. (I understand that Windows 10 also has built-in spyware.)
  • What would your ideal situation look like?
  • I'd like to see sites like this be critical of the companies that they cover, rather than mere apologists. Half of the stuff on Android Central reads like unpaid advertorial. If Chrome OS activated the web cam every 30 seconds and sent a picture back to Google and called it a security feature that detects unauthorized use, there'd be someone here saying that they struck the right balance between security and privacy because it's not like they're doing it every 15 seconds.
  • That wasn't the question.
  • ChromeOS does not have built in spy ware. For me I much prefer Google keeps things up to date and secure. Google WiFi is similar. Love they take care of things and then when you have stuff like this major router vulnerability which effects most other routers you have nothing to worry about as Google is taking care of it. Case in point the Google WiFi router users were not effected by the vulnerability. Do you also think Google WiFi is spy ware? Is the Google or Amazon cloud?
  • You answered your own question with that parenthetical...
  • Haha
  • Sigh... when you are trying to quantify things, you *really* want to spell out your measurement methodology. For example: "since Chrome OS keeps 1,000 times less local data then Windows, local data security is 1,000 times better on the former than on the latter".
  • I would expect Google to switch the kernel used with ChromeOS to using the fuchsia kernel which is Zircon and would be a lot more secure. They will continue to support gnu/Linux like they are doing today on CBs with a VM. That will still work and Google already has it working with Fuchsia if you use the alpha version on a Pixel Book. But this approach will break Crouton. They also have to finish getting the Android runtime running on Fuchsia or they can do Android with a VM. It will be transparent to users. Will be interesting to see what they call it and if just leave calling it ChromeOS.
  • Do you even need crouton anymore with Chromebooks gaining the ability to run Linux apps?
  • It would be nice if they were able to get the next OS, whatever they call it, to support Linux utils and middleware natively or build a compiler that could xlate them to the new kernel and userspace utils. They are building from the ground up so it's possible, but yes I know its probably very difficult and not very likely to happen. But I can dream, right?
  • What's this about purple salad toppings? Keep the comments relevant to the conversation, please.
  • Always enjoy your articles Jerry...almost as much as I love my Chromebook :)
  • I understand that its possible to run chrome OS on a PC. Im so ready to try this. I get bombarded with mall crap alot and windows 10 is just really annoying.. https://www.howtogeek.com/217659/how-to-get-a-chrome-os-like-operating-s...
  • I'm going to check that out
  • I have always liked the Google Pixelbooks, they look really nice.
  • I recently bought a used Asus Chromebook off ebay for £130. Runs android apps. Great battery life. Boots in 10 seconds or less. I have been using it instead of my MacBook Air. Love how light it is. Can fold back on its hinges and be used like a tablet. Only 10 inches as well. Really happy with Chrome OS for the kind of things I use it for.
  • I own 2 devices: my gaming rig running Win10 and my Pixel 2 XL. My family uses Chromebooks, and now with Linux app support (and Android apps) I'm ready to make the leap once and for all. No more Windoze for me :)
  • > I own 2 devices: my gaming rig running Win10 Make sure to share your experience replacing Windows gaming rig with Chromebook.
  • Lol
  • Nice little machines.
  • Google locks boot image to a hardware token . That is the key to being so secure.