Sometime back i was involved in audit of a app for chrome netbook. While doing that i did some analysis on the security of Chrome Netbook(Cr-48). Summarizing my findings here.
1. At a time only one user can be logged on.
2. All users browser session runs under one UNIX user “chronous”.
3. Users data is encrypted using keys derived from the login session info.
4. User is given direct access permission only to /home/chronos/user/Downloads/ folder.
a. Users downloads go into this folder.
b. Users encrypted data is mounted under this folder /home/chronos/user/
5. Following data is stored separately for each and every user.
e. Local Storage
f. Pepper Data (flash local data.)
g. Sync Data
i. Login Data
6. There is no way one user can modify the data of another user (locally).
7. “shell” access is given only in DEV mode. Otherwise all you have is the browser.
8. Chrome “extensions” are given special permission.
a. notifications, unlimitedStorage , geolocation , tabs,
b. It can work across domain. (Something not allowed in browser.)