About AppTotal

AppTotal automatically and reactively scans OAuth applications from different SaaS platforms (e.g. Azure/Office 365, Google Workspace, Slack) and produces a quantified risk score for each app based on dozens of features. These features include permissions, configuration, app activity, app resources, and much more.

Organizations and security researchers use AppTotal to assess OAuth apps they have connected or would like to connect to their SaaS platforms.

Who developed AppTotal?

Canonic Security is a business applications security platform that helps companies control and manage third-party apps, add-ons, and other platform-native integrations. We let employees connect the apps & integrations they want to IT-approved applications while giving insight into app access and vulnerability intelligence.

How do I contact with AppTotal for questions or other requests?

Just send an email to [email protected].

How do I get a report for an OAuth app?

In the search box on the AppTotal home page, you can simply type in the client ID of the OAuth app you’re looking for, or start typing the app name.

How do I find my connected OAuth apps?

Consent pages

You can find the client ID of an OAuth app in the consent page URL. In the URL, look for the client_id parameter, and submit it to AppTotal.

Google

On Google Admin Console, go to App Access Control. There you'll find all the authorized OAuth apps and their client IDs.

On your Gmail mailbox, you can find apps accessed your Gmail mailbox, scroll to the bottom of the page, and click the “Details” button.

Microsoft

On the Azure portal, go to Enterprise applications. In there you'll find all the connected apps. On Azure, they refer to client ID as “Application ID” / “appId”.

Slack

On the Slack marketplace, you can find the app ID in the app page URL. On AppTotal, you can simply search by the app name.

App Report Explained

Overview

Canonic Verified

App and publisher authenticity verification process made proactively by Canonic Security's app intelligence team.

Note: A Canonic verified app can still be malicious or pose a risk due to compromised publisher, vulnerabilities and over privileged permissions.

Publisher

The app’s developer can be either an individual or an organization.

Client ID

The public identifier for OAuth apps, a unique ID across tenants.

Category

The app’s category as specified in the marketplace, the developer, or by AppTotal review.

Type

The app client type as registered on the platform, usually this one is an optional configuration. A type can be a web app, mobile, browser extension.

Tags

Whether the app is 3rd/1st party and other metadata tags.

  • First-party - apps represent native services owned by the SaaS provider. For example, Google Drive, Gmail, Microsoft SharePoint, and Exchange are first-party apps and have a unique client ID assigned by the SaaS provider.
  • Third-party - apps registered by a vendor other than the SaaS provider. Usually, these apps are publicly available to anyone.
  • Internal app - apps registered for internal use and integration, available only to users within the tenant it was registered. Mainly used for automation within the SaaS environment and integrations with internal systems.

Platform Verified

Whether the app went through the platform’s (e.g. Google, Microsoft, Slack) publisher verification process.

Summary

App Risk

App's risk score is calculated based on its permissions, severity of its findings, and its publisher rating.

Risks

Risks comprised of security posture findings and risk indicators.

Permission Level

Permission level is determined by the app's requested scopes, based on the scope's operation (e.g. read/write) and the affected resources (e.g., Gmail, OneDrive, Teams).

Sandbox

API Calls

The app’s API activity as recorded by our sandbox.

IP Addresses

The IP addresses that API activity was originated from.

Redirect URLs

The apps’ redirect URLs as registered during the app registration.

Permissions

Access Types

Sign-inAccountSystemData
Apps that have no other access other than signing in on behalf of the authorized userApps that have access to a user's account dataApps that may read or edit system configuration or platform settingsApps that have access to anything that the authorized user has access to

Permissions

The OAuth permission scopes as seen requested by the app, their description according to the SaaS platform, and their severity (low/med/high) according to the affected service/resource (e.g. Gmail, OneDrive, Teams) and the operation (read/write).

Compliance

Privacy policy

The privacy policy URL as registered during the app registration. This is usually optional on app registration.

Terms of service

The terms of service URL as registered during the app registration. This is usually optional on app registration.

Certifications

The app developer compliance certificates according to the publisher declaration.

Data retention

The app developer data retention policy as mentioned in the legal documents.

Risks

Risks

Detailed list of findings and risk indicators. Findings are security posture issues identified on the analyzed app. Issues related to security posture include bad security practices in app configurations, as well as vulnerabilities in app-related assets. Risk indicators are properties of the app that affect its risk score, but do not always indicate whether or not the app is malicious.

Threat Insights

Threat intelligence insights collected by Canonic Security’s app intelligence.