About AppTotal
AppTotal automatically and reactively scans OAuth applications from different SaaS platforms (e.g. Azure/Office 365, Google Workspace, Slack) and produces a quantified risk score for each app based on dozens of features. These features include permissions, configuration, app activity, app resources, and much more.
Organizations and security researchers use AppTotal to assess OAuth apps they have connected or would like to connect to their SaaS platforms.
Who developed AppTotal?
Canonic Security is a business applications security platform that helps companies control and manage third-party apps, add-ons, and other platform-native integrations. It lets employees connect the apps and integrations they want to IT-approved applications while giving security teams insight into app access and vulnerability intelligence.
How do I contact AppTotal with questions or other requests?
Just send an email to [email protected].
How do I get a report for an OAuth app?
In the search box on the AppTotal home page, you can simply type in the client ID of the OAuth app you’re looking for, or start typing the app name. Use the platform switcher for better search results.
How do I find my connected OAuth apps?
Consent pages
You can find the client ID of an OAuth app in the consent page URL. Look for the client_id query parameter in that URL and submit its value to AppTotal.
Google
Microsoft
Slack
[How to find apps on Slack](doc:how-to-find-apps-on-slack)
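The consent-page method above is the same on every platform: the client_id is a query parameter of the authorization URL. The following Python script is an added example (not AppTotal's or Canonic Security's code) that pulls the client ID, the platform, the redirect URI and the requested scopes out of a consent URL so you can paste the client ID into AppTotal and keep the scope list for later review. The sample URLs, client IDs and redirect URIs are constructed placeholders; the host-to-platform table covers only the consent endpoints named on this page.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample consent-page URLs; client IDs and redirect URIs are placeholders, not real apps.
SAMPLE_CONSENT_URLS = {
    "google": (
        "https://accounts.google.com/o/oauth2/v2/auth?client_id=123456789012-abcdefg.apps.googleusercontent.com"
        "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&response_type=code"
        "&scope=openid%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly&access_type=offline"
    ),
    "microsoft": (
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
        "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
        "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fauth&scope=openid%20Mail.ReadWrite%20offline_access"
    ),
    "slack": (
        "https://slack.com/oauth/v2/authorize?client_id=1234567890.0987654321"
        "&scope=channels:history,chat:write&redirect_uri=https%3A%2F%2Fapp.example.com%2Fslack"
    ),
}

# Consent endpoints by host; anything else is reported as "unknown" rather than guessed.
PLATFORM_HOSTS = {
    "accounts.google.com": "google",
    "login.microsoftonline.com": "microsoft",
    "login.live.com": "microsoft",
    "slack.com": "slack",
}


def detect_platform(hostname):
    """Map the consent-page host to a platform name; workspace subdomains of slack.com count as Slack."""
    if not hostname:
        return "unknown"
    if hostname in PLATFORM_HOSTS:
        return PLATFORM_HOSTS[hostname]
    if hostname.endswith(".slack.com"):
        return "slack"
    return "unknown"


def extract_consent_info(url: str) -> dict:
    """Return platform, client_id, tenant (Microsoft only), redirect_uri and scopes from a consent URL."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)  # percent-decodes values for us
    if "client_id" not in query:
        raise ValueError("no client_id parameter in consent URL")
    platform = detect_platform(parsed.hostname)
    info = {
        "platform": platform,
        "client_id": query["client_id"][0],
        "redirect_uri": query.get("redirect_uri", [None])[0],
        # Google and Microsoft space-separate scopes; Slack comma-separates them. Split on either.
        "scopes": [s for s in re.split(r"[\s,]+", query.get("scope", [""])[0]) if s],
        "tenant": None,
    }
    if platform == "microsoft":
        # First path segment is the tenant: common, organizations, consumers, or a tenant ID/domain.
        segments = [p for p in parsed.path.split("/") if p]
        info["tenant"] = segments[0] if segments else None
    return info


if __name__ == "__main__":
    for name, url in SAMPLE_CONSENT_URLS.items():
        info = extract_consent_info(url)
        print(f'{info["platform"]:10} client_id={info["client_id"]}  scopes={info["scopes"]}')
```

The scope list is worth keeping alongside the client ID: the consent URL shows what the app is asking for at that moment, which you can compare against the Permissions section of the AppTotal report for the same client ID.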
App Report Explained
Overview
Canonic Verified
App and publisher authenticity verification performed proactively by Canonic Security's app intelligence team.
Note: A Canonic Verified app can still be malicious or pose a risk because of a compromised publisher, vulnerabilities, or over-privileged permissions.
Publisher
The app’s developer can be either an individual or an organization.
Client ID
The public identifier of an OAuth app; it is unique across tenants. Note that some platforms use a different name for it. On Azure, for example, it is called the Application (client) ID.
Category
The app’s category as specified in the marketplace, by the developer, or by AppTotal classification.
Type
The app's client type as registered on the platform; this is usually an optional configuration. A type can be web app, mobile, browser extension, or device.
Tags
Whether the app is first-party or third-party, plus other metadata tags.
- First-party - apps represent native services owned by the SaaS provider. For example, Google Drive, Gmail, Microsoft SharePoint, and Exchange are first-party apps and have a unique client ID assigned by the SaaS provider.
- Third-party - apps registered by a vendor other than the SaaS provider. Usually, these apps are publicly available to anyone.
- Internal app - apps registered for internal use and integration, available only to users within the tenant in which the app was registered. Mainly used for automation within the SaaS environment and for integrations with internal systems.
Platform Verified
Whether the app went through the platform's (e.g. Google, Microsoft, Slack) publisher verification process. Note that platforms require this process only in specific cases, so most apps are never submitted for review by the SaaS provider.
Summary
App Risk
App's risk score is calculated based on its permissions, severity of its security risks, and its publisher rating.
Risks
Risks comprise security posture findings and risk indicators.
Permission Level
Permission level is determined by the app's requested scopes, based on the scope's operation (e.g. read/write) and the affected resources (e.g., Gmail, OneDrive, Teams).
Sandbox
API Calls
App's API activity as recorded by our SaaS sandbox.
IP Addresses
IP addresses from which the app's API activity originated.
Redirect URLs
App's redirect URLs (redirect URIs) as registered during the app registration. These are the only locations the platform will deliver authorization codes or tokens to, so review any entry that is overly broad or points to a domain the publisher does not control.
Permissions
Access Types
- Sign-in - apps that have no access other than signing in on behalf of the authorizing user.
- Account - apps that have access to the user's account data.
- System - apps that may read or edit system configuration or platform settings.
- Data - apps that have access to anything the authorizing user has access to.
Permissions
The OAuth permission scopes as requested by the app, their description according to the SaaS platform, and their severity (low/med/high) according to the affected service/resource (e.g. Gmail, OneDrive, Teams) and the operation (read/write).
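The severity rule described here, and the Permission Level and Access Types described earlier in this report, all derive from the same two properties of a scope: the resource it touches and whether the operation is read or write. The following Python script is an added example (not AppTotal's or Canonic Security's scoring logic) that parses Google, Microsoft Graph and Slack scope syntax into resource and operation, assigns a low/med/high severity, and rolls the result up into an app-level permission level and access type. The resource table, the severity thresholds and the sample scope list are assumptions made for illustration; AppTotal's actual weights are not published on this page.

```python
# Scopes that only identify the user (the "Sign-in" access type).
SIGN_IN_SCOPES = {
    "openid", "email", "profile", "offline_access",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Assumed resource map (illustrative only): scope keyword -> (resource, access type).
RESOURCES = {
    "gmail": ("Gmail", "Data"), "mail": ("Mail", "Data"),
    "drive": ("Drive", "Data"), "files": ("Files", "Data"), "sites": ("SharePoint", "Data"),
    "channels": ("Channels", "Data"), "chat": ("Chat", "Data"), "conversations": ("Chat", "Data"),
    "calendar": ("Calendar", "Account"), "calendars": ("Calendar", "Account"),
    "contacts": ("Contacts", "Account"), "people": ("Contacts", "Account"),
    "user": ("User profile", "Account"), "users": ("Users", "System"),
    "directory": ("Directory", "System"), "admin": ("Admin settings", "System"),
}
ACCESS_ORDER = ["Sign-in", "Account", "System", "Data"]  # order used by the Access Types section
SEVERITY_ORDER = ["low", "med", "high"]


def parse_scope(scope: str) -> dict:
    """Split one scope string into resource, operation (read/write) and breadth."""
    s = scope.strip()
    if s.lower() in SIGN_IN_SCOPES:
        return {"scope": s, "resource": "Sign-in", "operation": "none", "broad": False, "access": "Sign-in"}
    if s.startswith("https://www.googleapis.com/auth/"):
        # Google: .../auth/gmail.readonly, .../auth/drive, .../auth/admin.directory.user
        parts = s.rsplit("/", 1)[1].split(".")
        key, ops = parts[0], parts[1:]
        op = "read" if ops and ops[-1] in ("readonly", "metadata") else "write"
        broad = key == "admin"
    elif ":" in s:
        # Slack: channels:history, chat:write, admin.conversations:write
        key, op_raw = s.split(":", 1)
        key = key.split(".")[0]
        op = "write" if op_raw.startswith("write") else "read"
        broad = key == "admin"
    else:
        # Microsoft Graph: Mail.ReadWrite, Files.Read.All, Directory.ReadWrite.All
        parts = s.split(".")
        key = parts[0].lower()
        ops = [p.lower() for p in parts[1:]]
        op = "write" if any(o in ("readwrite", "write", "send", "manage") for o in ops) else "read"
        broad = "all" in ops
    resource, access = RESOURCES.get(key, (key, "Account"))
    if broad and access == "Account":
        access = "System"  # ".All" and admin scopes reach beyond the consenting user's own account
    return {"scope": s, "resource": resource, "operation": op, "broad": broad, "access": access}


def severity(parsed: dict) -> str:
    """Assumed rule: Data/System resources start at med; write and tenant-wide reach each add a level."""
    if parsed["access"] == "Sign-in":
        return "low"
    level = 0 if parsed["access"] == "Account" else 1
    if parsed["operation"] == "write":
        level += 1
    if parsed["broad"]:
        level += 1
    return SEVERITY_ORDER[min(level, 2)]


def assess(scopes):
    """Per-scope breakdown as the Permissions section lists it."""
    rows = [parse_scope(s) for s in scopes]
    for row in rows:
        row["severity"] = severity(row)
    return rows


def permission_level(scopes) -> str:
    """App-level Permission Level: the highest severity among its scopes."""
    return max((row["severity"] for row in assess(scopes)), key=SEVERITY_ORDER.index, default="low")


def app_access_type(scopes) -> str:
    """App-level Access Type: the broadest category among its scopes."""
    return max((row["access"] for row in assess(scopes)), key=ACCESS_ORDER.index, default="Sign-in")


# Constructed sample: a Google app asking for sign-in, read-only Gmail and full Drive access.
SAMPLE_APP_SCOPES = [
    "openid", "email",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
]

if __name__ == "__main__":
    for row in assess(SAMPLE_APP_SCOPES):
        print(f'{row["scope"]:55} {row["resource"]:12} {row["operation"]:5} {row["severity"]}')
    print("Permission level:", permission_level(SAMPLE_APP_SCOPES))
    print("Access type:", app_access_type(SAMPLE_APP_SCOPES))
```

The point of the roll-up is that a single high-severity scope (here full Drive access) sets the app's permission level regardless of how harmless the other scopes are, which is why the report lists every scope individually rather than only the summary.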
Compliance
Privacy policy
The privacy policy URL as registered during the app registration. This is usually optional on app registration.
Terms of service
The terms of service URL as registered during the app registration. This is usually optional on app registration.
Certifications
The app developer's compliance certifications, as declared by the publisher.
Data retention
The app developer's data retention policy, as stated in its legal documents.
Risks
Risks
Detailed list of findings and risk indicators. Findings are security posture issues identified in the analyzed app, such as bad security practices in the app's configuration and vulnerabilities in app-related assets. Risk indicators are properties of the app that affect its risk score but do not by themselves indicate whether the app is malicious.
Threat Insights
Threat intelligence insights collected by Canonic Security’s app intelligence.
Updated about 1 year ago