Security recommendations for approving apps

Slack is most powerful when you connect it to tools that you already use. With your permission, apps and integrations can access your workspace's information to help you automate tasks and get work done. 

To better secure your data, it’s important to understand how apps work with Slack. That way, you can determine a policy for reviewing and approving integrated tools. 

1. Get to know apps for Slack

By default, members can install any app from the Slack App Directory or build internal integrations to fit your company's needs. Depending on your security preferences, workspace owners can control how apps are installed, and by whom.

Whether you’re looking to use an existing service like Google Drive or Dropbox, or build your own, we’ve got a few resources to show you how to install and create the apps you need.

📒 Learn about apps and the App Directory
⚙️ Add an app to your workspace
🛠 Customise Slack with internal integrations

2. Understand app permissions

All apps in our App Directory have a unique set of permissions, called scopes, that tell you what information the app can access and how that information can be used. Generally, an app will ask permission to do the following:

  • Post information
  • Perform actions 
  • Access information 

An app's full set of permissions is listed when the app is installed. You can find a detailed list of scopes in our API documentation.

Tip: Some developers submit detailed information about their security and compliance practices to us. If available, you can see that info in the Security & compliance tab on an app’s page in the App Directory.

3. Enable app approval settings 

Workspace owners can enable the Approve apps setting for a workspace to control how and what is installed.

🎛 Control which apps can be installed

Workspace owners can control exactly which apps get installed by creating lists of approved and restricted apps. In the App Directory, members will clearly see which apps are approved for the workspace, which apps need approval and which apps are not allowed. 

👨‍✈️ Decide who can manage apps and integrations

By default, only workspace owners can manage apps. With the Approve apps setting turned on, owners can allow selected members to manage approved apps and respond to app installation requests.

Turn on app approval

  1. From your desktop, click your workspace name in the sidebar.
  2. Select Tools & settings from the menu, then click Manage apps.
  3. Click App management settings in the left sidebar.
  4. Toggle on Approve apps.

Tip: For apps that require approval, set expectations with your team by letting them know how long it’ll take to review their app requests.

4. Develop an approval policy

Whether members are requesting apps or installing them as needed, protect your workspace by developing an app approval policy aided by your IT, security and policy teams.

Carefully consider internal protocols around data management to craft a policy that feels right for your team. Here are some questions to include in your review: 

Installing apps

  • Is there a valid business reason for using the app?
  • Are other apps being used for this purpose?
  • How long will the app be needed in the workspace?
  • What is the app’s privacy policy?
  • How often will the app post to a channel?
  • Are there any additional costs or licences?

Creating internal integrations

  • Who will maintain the integration?
  • Are additional servers, databases or integrations needed?
  • Does the app use token validation?
  • Is data encrypted at rest?
  • Is TLS being used to encrypt traffic?
  • Have the OWASP Top Ten application security risks been reviewed?

Note: Though we review all apps in our App Directory, including their requested permissions, Slack doesn't endorse or certify these apps. We recommend that you only install tools that you trust.

Learn more about apps

The Slack API has everything that you need and more to learn about what goes into building an app. Check out our blog for more inspiration on how to make apps work for your team.