Security recommendations for approving apps

Slack is at its most powerful when you connect it to tools you already use. With your permission, apps and integrations can access your workspace’s information to help you automate tasks and get work done. 

To make your data more secure, it’s important to understand how apps work with Slack. That way you can come up with a policy for reviewing and approving integrated tools. 

1. Get to know apps for Slack

By default, members can install any app from the Slack App Directory or build internal integrations to fit your company's needs. Depending on your security preferences, Workspace Owners can control how apps are installed, and by whom.

Whether you're looking to use an existing service like Google Drive or Dropbox, or build your own, we've got a few resources to show you how to install and create the apps you need.

📒 Learn about apps and the App Directory
⚙️ Add an app to your workspace
🛠 Customise Slack with internal integrations

2. Understand app permissions

All apps in our App Directory have a unique set of permissions, called scopes, that tell you what information the app can access and how that information can be used. Generally speaking, an app will ask permission to do the following:

  • Post information
  • Perform actions 
  • Access information 

An app's full set of permissions is listed when the app is installed. You can find a detailed list of scopes in our API documentation.

Note: For a list of a specific app’s scopes and permissions, click on the App permissions tab in the App Directory. You’ll find a description of what each scope allows the app to access in your workspace.

3. Enable app approval settings 

Workspace Owners can enable the Approve apps setting for a workspace to control how and what is installed.

🎛 Control which apps can be installed

Workspace Owners can control exactly which apps get installed by creating lists of approved and restricted apps. In the App Directory, members will clearly see which apps are approved for the workspace, which apps need approval and which apps are not allowed. 

👨‍✈️ Decide who can manage apps and integrations

By default, only Workspace Owners can manage apps. With the Approve apps setting turned on, Owners can allow selected members to manage approved apps and respond to app installation requests.

Turn on app approval

  1. From your desktop, click your workspace name in the top left.
  2. Select Administration from the menu, then click Manage apps.
  3. Select Permissions from the left-hand menu.
  4. Toggle on Approve apps.

Tip: For apps that require approval, set expectations with your team by letting them know how long it’ll take to review their app requests.

4. Develop an approval policy

Whether members are requesting apps or installing them as needed, protect your workspace by developing an app approval policy aided by your IT, security and policy teams.

Carefully consider internal protocols relating to data management to devise a policy that feels right for your team. Here are some questions to include in your review: 

Installing apps

  • Is there a valid business reason for using the app?
  • Are other apps being used for this purpose?
  • How long will the app be needed in the workspace?
  • What is the app’s privacy policy?
  • How often will the app post to a channel?
  • Are there any additional costs or licences?

Creating internal integrations

  • Who will maintain the integration?
  • Are additional servers, databases or integrations needed?
  • Does the app use token validation?
  • Is data encrypted at rest?
  • Is TLS being used to encrypt traffic?
  • Have the OWASP Top 10 Application Security Risks been reviewed?
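
To make the "token validation" question concrete, here is an added example (not Slack's own code and not part of this article) of how an internal integration written in Python can check that an incoming request really came from Slack, using Slack's request signing scheme (HMAC-SHA256 over the timestamp and body, keyed with the app's signing secret). The signing secret, timestamp and body below are constructed placeholders.

```python
import hashlib
import hmac
import time

# Slack signs every request it sends to an app: the signature is HMAC-SHA256
# over "v0:<timestamp>:<raw body>" keyed with the app's signing secret, and is
# delivered in the X-Slack-Signature header as "v0=<hex digest>".
SIGNATURE_VERSION = "v0"
MAX_AGE_SECONDS = 5 * 60  # reject old requests so a captured one cannot be replayed later


def compute_signature(signing_secret: str, timestamp: str, body: bytes) -> str:
    """Build the expected X-Slack-Signature value for a request."""
    base = f"{SIGNATURE_VERSION}:{timestamp}:".encode() + body
    digest = hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()
    return f"{SIGNATURE_VERSION}={digest}"


def verify_slack_request(signing_secret: str, headers: dict, body: bytes, now: float = None) -> bool:
    """Return True only if the request carries a fresh, valid Slack signature.

    The check must run on the raw request body, before any form or JSON parsing,
    otherwise re-serialised bytes will not match what Slack signed.
    """
    now = time.time() if now is None else now
    timestamp = headers.get("X-Slack-Request-Timestamp", "")
    provided = headers.get("X-Slack-Signature", "")
    if not timestamp.isdigit():
        return False  # malformed or missing timestamp
    if abs(now - int(timestamp)) > MAX_AGE_SECONDS:
        return False  # stale request: outside the replay window
    expected = compute_signature(signing_secret, timestamp, body)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    # Constructed placeholder values; a real app reads the secret from its configuration.
    secret = "example-signing-secret"
    ts = str(int(time.time()))
    body = b"token=placeholder&command=%2Fdeploy&text=staging"
    headers = {
        "X-Slack-Request-Timestamp": ts,
        "X-Slack-Signature": compute_signature(secret, ts, body),
    }
    print("valid request accepted:", verify_slack_request(secret, headers, body))
    print("tampered body rejected:", not verify_slack_request(secret, headers, body + b"x"))
```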

Note: Even though we review all apps in our App Directory, including their requested permissions, Slack doesn’t endorse or certify these apps. We recommend that you only install tools that you trust.

Learn more about apps

The Slack API has everything you need and more to learn about what goes into building an app. Take a look at our blog for more inspiration on how to make apps work for your team.