It’s been a few months since we launched the AppTotal Community and thousands of security engineers have already had a chance to see what it would mean for vetting and analyzing OAuth apps: what used to be a manual & tedious process could now be done in minutes.

Right off the start, it was apparent how programmatic access to AppTotal could fuel custom vetting workflows as well as drive investigation & assessment whenever non-human identities in cloud directories were involved. Being a fairly small team chasing third-party app security weaknesses, we decided to wait until we could no longer stand the pressure from other builders to support a native API experience.

I’m excited to say we could no longer stand the manual uploading of OAuth client-id lists and decided it was time for a public and premium API :)

Why AppTotal API?

Assessment. So you just saw an app in your directory (say Azure AD), with a funny name (say “Email”), excessive and outdated permissions (say EWS.*) and no recent apparent activity — curious to learn if it’s one of the 100+ apps that come enabled with 365, a persistence trick or an app developer who couldn’t be bothered with a more creative name — you go for your last resort and paste its client-id in AppTotal (try that if you haven’t!).

Now, what if you were looking at a whole directory of apps, in the midst of an IR or a vulnerability assessment, trying to map thousands of apps and get at least some sense of a direction to focus on?

Pre-vetting. You got a Jira ticket, or a Slack message, about someone who wanted to connect Bluemail to your corporate email provider and was either blocked or, being a responsible employee, wanted to see if it fits the organization’s security policy before connecting it to your environment. You could run Bluemail through your vendor/third-party assessment process (try that for thousands of apps), you could try to connect/install Bluemail and research its activities, review its policies, assess its permissions (try that too) or… you could get your own low-code Slack bot to submit Bluemail to AppTotal and learn that, unlike other third-party email clients — it doesn’t actually extract email contents out of your mailbox to its own cloud servers to support operations.

Enrichment. Your security analytics already collects third-party app and non-human identity telemetry from your Atlassian and Salesforce tenants (of course it does!) — but what context do you have for these apps? Ok, none of our security telemetry has any context, you say… but wouldn’t it be great if apps did? Think triaging thousands of irrelevant alerts in minutes…

Got another use case? Want to integrate AppTotal API into your workflow or product? apptotal@canonic.security

How it works

Got apps?

The AppTotal API has two methods:

Get app info - Search AppTotal by client ID

    curl --request GET \
      --url 'https://api.canonic.security/v1/apps/app?client_id=your-client-id' \
      --header 'Accept: application/json'

If the app has previously been sandboxed, AppTotal will return the results in a response similar to this:

    {
      "name": "Yet Another Mail Merge",
      "publisher": {
        "name": "Talarian",
        "siteUrl": "https://talarian.io"
      },
      "platform": "Google Workspace",
      "description": "Send mass personalized emails with Gmail. Track engagement in Google Sheets. Follow up.",
      "redirectUrls": ["https://script.google.com/oauthcallback"],
      "categories": [
        "Communication",
        "Mail Client "
      ],
      "tags": [
        "3rd Party"
      ],
      "permissionLevel": 10,
      "risk": "HIGH",
      "clientId": "52669349336.apps.googleusercontent.com",
      "permissions": [
        {
          "scope": "https://www.googleapis.com/auth/drive.readonly",
          "service": "Drive and Docs",
          "description": "Allows read-only access to file metadata and file content.",
          "accessType": "Broad Data Access"
        },
        {
          "scope": "https://www.googleapis.com/auth/gmail.settings.sharing",
          "service": "Gmail",
          "description": "Manage sensitive mail settings, including forwarding rules and aliases. Note:Operations guarded by this scope are restricted to administrative use only. They are only available to Google Workspace customers using a service account with domain-wide delegation.",
          "accessType": "Account Access"
        },
        {
          "scope": "https://www.googleapis.com/auth/gmail.readonly",
          "service": "Gmail",
          "description": "Read all resources and their metadata—no write operations.",
          "accessType": "Account Access"
        }
      ],
      "compliance": [
        "GDPR",
        "CCPA",
        "ISO 27001"
      ],
      "dataRetention": null,
      "logoUrl": "https://lh3.googleusercontent.com/-Ukj6uQxManI/X-SZhjujNUI/AAAAAAAAA4k/FgLNb58ILfQ0EeHZdeymlY0t4iD0kgHAwCLcBGAsYHQ/s400/GWM%2B-%2BLogo%2B128x128.png",
      "privacyPolicyUrl": "https://yamm.com/privacy-policy",
      "termsOfServiceUrl": "https://yamm.com/terms-of-service",
      "marketplaceUrl": "https://workspace.google.com/marketplace/app/yet_another_mail_merge_mail_merge_for_gm/52669349336",
      "platformVerified": true,
      "clientType": "Web App",
      "developerEmail": "awg-oauth-support@addonsforgapps.com",
      "consentScreenshot": "https://sightd-production-public-assets.s3.amazonaws.com/consent-screen-images/222809313844178962335488119774985574943.png",
      "ipAddresses": [
        "107.178.193.28",
        "107.178.193.10"
      ],
      "apiActivities": [
        {
          "operationType": "sheets.spreadsheets.get",
          "percentage": 0.02
        },
        {
          "operationType": "gmail.users.history.list",
          "percentage": 0.08
        },
        {
          "operationType": "gmail.users.messages.list",
          "percentage": 0.06
        }
      ]
    }

Submit an app for analysis - App wasn't previously sandboxed (or you want it reassessed)

The following submits an application for analysis in the AppTotal Sandbox.

    curl --request POST \
      --url https://api.canonic.security/v1/apps/app \
      --header 'Content-Type: application/json' \
      --data '{"clientId": "your-client-id"}'
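Putting the two methods together for the directory-wide assessment described earlier, as an added example (not Canonic's code): a Python helper that looks up each client ID, submits the ones AppTotal has not sandboxed, and ranks the rest by the `risk`, `permissionLevel`, `platformVerified` and `accessType` fields seen in the sample response. It assumes an unknown app is answered with HTTP 404 and that the API token, whose header is not shown on this page, is supplied through the `headers` argument.

```python
import json
import urllib.error
import urllib.request

API = "https://api.canonic.security/v1/apps/app"  # endpoint shown on the page
SENSITIVE = {"Account Access", "Broad Data Access"}  # accessType values in the sample response


def get_app(client_id, headers=None):
    """GET app info; None when AppTotal has not sandboxed it yet (404 is assumed)."""
    hdrs = {"Accept": "application/json", **(headers or {})}
    req = urllib.request.Request(f"{API}?client_id={client_id}", headers=hdrs)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def submit_app(client_id, headers=None):
    """POST the client ID to the AppTotal Sandbox; returns the HTTP status."""
    hdrs = {"Content-Type": "application/json", **(headers or {})}
    body = json.dumps({"clientId": client_id}).encode()
    req = urllib.request.Request(API, data=body, headers=hdrs, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def triage(app):
    """Keep the fields an analyst sorts on, plus scopes with a sensitive access type."""
    scopes = sorted({p["scope"] for p in app.get("permissions", [])
                     if p.get("accessType") in SENSITIVE})
    return {"clientId": app["clientId"], "name": app.get("name"), "risk": app.get("risk"),
            "permissionLevel": app.get("permissionLevel", 0),
            "verified": bool(app.get("platformVerified")), "sensitiveScopes": scopes}


def assess_directory(client_ids, fetch=get_app, submit=submit_app):
    """Look up each app, queue unknown ones for analysis, rank the rest worst-first."""
    known, queued = [], []
    for cid in client_ids:
        app = fetch(cid)
        if app is None:
            submit(cid)
            queued.append(cid)
        else:
            known.append(triage(app))
    # HIGH risk first, then broader permission levels, then unverified publishers.
    known.sort(key=lambda r: (r["risk"] != "HIGH", -r["permissionLevel"], r["verified"]))
    return known, queued
```

To run it against a live tenant, export the client IDs from your directory and call `assess_directory(ids)`; `fetch` and `submit` are injectable so the ranking logic can be exercised offline with in-memory records.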

Licensing

AppTotal API is available in community and premium versions – check out the link below to learn what each offers, get your own token and start experimenting! An API explorer is available here.

Get started now with AppTotal API