04 July, 2026

Shopify App Permissions: Auditing What Third Parties Can See


A Brisbane apparel brand asked us to look at their Shopify store after a marketing tool started behaving oddly. When we opened the apps page, there were twenty-seven installed apps. The team could account for nine. The rest were leftovers from old campaigns, a previous agency, a trial that nobody remembered, and one app installed by an ex-contractor that had never been removed. Three of them still had read access to the entire customer list. One could write to orders. The marketing tool that prompted the audit turned out to be fine. The eighteen forgotten apps were a quiet liability nobody had thought about.

App permissions are one of the most overlooked corners of Shopify security. Every app you install asks for scopes, those scopes accumulate, and the risk grows with the count. This article walks through how to audit your app permissions properly, what to look for, and how to set a review cadence so the situation does not drift again.

How Shopify app permissions actually work

When you install an app, it requests access to certain API scopes. The standard categories include products, orders, customers, draft orders, fulfilments, inventory, themes, scripts, and several dozen more. Each scope has read and write variants. The install dialog lists the scopes and asks you to approve them. Most people scroll past and click install.

Once approved, the app holds an access token that lets it call Shopify’s API at any time, from its own infrastructure, until you uninstall it or rotate the token. The app developer’s servers can read whatever the scopes allow, whenever they like. If the app developer is breached, your data goes with them. If the app developer sells the business, the new owner inherits the access.

Why this matters more than people think

There have been multiple incidents in the Shopify app ecosystem where apps were breached, sold, or quietly updated to exfiltrate data. In one well-documented case in 2024, an analytics app pushed an update that started sending customer email lists to a server outside its normal infrastructure. Stores that had granted it customer read access lost their lists. The merchants who had taken the time to review their app permissions caught it within hours. The ones who had not took weeks.

This is not a theoretical risk. It is the same dynamic as a browser extension supply chain attack, applied to your store.

The audit, step by step

Block out an hour and work through this process. It is the same process we run as part of a paid audit, just with fewer fancy tools.

Step 1: list every installed app

Open the Apps and sales channels page in your Shopify admin. You should see public apps, custom apps and any private apps. Make a list. A simple spreadsheet works.

Step 2: identify the owner of each app

For each app, write down which team or person actually uses it. If you cannot find anyone who uses it, flag it. The forgotten apps are usually the riskiest because nobody is watching them.

Step 3: review the permissions

Click into each app and look at the access it has. Shopify shows you the scopes granted. Pay particular attention to:

  • Customer read access (PII risk).
  • Order read access (financial and behavioural data).
  • Theme write access (could modify your storefront).
  • Script tag access (could inject JavaScript).
  • Settings write access (could change critical store settings).

If an app has scopes that go beyond what it needs to do its job, that is a red flag. A review app does not need write access to your themes. A shipping app does not need to read your customer list.

Step 4: vet the developer

For apps you are keeping, look up the developer. The Shopify App Store shows the developer name, support contact, privacy policy and review history. A small developer with no reviews and a generic support email is a higher risk than a well known agency or a long established app. That does not mean small developers are bad, but it does mean you should hold their data handling to a higher standard if you keep them installed.

Step 5: uninstall the dead weight

For every app you cannot justify, uninstall it. Shopify revokes the access token when you uninstall, so the app loses its access immediately. Be aware that some apps leave behind script tags, metafields or theme code after uninstall, so check your theme and your stored data afterwards.

Step 6: document the remaining apps

Keep your spreadsheet. For each app you kept, note the owner, the purpose, the scopes, the renewal date and the developer. This document becomes your reference for the next audit and your starting point if anything goes wrong.
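The six steps above reduce to a few mechanical checks once the spreadsheet from Step 1 exists: is there an owner, which granted scopes fall into the high-risk buckets from Step 3, and which scopes go beyond what an app of that category needs. The script below is an added example, not code from the article or from Shopify. It runs over a constructed inventory embedded inline (the same columns the spreadsheet would hold), uses Shopify's public scope handles such as `read_customers` and `write_themes`, and treats the per-category baseline (`CATEGORY_BASELINE`) as an assumption you would tune to your own store rather than a Shopify-defined list.

```python
"""Scope review over an app inventory (added example; the inventory is constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Scope handles as they appear in the install dialog, bucketed into the risk
# categories Step 3 calls out. Illustrative, not the full Shopify scope list.
HIGH_RISK_SCOPES: Dict[str, str] = {
    "read_customers": "customer PII readable",
    "write_customers": "customer records writable",
    "read_orders": "order and financial data readable",
    "read_all_orders": "full order history readable",
    "write_orders": "orders writable",
    "write_themes": "storefront code writable",
    "write_script_tags": "can inject JavaScript into the storefront",
}

# Assumption: what an app of each category reasonably needs. Tune per store.
CATEGORY_BASELINE: Dict[str, Set[str]] = {
    "reviews": {"read_products", "read_orders"},
    "shipping": {"read_orders", "write_orders", "read_fulfillments", "write_fulfillments"},
    "email": {"read_customers", "read_orders", "read_products"},
    "bulk-editor": {"read_products", "write_products", "read_inventory", "write_inventory"},
}


@dataclass
class InstalledApp:
    name: str
    category: str
    owner: Optional[str]  # None means nobody could account for it (Step 2)
    scopes: Set[str]


@dataclass
class Finding:
    app: str
    action: str                                   # "uninstall" | "reduce scopes" | "keep"
    high_risk: List[str] = field(default_factory=list)
    excess: List[str] = field(default_factory=list)


def audit_app(app: InstalledApp) -> Finding:
    """Apply the Step 2/3 checks to one app and recommend an action (Step 5)."""
    high_risk = sorted(s for s in app.scopes if s in HIGH_RISK_SCOPES)
    baseline = CATEGORY_BASELINE.get(app.category)
    # Unknown categories get no baseline comparison; only the risk bucket applies.
    excess = sorted(app.scopes - baseline) if baseline is not None else []
    if app.owner is None:
        action = "uninstall"          # forgotten apps are the riskiest ones
    elif excess:
        action = "reduce scopes"      # ask the vendor for a narrower install
    else:
        action = "keep"
    return Finding(app.name, action, high_risk, excess)


def audit_inventory(apps: List[InstalledApp]) -> List[Finding]:
    return [audit_app(a) for a in apps]


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Counts per action, handy for the Step 6 write-up."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.action] = counts.get(f.action, 0) + 1
    return counts


# Constructed sample inventory mirroring the spreadsheet from Step 1.
SAMPLE_INVENTORY = [
    InstalledApp("Legacy Popup Tool", "pop-up", None, {"read_customers", "write_script_tags"}),
    InstalledApp("Product Reviews Plus", "reviews", "marketing", {"read_products", "read_orders", "write_themes"}),
    InstalledApp("ShipFast Rates", "shipping", "ops", {"read_orders", "write_orders", "read_fulfillments", "read_customers"}),
    InstalledApp("Newsletter Sender", "email", "marketing", {"read_customers", "read_products"}),
]

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"{f.app:22} {f.action:14} high-risk={f.high_risk} excess={f.excess}")
    print(summarise(audit_inventory(SAMPLE_INVENTORY)))
```

The review app with `write_themes` and the shipping app with `read_customers` are exactly the two mismatches the article names, and both come out as "reduce scopes"; the unowned pop-up app is marked for uninstall regardless of its scopes.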

The categories that need extra scrutiny

Some app categories carry more risk than others because of what they touch.

  • Marketing and email apps: typically have full customer read access and often store copies of your list on their own servers. Pick mature providers with clear data handling commitments.
  • Personalisation and pop-up apps: often inject scripts into your store, which means they can in theory read anything on the page. Be selective.
  • Reporting and analytics apps: usually have broad read access to orders and customers. Concentrate this in one trusted provider rather than spreading across several.
  • Bulk editors and import tools: often have write access to products, collections and orders. Useful for the work, but a mistake or a breach has wide blast radius.

Custom and private apps

Custom apps that you or your agency built deserve the same scrutiny. The access tokens they hold are just as powerful as any third party app, and they often sit in scripts on servers you control. Rotate the tokens periodically. Store them in a secrets manager, not in a file checked into version control. When a developer leaves the team, treat their tokens like any other credential.
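A token that was pasted into a config file and committed is the failure mode this paragraph warns about, and it is cheap to check for before each commit. The scanner below is an added example, not code from the article; it runs over a constructed set of files held in memory, and `scan_tree` applies the same check to a real checkout. It assumes that custom-app Admin API access tokens carry the `shpat_` prefix followed by 32 hex characters (the pattern is an assumption to adjust if your tokens look different), and it reports hits with the token redacted so the report itself does not leak the secret.

```python
"""Find Shopify access tokens committed to source files (added example)."""
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Assumption: custom-app Admin API tokens look like shpat_ + 32 hex characters.
TOKEN_PATTERN = re.compile(r"\bshpat_[0-9a-fA-F]{32}\b")

Hit = Tuple[str, int, str]  # (path, line number, redacted token)


def redact(token: str) -> str:
    """Keep the prefix and last four characters so a hit is recognisable but unusable."""
    return token[:10] + "..." + token[-4:]


def scan_text(path: str, text: str) -> List[Hit]:
    hits: List[Hit] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_PATTERN.finditer(line):
            hits.append((path, lineno, redact(match.group())))
    return hits


def scan_files(files: Dict[str, str]) -> List[Hit]:
    """Scan an in-memory mapping of path -> contents (used for the sample below)."""
    hits: List[Hit] = []
    for path, text in files.items():
        hits.extend(scan_text(path, text))
    return hits


def scan_tree(root: str) -> List[Hit]:
    """Scan a real working copy, skipping the .git directory itself."""
    files: Dict[str, str] = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and ".git" not in p.parts:
            try:
                files[str(p)] = p.read_text(errors="ignore")
            except OSError:
                continue
    return scan_files(files)


# Constructed sample: one real-looking token in a config file, a placeholder
# in .env.example that must not trigger, and a file with nothing sensitive.
SAMPLE_FILES = {
    "config/shopify.py": (
        "SHOP = 'example-store.myshopify.com'\n"
        "ACCESS_TOKEN = 'shpat_0123456789abcdef0123456789abcdef'  # constructed value\n"
    ),
    ".env.example": "SHOPIFY_ACCESS_TOKEN=shpat_<paste token here>\n",
    "README.md": "Tokens live in the secrets manager, never in this repo.\n",
}

if __name__ == "__main__":
    for path, lineno, token in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: possible Shopify access token {token}")
```

Wire `scan_tree(".")` into a pre-commit hook and fail the commit on any hit; a token that does surface should be rotated in the Shopify admin, not just deleted from the file, because the commit history still holds it.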

Setting a review cadence

One audit is good. A repeating audit is much better. We recommend quarterly for most stores, monthly for high-traffic merchants or any store handling sensitive categories. The quarterly review is short: re-open the app list, check for new installs you did not approve, and confirm the existing apps still need their current scopes.

The trigger for an immediate audit, outside the schedule, is any of the following: a staff member leaves, an agency engagement ends, a major store change happens (replatform, theme rebuild, payment provider change), or an app you use is in the news for the wrong reasons.
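The quarterly check is a comparison between the last documented state and what the admin shows today: apps that appeared without approval, apps that disappeared, and apps whose scopes grew through an upgrade dialog somebody clicked through. The snapshot diff below is an added example, not code from the article. It assumes each review saves the app-to-scopes mapping as JSON (a format chosen for this example) and compares two constructed snapshots embedded inline; the scope handles are Shopify's, the app names are made up.

```python
"""Quarterly drift check between two app-permission snapshots (added example)."""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set

Snapshot = Dict[str, Set[str]]  # app name -> granted scopes


@dataclass
class DriftReport:
    new_apps: List[str] = field(default_factory=list)        # installs nobody approved
    removed_apps: List[str] = field(default_factory=list)    # gone since last review
    expanded: Dict[str, List[str]] = field(default_factory=dict)  # app -> scopes added

    def needs_attention(self) -> bool:
        # Removals are worth noting but do not widen access on their own.
        return bool(self.new_apps or self.expanded)


def compare_snapshots(previous: Snapshot, current: Snapshot) -> DriftReport:
    report = DriftReport()
    report.new_apps = sorted(set(current) - set(previous))
    report.removed_apps = sorted(set(previous) - set(current))
    for name in sorted(set(previous) & set(current)):
        added = sorted(current[name] - previous[name])
        if added:
            report.expanded[name] = added
    return report


def snapshot_to_json(snapshot: Snapshot) -> str:
    """Sets are not JSON-serialisable, so store scopes as sorted lists."""
    return json.dumps({name: sorted(scopes) for name, scopes in snapshot.items()},
                      indent=2, sort_keys=True)


def snapshot_from_json(text: str) -> Snapshot:
    return {name: set(scopes) for name, scopes in json.loads(text).items()}


# Constructed snapshots: what was documented last quarter and what the admin shows now.
LAST_QUARTER: Snapshot = {
    "Newsletter Sender": {"read_customers", "read_products"},
    "ShipFast Rates": {"read_orders", "write_orders"},
    "Old Banner Tool": {"write_script_tags"},
}
THIS_QUARTER: Snapshot = {
    "Newsletter Sender": {"read_customers", "read_products", "write_customers"},
    "ShipFast Rates": {"read_orders", "write_orders"},
    "Discount Calculator": {"read_products", "write_customers"},
}

if __name__ == "__main__":
    report = compare_snapshots(snapshot_from_json(snapshot_to_json(LAST_QUARTER)), THIS_QUARTER)
    print("new installs:   ", report.new_apps)
    print("removed:        ", report.removed_apps)
    print("scope expansion:", report.expanded)
    print("needs attention:", report.needs_attention())
```

The newsletter app gaining `write_customers` is the upgrade-dialog case from the common-mistakes list; it shows up under `expanded` even though the app itself was already approved, which a plain "is it on the list" check would miss.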

Common mistakes

  • Approving the upgrade dialog without reading: when an app updates its scopes, Shopify shows you the new ones. Read them. If a calculator app suddenly asks for customer write access, decline and find out why.
  • Installing apps in test stores and forgetting: those stores still have data. Audit them too.
  • Trusting reviews alone: apps can have thousands of good reviews and still be breached. Reviews tell you about the customer experience, not the security posture.
  • Skipping privacy policies: a one-minute skim of the privacy policy will tell you whether the app stores copies of your data, where it is held, and how it is secured.

A 60-minute action plan

  • List every installed app on your store.
  • For each one, identify the owner, purpose and scopes.
  • Uninstall anything unused or unowned.
  • For the apps that remain, confirm the scopes match the actual need.
  • Document the lot and put a quarterly reminder in your calendar.

Where Defyn fits in

App audits are a regular part of the Shopify reviews we run for Sydney and interstate merchants. We also pair app audits with performance reviews, because removing dead apps often improves your storefront speed at the same time. If you want a structured review with documented findings and remediation, take a look at our Sydney web development services or start a project. Our audit and support retainer keeps app reviews on a quarterly cycle so the count never gets away from you again.
