The Rise of Embedded Apps and Their Security Risks
Mark Rennie
Why we should be focusing on embedded app security
Embedded applications have become…well… embedded within our daily working life. Running inside host collaboration platforms like Microsoft Teams and Slack, you will know them under their brand names: the project management tool Trello and the communications platform 3CX are two prime examples.
Functioning as a miniature browser frame or isolated window, they run within the main application itself. The reason embedded app security should be stealing your attention right now is that they are quietly and quickly expanding attack surfaces, for four very good reasons:
1) These apps are an attractive proposition to users. They are incredibly helpful and save many people many hours across their working week.
2) They are heavily marketed. This combined with word-of-mouth means they can attract a large following and user count very quickly.
3) They can be installed with little friction and at no cost, and there is currently no robust native process to physically prevent installation at scale.
4) They bring their own authentication, demand their own permissions, and call their own domains, essentially playing by their own rules.
The above, combined with their lightness and embedded nature, means they often slip through the usual security checks that would be applied to a full desktop or web application.
The Microsoft ‘Tiered App Trust Model’
Microsoft runs this model as a useful signal to security teams against issues like obvious malicious intent. However, it does not surface the major sources of day-to-day operational risk in embedded app security: misconfiguration, insecure patterns, or poor maintenance by vendors.
1. Office 365 apps
Microsoft Teams integrates with all the major Office 365 apps; Word, Excel, PowerPoint, and OneNote, allowing users to collaborate on documents in real-time, without having to switch between apps.
2. Other Microsoft apps
In addition to Office 365 apps, Teams also integrates with other Microsoft apps such as Dynamics 365 and SharePoint, allowing users to access data and insights from within Teams.
3. Third-party apps
Microsoft Teams also integrates with hundreds of well-known third-party apps like Trello and DocuSign. These integrations allow users to access all their important tools and services directly within Teams, without having to switch between apps.
4. Custom apps
Finally, Microsoft Teams also supports custom app integrations, meaning businesses can develop their own custom apps and integrate them directly into Teams, providing a tailored collaboration experience that meets their specific needs.
A great way to think about embedded app security is like an electrician who is accredited by the National Inspection Council of Electric Installation (in our world, this is the Microsoft tiering trust badge). They may have passed all their exams, but human error will never completely go away, and the electrician can still install a faulty fuse box. The same applies to embedded app security: the goal is not to find bad actors, it is to surface the errors, faults, and vulnerabilities that could impact future operations.
OpenGates: How Vambrace ensures embedded app security within Microsoft Teams and Slack
Every app installation means a new set of data pathways and new permissions being requested. Security teams are often blind to this and there is no ‘standardised best practice’ to vet the configuration of every app.
Even some of the biggest and most popular embedded applications on the market are not built from scratch. They utilise a plethora of third-party libraries and existing frameworks to save time, so it is important to ensure the third-party components of embedded applications are up-to-date and securely implemented, reducing the risk of introducing an insecure app with inherited weaknesses into your environment.
Enter OpenGates, our embedded app security service that ingests and evaluates app manifests (the apps’ origins and rule book rolled into one) and informs security teams with actionable insight into the permissions an embedded app needs, the external domains it calls, and how it operates. We take this rule book and apply a layered risk assessment, which crucially can be applied at scale and covers:
1. Manifest and configuration analysis
- Every URL and domain the embedded application is calling is vetted with domain intelligence and location / contextual checks to ensure the external destinations are themselves secure and not based in regions that may violate data protection policies.
2. Insecure data handling
- We look for sensitive parameters being exposed via query strings in the URL (the part of the address after the domain name). Information in a query string is logged everywhere: in browser histories, server logs, and network proxies. Having plaintext email addresses visible here is a security risk.
3. Permission scope alignment
- Does the embedded app really need all the permissions it is asking for, or is it overreaching? For example, a notetaker application does not need to access files stored across your 365 environment. All this is doing is unnecessarily expanding your attack surface.
- Our AI-assisted reasoning is used to judge whether the notetaker app used in this example is displaying anomalous behaviour. For example, if it is asking for access to a laptop's microphone, this fits the behaviour expected for its purpose. However, if it starts asking for a user's geolocation or personal information such as their phone number, that will be flagged as a risk.
4. Continuous monitoring
- OpenGates will perpetually look for changes in the current Teams app model, supporting policy updates and rules evolution. Vambrace also conducts its own ongoing research of the whole space, meaning that as the model evolves so does our monitoring.
- OpenGates' findings and insights are presented on a unified dashboard where teams can track the apps in use and understand their real-time risk posture.
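As an added illustration (not OpenGates code and not part of the original post), the Python below runs the kind of checks described in points 1 to 3 over a constructed, simplified Teams-style manifest: it lists the external domains that need vetting, finds sensitive-looking query-string parameters in declared URLs, and flags resource-specific permissions outside an assumed allow-list for a notetaker app. The manifest values and the allow-list are invented for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed, simplified Teams-style manifest for a hypothetical notetaker app.
# Field names follow the public Teams manifest schema; every value is invented.
MANIFEST = {
    "name": {"short": "ExampleNotetaker"},
    "validDomains": ["notes.example-vendor.test", "cdn.example-tracker.test"],
    "staticTabs": [
        {"entityId": "notes", "contentUrl": "https://notes.example-vendor.test/tab?user=alice@example.test&token=abc123"},
    ],
    "configurableTabs": [
        {"configurationUrl": "https://notes.example-vendor.test/config?tenant=contoso"},
    ],
    "authorization": {"permissions": {"resourceSpecific": [
        {"name": "OnlineMeetingTranscript.Read.Chat", "type": "Application"},
        {"name": "ChannelMessage.Read.Group", "type": "Application"},
    ]}},
}

# Assumed allow-list of permissions a notetaker plausibly needs (illustrative, not a vendor list).
EXPECTED_NOTETAKER = {"OnlineMeetingTranscript.Read.Chat", "OnlineMeeting.ReadBasic.Chat"}
SENSITIVE_PARAMS = re.compile(r"(email|user|token|key|secret|phone)", re.I)
EMAIL_VALUE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def app_urls(manifest):
    """Every URL the manifest declares for tabs (content and configuration pages)."""
    urls = [t["contentUrl"] for t in manifest.get("staticTabs", []) if "contentUrl" in t]
    urls += [t["configurationUrl"] for t in manifest.get("configurableTabs", []) if "configurationUrl" in t]
    return urls

def external_domains(manifest):
    """validDomains plus the hosts of declared URLs: the destinations to vet (check 1)."""
    hosts = {urlsplit(u).hostname for u in app_urls(manifest)}
    return sorted(hosts | set(manifest.get("validDomains", [])))

def sensitive_query_params(manifest):
    """(url, param) pairs whose name or value looks like personal data or a credential (check 2)."""
    hits = []
    for u in app_urls(manifest):
        for name, value in parse_qsl(urlsplit(u).query):
            if SENSITIVE_PARAMS.search(name) or EMAIL_VALUE.match(value):
                hits.append((u, name))
    return hits

def excess_permissions(manifest, expected):
    """Requested resource-specific permissions outside the allow-list for the app's purpose (check 3)."""
    requested = {p["name"] for p in manifest.get("authorization", {}).get("permissions", {}).get("resourceSpecific", [])}
    return sorted(requested - expected)
```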
The value of embedded app security and how to get started
Many organisations are still in the very early stages of understanding just how significant the real-world threats are from these small embedded applications.
The risks we detect typically come from misconfiguration, neglected vendor components, and poor data handling, rather than from outright malicious behaviour or a sophisticated zero-day attack.
While we cannot block embedded application installation directly within Teams, with millions of these apps available, automated monitoring is essential. OpenGates will surface issues that need to be addressed far quicker than any manual process could ever achieve, supporting policy guidance, and oversight to prevent potential attackers from leveraging embedded applications in the future.
How to get started with OpenGates embedded app security
To arrange your OpenGates demo please click this link and complete our form and a member of the team will be in touch very soon.
Once the demo is complete we can also offer a FREE proof of concept that looks at a broad cross-section of your existing embedded applications, with no need to provide us with access to your M365 environment or even spend time on a scoping call.
Key features of OpenGates, Vambrace's embedded app security service
- Rapid discovery and risk scoring of installed embedded apps within Teams.
- Deep configuration analysis of manifests, URL scopes, and permissions.
- Identification of insecure data exchanges.
- Clear, human-readable risk narratives tailored to app purpose and business context.
- Actionable recommendations for configuration changes, usage restrictions, and policy templates.
- A dashboard with everything you need to see the risks emerging from your embedded application inventory.
Speak to an embedded app security expert
Ready to get a faster, clearer, and simpler view of your embedded app security?
Whether you need help with a project, or just some quick advice, our team of experienced cybersecurity experts are here for you. Simply complete the form, or give us a call on 0330 460 4633 to start a conversation.