Zoom Security Review Process for Applications on App Marketplace

The Zoom Marketplace Review Team has a dedicated review process before an application (app) gets published to the App Marketplace, inclusive of usability and security evaluations. Customers can embed the Zoom Meetings, Webinar, or Phone experience into existing apps and workflows, referred to as integrations, as well as use apps that are integrated into Zoom products and services, referred to as Zoom Apps. There are two types of apps on the Marketplace: 1st-party apps built by Zoom and 3rd-party apps built by 3rd-party developers.

This article provides IT administrators, managing their Zoom Account as a member of the IT organization, and Chief Information Security Officers an overview of user roles, their access to user data on the account, app permissions, and the data apps may access, with insights throughout on how the Zoom Security Review process evaluates all apps on the App Marketplace.

This article contains:

• How to understand account roles
  • Understanding app pre-approval
• How to understand different app types
  • Account-level apps
  • User-level apps
• How to understand app permissions, OAuth scopes, and end-user data
  • Understanding permissions
  • Understanding OAuth scopes
  • Understanding end-user data
  • Mapping OAuth scopes and permissions to app types and end-user data
• How to understand the app review process
  • Functionality, Usability, and Compliance Review
  • Security review
  • Post-launch app reviews

How to understand account roles

Firstly, it's important to understand the default roles a user on a Zoom Account can have. The following chart provides details on the relationship between the three default Zoom roles, permissions for those roles, and their applicability to the App Marketplace.

Learn how to identify your role in a Zoom Account.

Default Zoom Roles	Role Permissions	Role Permissions Related to the App Marketplace
Owner	Has all privileges, including role management.	Manage and install apps from the App Marketplace for the Zoom Account.
Admin	Has similar privileges to the Owner role, excluding role management. Admins can add, remove, or edit users, as well as access account settings and advanced features such as API, SSO, Meeting Connector, and App Marketplace.	Manage and install apps from the App Marketplace for the Zoom Account, as they have Marketplace role access by default. Admins can pre-approve apps for their account, allowing users to install the app if/when it's needed.
Member (Users)	Has no administrative privileges.	Manage and install apps from the App Marketplace for their own individual use (pre-approval by an admin may be required). If pre-approval is enabled, may request app approval from the admin. Have no administrative privileges. Generally referred to as users.

Note: Custom roles with varying levels of permissions are also possible, but none are created by default. Learn more about role management.

Developers must declare what Zoom data they need access to. The Zoom Marketplace Review Team will validate the reason for accessing this data before publishing the app to the App Marketplace. Both User-level apps and Account-level apps will prompt and ask for approval from the end user or Admin who is enabling the App. Users are given an opportunity to review the data scopes the App will have access to. Here is a list of scopes developers are able to declare.

Because Users are also able to delegate certain functionality to other Users on the same account (i.e., schedule meetings on behalf of), apps can also be given this same privilege and access to similar data. For more information about allowing apps access to shared permissions, see this article.

Understanding app pre-approval

Zoom admins and custom roles with Marketplace permissions have the ability to pre-approve which apps can be installed by individual Users, groups of Users, or all Users on the account.

This allows Admins to control which apps are immediately available for install by their users, while also fielding requests for other apps their users may want to use. After receiving a request from an end user, Admins may begin reviewing the app, its functionality, scopes, permissions, and more to determine if they want to allow this app to be installed by the requesting User and others on the account.

Learn more about how to pre-approve apps for an account.

How to understand different app types

Apps in the App Marketplace can be filtered, among other ways, by the User role required to install the app for use: Account admins and Any user. These correspond to Account-level apps and user-level apps, respectively.

Account-level apps

A Zoom Account Admin can authorize and deauthorize Zoom Account-level apps for all Users within the Zoom Account.

Account-level apps can:

• access Zoom APIs on behalf of any Zoom User within the same Zoom Account
• allow a Zoom Admin to manage data on behalf of Zoom Users within the same Zoom Account

An example of an Account–level app on the App Marketplace is LTI Pro.

For this example, we will focus on the Requirements. The Requirements for LTI Pro list Account Admins as the necessary User role for installing the app, as this app can only be installed for the entire account by an admin.

User-level apps

Individual Zoom users (non-admins, members) can authorize and deauthorize User-level apps, as long as the app has been pre-approved by an Admin.

User-level apps can:

• Access Zoom APIs and User data for the User that authorized access.
• Access Zoom APIs and User data for other Users they have shared access permissions for.

An example of a User-level app on the App Marketplace is Virtual Backgrounds. The Requirements for Virtual Backgrounds list Any user as the necessary User role for installing the app, as this app can be installed by any individual User on the account, if pre-approved by an Admin.

How to understand app permissions, OAuth scopes, and end-user data

Every App Marketplace listing displays a list of permissions and OAuth (data) scopes requested by the app. These provide context on what the app can access on your Zoom Account and actions the app can take on your behalf.

Understanding permissions

Every App Marketplace listing displays a list of permissions requested by the respective app, which directly corresponds to the OAuth scopes being requested by the app.

When you authorize an app, you grant the app corresponding permissions to view and/or manage specific data on your behalf.

Permissions vary, and we will review the App Marketplace listing for the Workday app as an example. The example for the Workday app shows read-only permissions.

Understanding OAuth scopes

Every App Marketplace listing displays a list of data scopes—specifically OAuth scopes—requested by the respective app. OAuth 2.0 is the industry-standard authorization protocol that allows applications to obtain requested access to user accounts over HTTPS with the user’s approval. Zoom uses OAuth to allow apps to make API requests and subscribe to webhook events for the user that granted these permissions. OAuth scopes provide a way to limit the amount of end-user data an app and its developer can access and/or edit.

Refer to a complete list of OAuth scopes, their descriptions, and the associated API calls that the app with permitted OAuth scope has access to.

OAuth Scopes vary, and we will review two different App Marketplace listings for context.

First, let’s review the Workday app. This is an account-level app that must be configured by an admin. This is an app used within Zoom Team Chat, so it requires access to user details (so it can match your current account with your Workday account) and the Zoom Team Chat tab of the Zoom desktop client, where users interact with the app.

Next, let’s review the App Marketplace listing for Virtual Backgrounds, with a focus on OAuth scopes. Because Virtual Backgrounds is an app that allows users in Zoom Meetings and Zoom Webinars to view and choose a new virtual background, this app requires access to the user’s in-meeting and in-webinar settings for the selected virtual background to be used.

Understanding end-user data

All data referenced here is end-user data, which is:

• Application data pertaining to the end user or others with whom they interacted through Zoom products.
• Any metadata that was collected, transmitted, created, or received from that end user through the app.

Returning to our Virtual Backgrounds and Workday app examples, end-user data in the context of the following possible permissions may include:

• Virtual Backgrounds - Product Usage: Information about how users and their devices interact with Zoom products, namely, which may include when participants join and leave a meeting or webinar, whether participants sent messages in the meeting and with whom, who the messages were sent to, performance data, and other usage information and metrics.
• Workday - Profile & Contact Information: username, display name, picture, email address, phone number, job information, stated locale, account, user ID, contact lists added by the Account or user (which may include contact information a user imports from a 3rd-party app), and other profile information.

Mapping OAuth scopes and permissions to app types and end-user data

This table is provided as an example to help you understand OAuth scope and permissions mapping. This is not an exhaustive mapping of every OAuth scope to every permission and end-user data field.

App Type	Requirement	OAuth Scope	Permission	End-user Data
User-level app	User role Any user	User user:read, user:write, user_info:read	Profile & Contact Information	User’s PMI, phone number, user zak token
User-level app	User role Any user	Recording recording:write, recording:read	Registration Information	Recording download URL, meeting UUID, play URL
Account-level app	User role Account admins	Meeting meeting:write:admin, meeting:read:admin	Participant Profile & Contact Information	Join link, meeting ID, host email, participant email
Account-level app	User role Account admins	Account account:write:admin	Account Settings	Account ID, owner email, vanity URL

Refer to a complete list of OAuth scopes, their descriptions, and the associated API calls that the app with permitted OAuth scope has access to.

How to understand the app review process

All apps listed on the App Marketplace undergo a dedicated review process before apps are published on the App Marketplace. The primary goals of the review process are to:

• Confirm that the app is ready for use by end users.
• Confirm that the app follows best practices for privacy and security to reduce risks to users.

This two-part review process helps the Zoom Marketplace Review Team assess what user data is accessed and how the app handles the requested user data.

Every app on the App Marketplace must pass this review process before it is available on the App Marketplace, and any issue raised to 1st-party or 3rd-party app developers as part of the review process must be addressed prior to publishing on the App Marketplace. Additionally, follow-up reviews may be necessary when an app is updated and would like to request additional scopes, abnormal API usage is detected, or there are security concerns.

Note: While Zoom owns and manages the apps developed by Zoom, Zoom does not own or manage the apps developed by 3rd-party app developers. Please reference each individual App Marketplace listing page for more information specific to using the app, installation requirements and support.

Functionality, Usability, and Compliance Review

The Zoom Marketplace Operations Team assesses all apps to help ensure only necessary OAuth scopes are being requested, and that the requests make functional, logical, and business sense for the apps. Each app listing includes resources provided by the developer, which are also evaluated to ensure end users can reference documentation and receive support from the developer should they need it.

App developers may be asked to remove unused OAuth scopes by the Zoom Marketplace Operations Team when performing a Functionality, Usability, and Compliance Review for the app.

Notes:

• Not every submitted app is published and passes the Functionality, Usability, and Compliance Review.
• Few apps pass this review on the first attempt.

Security review

The security review follows the Functionality, Usability, and Compliance Review. The Zoom Marketplace Security Review Team corroborates that only the required OAuth scopes are selected by the app to perform the intended functions. In this review, the Marketplace Security Review Team also assesses what end-user data is accessed by the app and how data acquired as a result of the requested OAuth scopes is handled by the app.

App developers may be asked to remove unused and/or misused OAuth scopes by the Marketplace Security Review Team when performing a security review for the app.

Notes:

• Not every submitted app passes the security review.
• Few apps pass this review on the first attempt.

This Security Review encompasses a multi-part review intended to maintain customer security, integrity, and resilience of the ecosystem as a whole.

As a part of the app submission process, Zoom requires a Technical Design Document (TDD) from the app developer. This document, provided as part of the developer app buildflow, tells Zoom how the app was built, what security measures the developer has in place, and how the app will use data collected from Zoom via OAuth Scopes. Here is a checklist of items we ask all developers to follow.

Submission of the TDD to Zoom is mandatory for all developers, 1st party and 3rd party, and Zoom reviews the TDD for every app listed on the App Marketplace, as well as every app approved for beta sharing outside the developer’s account.

Every app also undergoes a focused security test where the app is tested against the OWASP Top 10, a standard awareness document which provides developers and security professionals insight into the most prevalent security risks so as to minimize the presence of known risks in their applications. The scope and extent of testing is limited to those parts of the app that interact with Zoom for the integration offering. Testing may include, but is not limited to:

• Verification of requested OAuth scope to confirm least-privilege design
• Web application security scanning
• Manual testing of functionality for misuse and security vulnerabilities
• Checking for vulnerable libraries

Zoom does not conduct any load or DoS/DDoS testing.

Notes:

• Security reviews are an exhaustive security and penetration test of an application. While the security review is designed to provide a reasonably accurate assessment of the current security level of the tested app, Zoom is not liable or responsible if the security review fails to discover security or configuration issues of the application.
• The results of the security review are confidential between Zoom and the respective app developer. App publishers are required to provide their own terms of service, privacy policy, and support information for published applications. It is recommended that organizations and users conduct their own due diligence according to their 3rd-party vendor evaluation program prior to authorizing the applications.

Post-launch app reviews

Applications are listed on the App Marketplace only after a successful functional and security reviews of the app. All concerns raised to the developers as a result of these reviews must be addressed for the application to be listed on the App Marketplace. All published apps are also in scope for continuous monitoring.

Our current continuous monitoring reviews are as follows:

• Scope/Permission Updates
  Once published, all updates to the app are subject to a functional review. If the updates include addition of scopes or if newly added scopes are identified to introduce additional risk, the app will qualify for a complete security review as well. For example, an application, which may have been read-only scopes at the time of the initial review but now is requesting access to meeting and recording write scopes would undergo functional and security reviews.
• Security Incident
  In the event of identified or reported malicious activity, applications will undergo a new security review and may be suspended and/or disabled as needed. Learn more about suspending and disabling apps.
• API Health
  Zoom also monitors applications for abnormal API activity. For example, applications with 100% API call failure rate are escalated to the respective Zoom teams for further investigation to help the app resume normal operation. The application may qualify for a security review corresponding to the outcome of the investigation. The investigation may also result in the application being suspended, disabled, or removed altogether from the App Marketplace.