Shopify App Permissions: What Access You're Giving Away

Every time you install a Shopify app, you agree to a set of Shopify app permissions that control exactly what store data the app can read, write, and export. Some apps get access to your product catalog. Others can read every customer name, email, and phone number in your database. A few can modify your checkout, change your theme, or write data back to your orders.

Most merchants click "Install" and never look at what they agreed to. With the average Shopify store running 6.4 apps — and 12% running 10 or more — that's a lot of keys floating around. In 2024 and 2025 alone, third-party app vulnerabilities exposed merchant and customer data in at least three major incidents. The risk isn't theoretical.

What Do Shopify App Permissions Control?

Shopify app permissions — called access scopes — define exactly which parts of your store data an app can read or modify. Each scope follows a simple format: an action (read or write) plus a resource type. For example, read_orders lets an app view your order history. write_products lets it create or modify products in your catalog.

There are dozens of scopes. Here are the ones that matter most for your store's security:

  • read_customers / write_customers — Access to customer names, emails, phone numbers, addresses, and order history. This is the most sensitive scope. A review app might need it. A countdown timer doesn't.
  • read_orders / write_orders — Access to every order placed in your store, including customer details attached to those orders. Shipping apps need this. A font-changer doesn't.
  • read_products / write_products — Access to your product catalog, pricing, inventory levels, and descriptions. Most apps request this. Few need write access.
  • write_themes — Permission to modify your store's theme code. Page builders and some widget apps need this. Be cautious — a bad actor or buggy app with theme write access can break your storefront.
  • read_all_orders — Access to your entire order history, not just the last 60 days. Analytics and accounting apps often request this. It's a broader scope than read_orders.

The principle is simple: every app should request only what it needs to function. If a pop-up app asks for customer data and order history, that's a red flag.

Three Real Breaches That Started With App Access

These aren't hypotheticals. They happened to real Shopify merchants.

Consentik (January–May 2025): A cookie-consent banner app — one of the most basic app types — was running an unsecured server that streamed private data from over 4,000 connected stores to the open internet for roughly 100 days. The exposed data included site analytics, Shopify Personal Access Tokens, and Facebook Auth Tokens. A consent banner app had no business generating that kind of data trail, but merchants had granted the permissions without questioning why.

Saara plugins (March 2024): Security researchers found a publicly accessible database belonging to Saara, a company behind several Shopify plugins. The database held 25GB of data from more than 1,800 stores — left wide open in an unsecured MongoDB instance.

Third-party app leak (July 2024): A hacker shared data allegedly originating from Shopify, including customer names, emails, phone numbers, and order details. Shopify confirmed the data didn't come from their systems — it came from a third-party app with access to that data.

In every case, the app had been granted permission to access the data. The breach happened because the app handled that data poorly. Shopify can enforce rules on its own platform, but once your data leaves Shopify's servers and sits on an app developer's infrastructure, you're trusting their security practices.

How to Audit Your App Permissions in 5 Minutes

Shopify has made this easier than it used to be. Here's how to check what each app can access:

  1. Go to Settings → Apps and sales channels in your Shopify admin.
  2. Click on any installed app.
  3. Look for the "App details" section — it lists the permissions the app was granted at install.
  4. Check the "Store data access" section to see what customer and store data the app can read.
  5. Repeat for every app on the list.

Write down which apps have access to customer data, order data, and theme write access. These three categories carry the most risk. If you have 10+ apps, this audit will take about 5 minutes and will probably surprise you.
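Once the scopes are written down, the tally can be scripted. The following is an added example, not part of the original article: the inventory is constructed, the app names and the `justified` field are hypothetical, and it uses only the scope names listed earlier on this page.

```python
from typing import NamedTuple

class Scope(NamedTuple):
    action: str
    resource: str

def parse_scope(handle: str) -> Scope:
    """Split 'read_all_orders' into action 'read' and resource 'all_orders'."""
    action, _, resource = handle.strip().partition("_")
    if action not in ("read", "write") or not resource:
        # Anything outside the read/write format is rejected, not guessed at.
        raise ValueError(f"not an action_resource scope: {handle!r}")
    return Scope(action, resource)

def risk_categories(scopes):
    """Map granted scopes onto the three categories the audit tracks."""
    found = set()
    for handle in scopes:
        scope = parse_scope(handle)
        if scope.resource == "customers":
            found.add("customer data")
        elif scope.resource in ("orders", "all_orders"):
            found.add("order data")
        elif scope == ("write", "themes"):  # read_themes alone is not flagged
            found.add("theme write")
    return found

def audit(inventory):
    """Return (app, categories) for access the app's function does not explain."""
    findings = []
    for app in inventory:
        unexplained = risk_categories(app["scopes"]) - set(app["justified"])
        if unexplained:
            findings.append((app["name"], sorted(unexplained)))
    # Apps with the most unexplained categories come first.
    return sorted(findings, key=lambda f: (-len(f[1]), f[0]))

# Constructed inventory: 'justified' is what the merchant decides the app needs.
INVENTORY = [
    {"name": "Countdown Timer (hypothetical)", "justified": [],
     "scopes": ["read_products", "read_customers", "read_orders"]},
    {"name": "Shipping Labels (hypothetical)", "justified": ["order data"],
     "scopes": ["read_orders", "write_orders", "read_products"]},
    {"name": "Page Builder (hypothetical)", "justified": ["theme write"],
     "scopes": ["write_themes", "read_products", "read_all_orders"]},
]

if __name__ == "__main__":
    for name, categories in audit(INVENTORY):
        print(f"{name}: unexplained access to {', '.join(categories)}")
```

Apps that appear in the output are the ones to question or uninstall first; an empty result means every high-risk grant matches a need you recorded.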

Shopify also added more transparency features in 2025, letting merchants see detailed information about how apps interact with their store. If an app's listed permissions don't match what it claims to do, that's worth investigating.

The "I Uninstalled It" Problem

Uninstalling an app revokes its access to your Shopify store going forward. But it doesn't delete the data the app already collected while it was installed.

If a reviews app had read_customers access for six months, it may have already copied your customer list to its own servers. Uninstalling the app cuts the live connection, but the data that was already transferred is now subject to that app developer's data retention and security policies — not Shopify's.

This is why prevention matters more than cleanup. Every app you install creates a data footprint you can't fully retract. Shopify requires apps to comply with data deletion requests under GDPR, but enforcement varies and not every app developer handles these requests promptly. For a broader look at how app failures affect your store beyond data, see our Shopify app dependency audit guide.

5 Rules for Smarter App Permission Hygiene

1. Read the permission screen before you click Install. It takes 15 seconds. If an app requests scopes that don't match its advertised function, skip it. A countdown timer asking for customer data is a warning sign.

2. Audit your installed apps quarterly. Set a calendar reminder. Check which apps still have access and whether you're still using them. The app you installed for a Black Friday campaign six months ago is still reading your order data.

3. Uninstall apps you're not actively using. Every idle app is an open door you're not watching. If you're not using it this month, remove it. You can always reinstall later.

4. Prefer apps from established developers. Check the developer's other apps, their review count, and how long they've been on the Shopify App Store. A developer with five apps and 2,000+ reviews has more at stake than one with a single app and 12 reviews. Shopify's "Built for Shopify" badge also signals that the app meets stricter security and performance benchmarks. Our Shopify store security checklist covers additional safeguards beyond app permissions.

5. Don't duplicate functionality. If two apps both have read_customers access and do similar things, keep one and drop the other. Fewer apps with data access means fewer potential failure points. With 17,600+ apps on the Shopify App Store, there's always a temptation to add one more — resist it unless the value is clear.

What Shopify Is Doing (And What It Can't Do)

Shopify has tightened the rules. As of December 2025, apps without approved scopes for protected customer data receive null values for personally identifiable fields — meaning Shopify now blocks unapproved access at the API level rather than relying on app developers to self-regulate.

Apps must also encrypt data at rest and in transit, implement access logging, and comply with mandatory data protection webhooks. These are real improvements.

But Shopify can only control what happens on its platform. Once an app transfers your data to its own servers — which is how most apps function — the security of that data depends entirely on the app developer's infrastructure. A well-built app from a responsible developer handles this correctly. A poorly-built one from a small team cutting corners might store your customer emails in an unencrypted database with a default password.

That's the gap. Shopify secures the handoff. You're responsible for deciding who gets the handoff in the first place.

Start With One Action Today

Open your Shopify admin, go to Settings → Apps and sales channels, and count how many apps have access to customer data. If the number is higher than you expected — and for most merchants running 6+ apps, it will be — pick the one you use least and uninstall it. That's one fewer door someone else holds a key to.

Shopify app permissions aren't a one-time decision. They're an ongoing responsibility. The 5 minutes you spend auditing today could save you from being the next merchant explaining to customers why their data showed up somewhere it shouldn't.