Built on Trust: Making Apps More Secure for Merchants

We’re putting better safeguards in place for all future public apps, and introducing a new type of custom app. Existing apps are unaffected by this release.

Today, most Shopify merchants use a variety of apps to meet the specific needs of their business. To help meet those needs, Shopify enables developers to build in a variety of different ways.

Many apps are commissioned directly by merchants, where there’s a trusted relationship between the merchant and app developer. But many are intended for a general audience—what we call public apps.

When merchants find public apps on the Shopify App Store, they can trust that the app has been through a Shopify review. But before today, when public apps were discovered outside the app store, they weren’t reviewed by Shopify and carried a warning.

Starting today, we’re putting better safeguards in place for the merchants who install these apps. We’re now reviewing all new public apps to the same Shopify standard, wherever they’re discovered.

Merchants will now experience the same install process wherever they discover a public app: they’ll see a consistent listing page and the same payment flow.

In addition, we’re introducing custom apps, a more secure solution for building apps for a single merchant.

In this article, we'll walk you through all of these changes and highlight what they mean for the new apps you’ll build.

What’s changing for public apps

All public apps created after December 9, 2019 will be reviewed by Shopify, and will be installed via a Shopify App Store listing.

This means that, from now on, apps built for a general audience will offer merchants the same trusted, consistent Shopify installation experience. Merchants will be able to clearly see pricing for every app, write their own reviews, and have the same safe payment experience, brokered by Shopify.

"All public apps created after December 9, 2019 will be reviewed by Shopify, and will be installed via a Shopify App Store listing."

As an app developer, you can toggle your app to ‘unlisted’ if you prefer, which means your listing won’t be discoverable in the app store or surfaced in app recommendations across Shopify.

You’ll see these changes, along with general improvements to the developer experience of creating a new app, in theShopify Partner Dashboard.

Process improvements and more features to come

As part of the changes to public apps outlined above, we’re streamlining our app review process, growing our review team, and introducing new tools to help with the process. We’ll add more ways for developers to check for issues before they submit an app, and ensure they’re receiving feedback earlier on.

We’re also actively working on new billing features in order to offer more ways for developers to manage payments for their apps.

Introducing custom apps

So far, we’ve walked you through changes to public apps built for a general audience. But our app platform also supports app development intended for a single merchant store.

Before today, this was facilitated only by private apps that consisted of an API key created by a merchant and shared with a developer. Private apps are missing some of the functionality of public apps, and are not very visible—accessible only from a link at the bottom of the apps section of the Shopify merchant admin.

When we started reviewing how unpublished apps were used, we noticed that many developers were building apps for a single store, to make use of features that private apps didn’t include, likeextensionsand被嵌入到Shopify管理.

To address this, we’ve created custom apps.

Custom apps have all the functionality of a public app and can be created by developers in theShopify Partner Dashboard, then shared with a single merchant. Once a custom app is installed, it will be visible to the merchant from the apps section of their Shopify Admin.

“自定义应用程序的所有功能public app and can be created by developers in the Shopify Partner Dashboard, then shared with a single merchant."

We’ve also included useful information for developers on the app details page, like the date the app was installed by the merchant.

Like private apps, custom apps aren’t required to go through a Shopify review, as they rely on a trusted relationship between an individual merchant and a developer.

Workflows for app development

Our research showed that some unpublished apps were being used specifically for testing purposes. We’ve used this research as the basis for some changes to how public and custom apps are created in theShopify Partner Dashboard.

Draft state

Starting today, when you create an app it will remain in a draft state that can be installed on a local development store as the app is developed. When ready, the app can be shared directly with a merchant if it’s a custom app, or submitted to Shopify for review if it’s a public app.

You might also like:An Insider's Look at the Technology That Powers Shopify.

一个快速回顾

We’ve removed a less safe and secure way to install apps on multiple merchant stores, and are now reviewing all public apps. Here’s a summary of what’s changed:

• New ‘unpublished’ public apps that were installed without a review have now been deprecated. All existing unpublished apps created before December 9 will still work as normal.

• All newly created public apps will be installed via a trusted Shopify App Store listing and reviewed by the Shopify App Store team.

• Custom apps can be created by developers building apps for individual merchant stores. Private apps remain unaffected and can still be created, but we recommend custom apps as a more robust, secure solution.

Public and custom apps are available to build in the partner dashboard starting today. After they’re installed, merchants will be able to see both custom and public apps on their Shopify apps page.

Looking to the future

These changes will make apps built on Shopify more secure, and the merchant experience more consistent and clear.

Simultaneously, we’re working to ensure that developing on our platform continues to be a place filled with creative ideas, ingenuity, and a desire to meet merchant needs around the world.

We're also continuing to roll out education about the new ways to create apps. In the meantime, learn more about the changes mentioned in this article by checking out ourdeveloper documentation.