As a matter of fact I tought the best way to do that is to extend the auth class with a Service replacement
The "same method" is named and used in 3.2.x as Service decoration
If changes to auth are necessary and must be used in core parts, then agree. But if the permissions are separate from forums, then I don't think this would be necessary. It would be sufficient to pass the service replacement or decoration to ones own modules only. I would rather avoid changing the auth class that is used everywhere in the board and only use the adjusted one where it is really needed. But since the board itself will never check the app_ permissions by itself, I doubt that is necessary, because you can pass your adapted auth class to all your own modules easily.
Actually, I don't really think any changes to auth are necessary at all for an additional permission type unless you need special handling (like: apply all app_ permissions if u_app is there or something like that).