How do I check my Supabase RLS policies for security holes?

AuditYourApp performs an automated deep-scan of your Postgres schema. It simulates attacker behavior to identify tables with missing Row Level Security (RLS) policies, permissive "true" policies, and unauthenticated public access risks.

Is AuditYourApp safe to run on a production database?

Yes. The scanner operates in a read-only context for 95% of checks. For write-access verification, it uses transaction rollbacks to ensure no dummy data is left behind.

Does it provide code to fix the security issues?

Yes. Unlike standard scanners that only report errors, AuditYourApp generates the exact SQL snippets and Policy definitions needed to patch vulnerabilities and secure your Supabase project.

What is the difference between the Single Snapshot and Continuous Guard?

The Single Snapshot ($49) is a one-time audit perfect for pre-launch verification. Continuous Guard ($29/mo) runs weekly scans to detect security regressions, ensuring new code pushes do not accidentally expose private data.

Does it offer manual expert review??

Yes, AuditYourApp offers an Expert Architecture Review ($499) which includes manual logic analysis by a human security engineer.

APK Reverse Engineering & Security Analysis

Why APK Reverse Engineering Matters

Every Android APK you publish is a package that anyone can download and decompile. Unlike server-side code, your mobile app binary is fully accessible to attackers. Embedded API keys, hardcoded secrets, Firebase configuration, Supabase URLs, and internal endpoints can all be extracted in minutes using freely available tools.

How Attackers Decompile APKs

Step 1: Obtain the APK

APKs can be downloaded from the Google Play Store using third-party tools, or extracted from a device:

# From a connected device
adb shell pm list packages | grep yourapp
adb shell pm path com.yourcompany.yourapp
adb pull /data/app/com.yourcompany.yourapp/base.apk

Step 2: Decompile with apktool

apktool d base.apk -o decompiled_app

This produces the full resource tree, AndroidManifest.xml, smali bytecode, and all assets.

Step 3: Extract Strings and Secrets

# Search for API keys and URLs
grep -r "supabase" decompiled_app/
grep -r "firebase" decompiled_app/
grep -r "api_key\|apiKey\|API_KEY" decompiled_app/
grep -rE "sk_live_|pk_live_|sk_test_" decompiled_app/  # Stripe keys
grep -rE "eyJ[A-Za-z0-9_-]+" decompiled_app/          # JWT tokens

Step 4: Decompile to Java with jadx

For a more readable view, use jadx to convert DEX bytecode back to Java:

jadx base.apk -d decompiled_java

This produces near-original Java source code that reveals application logic, API call patterns, and authentication flows.

What Attackers Look For

Supabase anon keys and project URLs -- Used to directly query your database
Firebase config objects -- API keys, project IDs, app IDs
Service role keys or admin keys -- Full database access, critical severity
Stripe secret keys -- Can create charges, read customer data
AI/LLM API keys -- OpenAI, Anthropic, etc., used to run up your bill
OAuth client secrets -- Impersonate your app in OAuth flows
Hardcoded JWTs -- May contain elevated privileges
Internal API endpoints -- Staging servers, admin panels

Defense Strategies

1. Never Embed Service-Level Keys

The most important rule: never ship service role keys, admin keys, or secret keys in your APK. These must only exist on your server.

// BAD: In your mobile app
const supabase = createClient(SUPABASE_URL, SERVICE_ROLE_KEY);

// GOOD: In your mobile app, use only the anon key
const supabase = createClient(SUPABASE_URL, ANON_KEY);
// All sensitive operations go through your backend/Edge Functions

2. Rely on Server-Side Security

Since your anon key will be extracted, design your security model assuming the attacker has it. This means:

Enable RLS on every table
Write restrictive policies
Use Edge Functions for privileged operations
Never trust the client

3. Obfuscation (Defense in Depth)

While obfuscation is not a security boundary, it slows down attackers:

// build.gradle
android {
    buildTypes {
        release {
            minifyEnabled true
            shrinkResources true
            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'),
                'proguard-rules.pro'
        }
    }
}

R8/ProGuard renames classes and methods, making decompiled code harder to read. But it does not protect string literals.

4. Use Android Keystore for Runtime Secrets

For secrets that must exist on device (e.g., encryption keys), use the Android Keystore:

val keyStore = KeyStore.getInstance("AndroidKeyStore")
keyStore.load(null)
val keyGenerator = KeyGenerator.getInstance(
    KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore"
)
keyGenerator.init(
    KeyGenSpec.Builder("my_key_alias")
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .build()
)

5. Certificate Pinning

Prevent man-in-the-middle attacks by pinning your server's certificate:

<!-- res/xml/network_security_config.xml -->
<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">your-project.supabase.co</domain>
    <pin-set expiration="2027-01-01">
      <pin digest="SHA-256">base64EncodedSHA256PinHere=</pin>
    </pin-set>
  </domain-config>
</network-security-config>

6. Integrity Checks

Detect if your app has been tampered with or is running in a debugging environment:

fun isDebuggable(context: Context): Boolean {
    return context.applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE != 0
}

fun isRunningOnEmulator(): Boolean {
    return Build.FINGERPRINT.contains("generic")
        || Build.MODEL.contains("Emulator")
}

Automated APK Analysis

AuditYour.app provides automated APK analysis that decompiles your app and scans for exposed Supabase and Firebase configurations, hardcoded secrets, and insecure API patterns. Upload your APK or provide a bundle ID to get a full security report with remediation guidance.