What Is This Vulnerability
Exposed Supabase URL in Mobile App occurs when the Supabase project URL (e.g., https://abcdefghij.supabase.co) is found embedded in a mobile application binary. While the project URL is semi-public by nature (it appears in API calls), its presence in a mobile binary confirms the backend technology and gives attackers the exact endpoint to target.
The URL is typically found alongside the anon key in configuration objects, making it straightforward for attackers to construct authenticated API calls using the Supabase client library.
Why It's Dangerous
The Supabase URL by itself is not a secret, but it is a critical piece of reconnaissance:
- Direct API access — combined with the anon key (usually found alongside the URL), attackers can query the PostgREST API directly, bypassing the mobile app entirely.
- Schema enumeration — attackers can probe the REST API to discover table names, column names, and relationships.
- RLS testing — with the URL and anon key, attackers can systematically test every table for missing RLS policies.
- Auth endpoint abuse — the URL exposes the GoTrue auth endpoints, enabling user enumeration, signup floods, and password brute-forcing.
- Realtime channel snooping — if Realtime is enabled without proper authorization, attackers can subscribe to channels and observe live data.
The medium severity reflects that this is an information disclosure that facilitates further attacks rather than a direct data breach.
How to Detect
Extract the Supabase URL from mobile binaries:
```shell
# Android APK: decompile with jadx, then grep the output tree for both Supabase domains
jadx -d output/ app.apk
grep -r "supabase\.co" output/
grep -r "supabase\.in" output/

# iOS IPA: an IPA is a zip; the Mach-O binary sits at Payload/<App>.app/<App>
unzip app.ipa -d payload/
strings payload/Payload/App.app/App | grep "supabase"
```
Look for the typical configuration pattern:
```javascript
// Common pattern found in decompiled mobile apps
const SUPABASE_URL = "https://abcdefghij.supabase.co";
const SUPABASE_ANON_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...";
```
AuditYour.app's mobile scanner automatically extracts Supabase URLs from both APK and IPA files, then runs the full vulnerability scan against the discovered project.
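The grep commands above tell you that the string "supabase" is present; what a practitioner actually wants from a build-artifact audit is the project ref, which keys sit next to it, and whether any of those keys is more privileged than `anon`. The following script is an added example written for this page, not AuditYour.app's scanner or Supabase's own tooling. It assumes the documented shape of Supabase API keys (JWTs issued with `iss: "supabase"`, a `ref` claim naming the project and a `role` claim of `anon` or `service_role`), decodes the payload without signature verification purely to read those claims, and cross-checks the key's `ref` against the project ref in the URL. The sample input and the JWT in it are constructed; the signature segment is a dummy.

```python
import base64
import json
import os
import re

# A Supabase project URL is <project-ref>.supabase.co (or the older .supabase.in);
# the ref identifies the exact backend an attacker would query directly.
SUPABASE_URL_RE = re.compile(r"https?://([a-z0-9]+)\.supabase\.(?:co|in)\b")
# Supabase API keys are JWTs: three base64url segments, header always starting "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str):
    """Return the JWT payload as a dict WITHOUT checking the signature.

    Enough to read the iss/ref/role claims for triage of a leaked key;
    an unverified decode must never be used for an authorization decision.
    """
    try:
        _header, payload, _sig = token.split(".")
        return json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):  # bad padding, bad JSON, wrong segment count
        return None


def scan_text(text: str) -> dict:
    """Find Supabase URLs and Supabase-issued keys in decompiled source or `strings` output."""
    urls = [{"url": m.group(0), "ref": m.group(1)} for m in SUPABASE_URL_RE.finditer(text)]
    keys = []
    for m in JWT_RE.finditer(text):
        claims = decode_claims(m.group(0))
        if not isinstance(claims, dict) or claims.get("iss") != "supabase":
            continue  # some other JWT (session token, third-party SDK); not a Supabase key
        keys.append({"role": claims.get("role"), "ref": claims.get("ref"),
                     "token_prefix": m.group(0)[:16] + "..."})  # never log the full key
    return {"urls": urls, "keys": keys}


def triage(findings: dict) -> dict:
    """Summarise what the leak gives an attacker, per the risk list above."""
    url_refs = {u["ref"] for u in findings["urls"]}
    roles = {k["role"] for k in findings["keys"]}
    return {
        "url_found": bool(url_refs),
        "anon_key_found": "anon" in roles,
        # service_role bypasses RLS entirely and must never ship in a client binary
        "service_role_key_found": "service_role" in roles,
        # a key whose ref claim equals the URL's ref confirms they belong to the same project
        "key_matches_url": any(k["ref"] in url_refs for k in findings["keys"]),
    }


def scan_directory(root: str) -> dict:
    """Walk a jadx output tree (or an unpacked IPA) and merge findings, tagging each with its file."""
    merged = {"urls": [], "keys": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read().decode("utf-8", errors="ignore")
            except OSError:
                continue
            found = scan_text(text)
            merged["urls"].extend({**u, "file": path} for u in found["urls"])
            merged["keys"].extend({**k, "file": path} for k in found["keys"])
    return merged


def _fake_supabase_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature: constructed test data, not a real key."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.{'A' * 43}"


# Constructed excerpt mimicking the config-object pattern seen in decompiled apps
_SAMPLE_ANON_KEY = _fake_supabase_jwt(
    {"iss": "supabase", "ref": "abcdefghij", "role": "anon", "iat": 1700000000, "exp": 2000000000})
SAMPLE_DECOMPILED_SOURCE = (
    "// constructed sample, not a real app\n"
    'const SUPABASE_URL = "https://abcdefghij.supabase.co";\n'
    f'const SUPABASE_ANON_KEY = "{_SAMPLE_ANON_KEY}";\n'
)

if __name__ == "__main__":
    findings = scan_text(SAMPLE_DECOMPILED_SOURCE)
    print(json.dumps({"findings": findings, "triage": triage(findings)}, indent=2))
```

Run `scan_directory("output/")` on the jadx tree from the commands above to get the same report per file. The `role` claim is the detail worth acting on: an `anon` key beside the URL is the expected (medium) finding this page describes, while a `service_role` key in the same binary is a different, far more serious problem.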
How to Fix
The Supabase URL cannot be fully hidden in a mobile app since the app needs to communicate with the backend. Instead, mitigate the risks:
```sql
-- Ensure every table in the public schema has RLS enabled
DO $$
DECLARE
  tbl RECORD;
BEGIN
  FOR tbl IN
    SELECT tablename FROM pg_tables
    WHERE schemaname = 'public' AND rowsecurity = false
  LOOP
    EXECUTE format('ALTER TABLE public.%I ENABLE ROW LEVEL SECURITY;', tbl.tablename);
    RAISE NOTICE 'Enabled RLS on %', tbl.tablename;
  END LOOP;
END $$;

-- Restrict auth signup if not needed
-- In the Supabase dashboard: Authentication > Settings > Disable signup
```
Additional mitigations:
- Proxy all API calls through your own backend to hide the Supabase URL from the client entirely.
- Use Supabase's API rate limiting and abuse detection features.
- Disable unused API endpoints (e.g., if you do not use Realtime, disable it).
- Implement certificate pinning to prevent traffic interception and URL discovery via proxy tools.
- Regularly scan your own apps with AuditYour.app to catch misconfigurations before attackers do.