How do I check my Supabase RLS policies for security holes?

AuditYourApp performs an automated deep-scan of your Postgres schema. It simulates attacker behavior to identify tables with missing Row Level Security (RLS) policies, permissive "true" policies, and unauthenticated public access risks.

Is AuditYourApp safe to run on a production database?

Yes. The scanner operates in a read-only context for 95% of checks. For write-access verification, it uses transaction rollbacks to ensure no dummy data is left behind.

Does it provide code to fix the security issues?

Yes. Unlike standard scanners that only report errors, AuditYourApp generates the exact SQL snippets and Policy definitions needed to patch vulnerabilities and secure your Supabase project.

What is the difference between the Single Snapshot and Continuous Guard?

The Single Snapshot ($49) is a one-time audit perfect for pre-launch verification. Continuous Guard ($29/mo) runs weekly scans to detect security regressions, ensuring new code pushes do not accidentally expose private data.

Does it offer manual expert review??

Yes, AuditYourApp offers an Expert Architecture Review ($499) which includes manual logic analysis by a human security engineer.

A Practical Guide to Mobile App Penetration Testing

Think of mobile app penetration testing as a controlled, ethical attack on your own application. It's about finding the security holes before someone with malicious intent does. We're talking about a mix of smart automated scanning and hands-on, manual hacking to uncover weaknesses in your app's code, its backend, and how it communicates with APIs.

Why Mobile App Security Is More Critical Than Ever

A smartphone with a security shield protecting it from bugs originating from Supabase and Firebase cloud services.

The days when you could treat mobile security as a "we'll get to it later" task are over. If you're building with modern stacks like Supabase or Firebase, you know the pressure to ship features fast. But that speed can come at a cost—these powerful platforms, when misconfigured, can create a fast lane to a major data breach.

Ignoring the unique threats that mobile apps face is a gamble you can't afford to take. Unlike a web app, your mobile app lives directly on thousands of user devices. This creates a much wider attack surface, from insecure local data storage to easily exploited app permissions. A single weak app can compromise a user's entire device, with devastating results for them and your business.

The Escalating Threat Landscape

The numbers don't lie. The mobile threat environment is getting more dangerous by the day. We've seen a massive spike in security incidents, with 62% of organisations suffering at least one breach in the last year alone. One recent analysis of nearly 39,000 apps found an average of 8.9 vulnerabilities per app, many of them critical.

Banking trojans are on the rise, growing by 29% year-on-year, and the average cost of a data breach in Europe has climbed to a staggering £3.4 million. These aren't just abstract figures; you can read more about these trends in Vervali's 2026 security report.

This translates into very real business risks:

Data Breaches: Misconfigured backend rules can easily lead to sensitive user data being exposed.
Reputational Damage: A public security failure can instantly destroy the trust you've worked so hard to build.
Financial Loss: The fines for failing to comply with data protection laws are severe.
Intellectual Property Theft: A determined attacker can reverse-engineer your app to steal your code and business logic.

To put this into context, here’s a look at some common vulnerabilities we see in modern mobile apps and the real-world consequences they can have.

Common Mobile Vulnerabilities and Their Business Impact

| Vulnerability Type | Common Cause (Supabase/Firebase) | Potential Business Impact | Detection Method | | :--- | :--- | :--- | :--- | | Insecure Row Level Security (RLS) | Default or overly permissive RLS policies allowing users to read/write data they shouldn't access. | Widespread data leakage, unauthorised data modification, full database compromise. | Automated RLS logic testing, manual policy review. | | Exposed Backend Secrets | Hardcoded API keys, secrets, or Firebase database URLs left in the client-side APK/IPA file. | Full backend access for an attacker, leading to complete data exfiltration or destruction. | Static binary analysis, secrets scanning. | | Publicly Callable Functions (RPCs) | Supabase database functions (RPCs) that lack proper authentication or authorisation checks. | Unauthorised actions, data manipulation, denial-of-service attacks. | Dynamic testing, fuzzing endpoints. | | Insecure Data Storage | Sensitive information (tokens, user data) stored unencrypted in local files or databases on the device. | Data theft from a lost or compromised device, account takeovers. | Static and dynamic analysis of file storage. |

As you can see, a simple misconfiguration can quickly spiral into a catastrophic business event. This is why a proactive security posture is no longer optional.

Shifting from Reactive to Proactive Security

The old approach of running a single penetration test just before launch simply doesn't work anymore. Modern development moves too fast. Instead, security needs to be a continuous, integrated part of your workflow. This is where automated red teaming platforms really shine, especially for teams relying on Backend-as-a-Service (BaaS) providers.

Think of an automated security tool as a persistent, vigilant member of your team. It continuously scans for those common-but-critical misconfigurations—like exposed Row Level Security (RLS) policies or public RPCs—that a human might miss during a rushed sprint.

This proactive approach means developers can find and fix vulnerabilities as they code. You get instant, actionable feedback right inside your development environment, rather than a dreaded report from an external auditor weeks later.

By embedding mobile app penetration testing into your process from day one with tools like AuditYour.App, you build a more secure, resilient application from the ground up. It cultivates a strong security culture and lets you ship new features with confidence, not anxiety.

Preparing for Your First Mobile Penetration Test

Jumping straight into a mobile app penetration test without a plan is a recipe for wasted time and missed vulnerabilities. The real work doesn't start with running a scanner; it begins with meticulous preparation and understanding exactly what you’re trying to defend. Think of it as drawing a map before you explore new territory.

First things first, you need to define your scope. What are you actually testing? It’s rarely just one thing. You have to map out every piece of your application’s ecosystem.

The iOS Application: Your compiled .ipa file that users get from the App Store.
The Android Application: The .apk or .aab file you're distributing through Google Play.
Backend APIs: All the endpoints your app talks to. This is especially critical for modern BaaS platforms like Supabase or Firebase, where misconfigurations can be catastrophic.
Third-Party Services: Any external APIs or SDKs woven into your app's code.

Getting this scope right is non-negotiable. If it's too narrow, you'll leave gaping holes. If it's too broad, you'll burn through your budget testing things that don't matter.

Adopting an Attacker's Mindset with Threat Modelling

Once you know the what, you need to figure out the how. How would a real attacker try to break your app? This is where threat modelling becomes your most powerful tool. It’s about stepping into an attacker's shoes to analyse your app's unique business logic and data flows, not just ticking off a generic vulnerability checklist.

For an app built on a BaaS platform, for example, this means homing in on the most common attack vectors I see in the wild. You’d trace key user journeys and start asking tough questions. Can a regular user somehow trigger an admin-only function? In a multi-tenant app, what’s stopping one user from peeking at another's data?

This process naturally surfaces the high-risk areas. For startups, the low-hanging fruit for attackers is often misconfigured Row Level Security (RLS) and publicly exposed Remote Procedure Calls (RPCs). With the penetration testing market set to grow steadily through 2031, driven by regulations like GDPR, this isn't just a theoretical exercise. Mobile apps have recently accounted for 22% of data breaches in SMEs. Since GDPR enforcement began, fines have climbed over £200 million, pushing 65% of UK firms to test regularly. You can dig into these trends in a detailed industry report from 6Wresearch.

Threat modelling forces you to answer a critical question: what does a security failure actually look like for your app? Is it one user reading another’s private messages? Or is it an unauthenticated user calling a sensitive database function? Defining these failure scenarios gives your test a laser focus.

Assembling Your Toolkit and Environment

With your scope mapped and threats identified, it’s time to get your hands dirty and set up your testing environment. You'll need the application builds for both iOS and Android, any source code you can get, and of course, test credentials for different user roles—think standard user, premium user, and admin.

Thankfully, you don't always need a complex lab setup anymore. Platforms like AuditYour.App have made getting started much easier; you can often just point it at an app store link or upload the application file to kick off a scan.

As you can see, modern tools cut down the setup time dramatically. This means your team can go from an app store listing to uncovering hardcoded secrets or backend misconfigurations in minutes.

Finally, set clear objectives. Are you just trying to get a compliance certificate? Are you prepping for a major launch? Or are you hunting down a specific, reported issue? Your goals will shape the entire engagement. This groundwork ensures every part of the test is tied to a concrete business objective, which makes the final report and its findings infinitely more valuable. For a more granular view, have a look at our mobile app security checklist.

Alright, you’ve done the prep work. Now for the fun part: getting your hands dirty and actually hunting for vulnerabilities in the mobile app. This is where we move from planning to active analysis, using two core methodologies: Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).

Think of it this way: static analysis is like going through an app's source code or its compiled package with a fine-tooth comb when it’s not running. Dynamic analysis, on the other hand, is about poking and prodding the live, running application to see how it behaves under pressure. You need both for a proper test.

This whole process of preparing for a successful pen test—scoping it out, modelling threats, and gathering your tools—is the foundation for everything that follows.

A three-step diagram outlining the penetration test preparation process: scope test, model threats, and gather tools.

Without this groundwork, you're just testing in the dark.

Kicking Things Off with Static Analysis (SAST)

Static analysis is always my first port of call. It focuses on finding flaws baked directly into the app's package—the .apk file for Android or .ipa for iOS. The goal here is simple: decompile the app and sift through its guts for hardcoded secrets, insecure code, and configuration mistakes.

A surprising number of developers think that once their code is compiled, any secrets inside are safe. This is a critical, and common, mistake. It’s trivial to reverse-engineer these packages. In this stage, you’re hunting for:

Hardcoded API Keys: Think keys for services like Stripe, AWS, or other third-party integrations just sitting in plaintext.
Backend Configuration Files: Files like google-services.json which can expose sensitive project IDs and backend details.
Supabase Secrets: Finding an exposed anon key is normal, but stumbling upon a service_role key is a game-over scenario. It gives an attacker complete administrative control over your entire backend.

The mobile app security market is projected to skyrocket to $23.17 billion by 2030, growing at a blistering 22.3% CAGR. This growth brings massive risk, especially with no-code tools where insecure cryptography—a 7% OWASP risk—is often found in frontend bundles. This just highlights why you absolutely must scan for hardcoded secrets. It's a core feature in tools like AuditYour.App that can massively reduce risk, even for non-technical founders. You can read more in the full report from DataInsightsMarket.

I’ve lost count of how many times I've found a Supabase service_role key left in an Android app's strings.xml file. An attacker can pull this key in minutes, connect directly to the database admin API, and simply walk out with all the user data. A single mistake like this makes all your Row Level Security policies completely worthless.

If you want to get your hands dirty with this, our guide on APK reverse engineering gives you a step-by-step breakdown of the specific tools and techniques you'll need.

Intercepting Live Traffic with Dynamic Analysis (DAST)

While static analysis looks at the app at rest, dynamic analysis tests it in motion. This means running the app on a real device or emulator and intercepting the network traffic between the app and its backend. It’s the only way to see how the API actually works and, more importantly, how you can abuse it.

Using a proxy tool like Burp Suite or OWASP ZAP, you can capture, inspect, and even tamper with API requests and responses on the fly. This is where you uncover a completely different class of vulnerabilities that are invisible from just looking at the code.

During dynamic testing, your main targets should include:

Insecure Direct Object References (IDORs): This is a classic. Can you change an ID in an API call (e.g., /api/users/123/profile) to someone else’s ID (/api/users/456/profile) and see their data?
Broken Authentication: What happens if you just delete the Authorization header from a request? Does the API still let you in? Can you call an admin-only endpoint using a regular user's token?
Business Logic Flaws: These are unique to the app’s purpose. In an e-commerce app, for instance, can you apply a discount code more than once? Or maybe change an item's price directly in the checkout API call?

Static vs Dynamic Testing Approaches

To make it clearer, here’s a quick comparison of the two methodologies. Understanding when to use each is key to an effective pen test.

At the end of the day, a proper mobile app pen test isn't about choosing one method over the other. You absolutely have to combine them. Static analysis finds the secrets you accidentally left in the code, and dynamic analysis tests what an attacker can do with the doors you left unlocked on your server.

Testing Your Backend and Proving Data Leaks

A security diagram illustrating data access, showing locked items being unlocked for a user and public endpoint.

Once you've picked apart the app on the device, your focus has to shift. The real treasure trove of vulnerabilities often lies where the app talks to its backend, especially with modern stacks like Supabase and Firebase. This is where you connect the dots.

An app might look like a fortress on the surface, but a misconfigured backend can make all your client-side security work completely pointless. Honestly, it’s like spending a fortune on a bank vault door but leaving the back wall made of plasterboard.

Uncovering Backend Misconfigurations

So, where do you start looking? Your first port of call should always be how the backend manages data access. With Backend-as-a-Service (BaaS) platforms, two of the most common and dangerous slip-ups I see are overly permissive Row Level Security (RLS) policies and publicly exposed Remote Procedure Calls (RPCs).

RLS policies are just database rules that decide which rows of data a specific user can touch. When those rules are written too broadly or have a simple logical flaw, they can open up gaping security holes.

I can't tell you how many times I've found an RLS policy that just checks auth.uid() = user_id. On the face of it, that looks okay. But what happens if an attacker can control that user_id when creating or updating a record? Suddenly, they can write data pretending to be someone else.

It's the same story with RPCs, which are basically database functions you can call directly from the app. They're incredibly useful, but they're also a huge risk. If a function that handles something sensitive—say, deleting a user account—doesn't have rock-solid authorisation checks, anyone who can guess its name can call it. That’s a fast track to total chaos.

From Theory to Tangible Proof

Finding a potential weakness is one thing, but proving it’s a real threat is another. To get buy-in from your team and leadership, you need to build a Proof-of-Concept (PoC). A good PoC takes a theoretical "what if" and turns it into a tangible "look at this," showing exactly how a flaw leads to a data breach.

I find a scenario-based approach works best. Imagine a multi-tenant app where different companies have their data stored in the same database. Your mission is to prove that a regular user from Company A can get their hands on sensitive data from Company B.

This means you’ll need to craft specific API requests or database queries that exploit the flawed logic you've spotted. For example, you might try to manipulate a request to ask for data using another company's ID, just to see if the weak RLS policy lets it slide.

This is where automated tools can be a lifesaver. Platforms like AuditYour.App are built to automatically fuzz this kind of logic. They can throw thousands of different tests at your RLS policies and RPCs to find those tricky edge cases that lead to data leaks. For a deeper look at locking down these endpoints, our guide on API security best practices is a great resource.

Creating a Data Exfiltration PoC

Let's walk through building a PoC for a leaky RLS policy. The goal here is simple: prove one user can read another's private data.

First, you need to find a target. Look for an API endpoint that is supposed to fetch data for the currently logged-in user, something like /api/v1/projects?user_id=eq.self.

Next, get a valid session token for a normal user, let's call them User A from Company A. This gives you your starting point.

Now for the fun part. Using User A's token, you’ll need to tweak the API request to try and grab data belonging to User B in Company B. Often, this is as simple as changing a query parameter or a value in the request body.

Finally, you execute the request and check the response. If the API hands over data that belongs to User B, you’ve done it. You have undeniable proof of a broken access control policy.

This kind of test provides hard evidence of a critical vulnerability. You're not just handing over a report with a vague warning; you're showing them that User A can see User B's private information. When you present that to the development team, the risk is no longer theoretical. It’s a real-world security incident just waiting to happen, and it gets the priority it deserves.

From Findings to Fixes: Closing Security Gaps and Automating Defence

Getting a pentest report full of red flags is one thing; actually fixing them is where the real work begins. A finding is just a data point. An actionable remediation plan is what turns that worrying report into a genuinely more secure application.

It's not enough to be told you have a leaky Row Level Security (RLS) policy. You need to know exactly what line of SQL to change and why. The focus has to be on practical, immediate fixes that turn abstract risks into resolved tickets.

Getting Remediation Right in the Real World

I see this all the time with Supabase RLS policies. A developer, with the best intentions, writes a policy that looks secure on the surface but has a subtle, dangerous flaw hiding in plain sight.

Before (The Vulnerable Policy):

Let's say you have a policy to ensure users can only see their own projects. It probably looks something like this, checking if the logged-in user's ID matches the user_id on the project.

-- Leaky RLS policy for 'projects' table CREATE POLICY "Users can view their own projects." ON public.projects FOR SELECT USING ( auth.uid() = user_id );

So, what’s the problem? This policy only covers SELECT (read) operations. It says nothing about who can INSERT or UPDATE data. An attacker could easily create a new project and assign it to someone else’s user_id, or simply change the owner of an existing project.

After (The Secure Fix):

The right way to fix this is to be explicit. You need separate, watertight policies for each action. Notice the WITH CHECK clause here—it’s crucial because it validates the data before it's even written to the database.

-- Secure RLS policy for SELECT CREATE POLICY "Users can view their own projects." ON public.projects FOR SELECT USING ( auth.uid() = user_id );

-- Secure RLS policy for INSERT CREATE POLICY "Users can create projects for themselves." ON public.projects FOR INSERT WITH CHECK ( auth.uid() = user_id );

This simple "before and after" highlights how a small tweak in your SQL can slam the door on a major vulnerability. The same logic applies when securing database functions (RPCs); you must add authorisation checks right at the start of the function, before any other code runs.

It's critical to realise that security isn't a one-and-done job. A perfectly secure RLS policy today can be undermined tomorrow by a new, less-secure function that interacts with the same table. This is exactly why you can't rely on manual checks alone.

Shifting Left: Making Security Part of Your CI/CD Pipeline

For any team moving quickly, the only sustainable way to manage security is to "shift left"—baking it directly into your development workflow. This is where automation becomes your most valuable player. By wiring security scans into your CI/CD pipeline, you stop reacting to fires and start preventing them.

Instead of a yearly pentest being your only safety net, your pipeline can act as a constant guardian, automatically checking for issues with every single commit.

Hardcoded Secrets: Catch API keys and other credentials before they ever make it into your main branch.
Backend Misconfigurations: Instantly flag overly permissive RLS policies or public RPCs that lack proper checks.
Vulnerable Dependencies: Get alerts about outdated libraries with known security exploits.

This approach gives you a set of "continuous guards" that ensure security isn't just a final hurdle, but a constant checkpoint. Tools like AuditYour.App are built for this. They let you automate the kind of deep, time-intensive scans that are impossible to do manually on every build, acting as a vigilant gatekeeper in your workflow.

When security scanning is just another routine step in your build process, you do more than just catch bugs. You build a culture of security that helps your team catch regressions early, maintain a strong defensive posture, and ship features with genuine confidence.

Your Mobile App Pen Testing Questions, Answered

Even with a solid playbook in hand, you’re bound to have questions. I get these all the time from developers, founders, and CTOs, so I've put together some straight answers to the most common ones.

How Often Should I Run a Mobile App Pen Test?

The textbook answer you’ll often hear is "once a year". And sure, an annual test is a decent baseline—it’s certainly better than nothing. But for many modern apps, it's nowhere near enough.

If your app handles anything sensitive, like financial details or personal health records, you need to test more frequently. The same goes for apps that are constantly evolving. A good rule of thumb is to run a focused test after any major feature release or significant architectural change. For instance, if you've just switched payment providers or refactored your entire authentication flow, that’s your cue to get it tested.

For teams shipping code daily, the best approach is to stop thinking of security as a one-off event. By integrating continuous, automated scanning into your CI/CD pipeline, you make security a routine part of development, catching issues the moment they're introduced.

This way, you keep your security posture strong without slowing down your release cycle.

What's the Real Difference Between Automated Scanning and a Manual Pen Test?

This is a big one, and it’s not an either/or situation. Think of it as two different tools for two different jobs.

Automated scanning tools, like AuditYour.App, are incredibly fast and efficient at finding the common, known vulnerabilities. They’re brilliant for flagging things like:

Hardcoded secrets (think API keys and passwords) accidentally left in your APK or IPA file.
Insecure default security rules in your Supabase or Firebase backend that leave data exposed.
Out-of-date libraries with well-known security holes.
Database functions that are publicly exposed without any real authentication.

Automation gives you speed and broad coverage, which is exactly what you need for continuous checks inside your development workflow.

A manual penetration test, however, is where human creativity comes in. A person—a security expert—isn't just looking for known signatures. They’re actively trying to break your app's business logic, chain together several seemingly minor flaws, and find those complex vulnerabilities that scanners simply can't see. A manual tester thinks like an attacker.

Ultimately, a strong security strategy uses both. Automation handles the constant, wide-net scanning, while periodic manual tests provide the deep, focused analysis to find what the machines miss.

Can I Just Pen Test My Own App?

Yes, absolutely. In fact, you should be doing basic security checks on your own app. This entire guide is designed to give you a playbook to get started. Running your own tests helps you spot the low-hanging fruit early and builds a much-needed security-first mindset within your team.

But—and this is a big but—self-assessment is not a substitute for a formal, third-party test. An external tester brings two things you can't replicate: a completely unbiased perspective and years of specialised experience. It's incredibly easy to develop blind spots when you're deeply familiar with your own code.

An external expert doesn’t share your assumptions. They will question everything and approach your app with an adversarial mindset from day one. Plus, if you need to prove your security for compliance reasons (like GDPR or HIPAA) or to win over enterprise clients, a report from an independent, reputable third party is usually a deal-breaker.

Ready to see what an automated red team can uncover in your mobile app? With AuditYour.App, you can scan your application from an app store link or binary file and get actionable results in minutes. It's time to find and fix the critical backend misconfigurations and hardcoded secrets that basic checks miss. Start your scan now.