iOS IPA Security Analysis Guide

How to analyze iOS apps for embedded secrets and vulnerabilities

Last updated 2026-01-15

iOS IPA Analysis Overview

An IPA (iOS App Store Package) file is a ZIP archive containing the compiled iOS application binary, resources, frameworks, and metadata. While iOS apps are generally harder to reverse engineer than Android APKs due to Apple's encryption and code signing, it is far from impossible. Attackers regularly extract secrets from iOS apps, and any sensitive key or credential embedded in the binary should be considered compromised.

Obtaining IPA Files

From a Jailbroken Device

On a jailbroken device, decrypted IPA files can be extracted using tools like frida-ios-dump or CrackerXI:

# Using frida-ios-dump
python dump.py com.yourcompany.yourapp

From iTunes/Apple Configurator

Older versions of iTunes and Apple Configurator can download IPA files. Third-party tools also exist.

From macOS (Apple Silicon)

iOS apps running on Apple Silicon Macs can be inspected directly on the filesystem.

Analyzing the IPA Structure

# Unzip the IPA
unzip YourApp.ipa -d extracted

# Examine the structure
ls extracted/Payload/YourApp.app/

# Key files to inspect:
# - Info.plist          (app configuration, URL schemes, permissions)
# - GoogleService-Info.plist  (Firebase configuration)
# - embedded.mobileprovision  (provisioning profile)
# - Frameworks/         (embedded frameworks)
# - *.js / *.bundle     (React Native / web bundles)

Extracting Secrets

String Extraction from Binaries

# Extract strings from the main binary
strings extracted/Payload/YourApp.app/YourApp > strings_output.txt

# Search for common patterns
grep -E "supabase|firebase|sk_live|sk_test|api[_-]?key|secret" strings_output.txt
grep -E "eyJ[A-Za-z0-9_-]+" strings_output.txt  # JWT tokens
grep -E "https?://[a-z0-9.-]+\.supabase\.co" strings_output.txt

Plist Analysis

Property list files often contain configuration data:

# Convert binary plist to XML (plutil rewrites the file in place)
plutil -convert xml1 extracted/Payload/YourApp.app/Info.plist

# Check GoogleService-Info.plist for Firebase config
plutil -convert xml1 extracted/Payload/YourApp.app/GoogleService-Info.plist
cat extracted/Payload/YourApp.app/GoogleService-Info.plist

The GoogleService-Info.plist contains the Firebase API key, project ID, storage bucket, and other configuration values that can be used to interact with your Firebase backend.

JavaScript Bundle Analysis (React Native / Expo)

React Native apps bundle JavaScript that is easily readable:

# Find JavaScript bundles
find extracted/ -name "*.jsbundle" -o -name "*.bundle" -o -name "main.js"

# Search for secrets in JavaScript
grep -rE "supabase|firebase|SUPABASE_URL|FIREBASE_|apiKey|service_role" extracted/Payload/YourApp.app/*.jsbundle

React Native apps are particularly vulnerable because the entire application logic (including API keys and configuration) is in readable JavaScript, often with source maps included.
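The grep patterns above cannot tell a public client key from a privileged one. The following added example (not part of the original guide or of any tool it mentions) is a pre-release check for your own build: it walks every file in the IPA, decodes the payload of each `eyJ...` token, and rates it by its `role` claim, on the assumption that Supabase keys are JWTs carrying `role` set to `anon` or `service_role`. The sample IPA, its file names and its tokens are constructed.

```python
import base64
import io
import json
import re
import zipfile

JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
LIVE_KEY_RE = re.compile(rb"sk_live_[A-Za-z0-9]+")

def jwt_claims(token: bytes) -> dict:
    """Decode the payload segment of a JWT without verifying the signature."""
    payload = token.split(b".")[1]
    payload += b"=" * (-len(payload) % 4)  # restore stripped base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return {}
    return claims if isinstance(claims, dict) else {}

def scan_ipa(ipa_bytes: bytes) -> list:
    """Return sorted (severity, file, detail) findings for an IPA archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        for name in ipa.namelist():
            data = ipa.read(name)
            for token in set(JWT_RE.findall(data)):
                role = jwt_claims(token).get("role", "unknown")
                # service_role must never ship; anon is meant to be public
                severity = "HIGH" if role == "service_role" else "INFO"
                findings.append((severity, name, f"JWT role={role}"))
            if LIVE_KEY_RE.search(data):
                findings.append(("HIGH", name, "sk_live secret key"))
            if name.endswith(".map"):
                findings.append(("MEDIUM", name, "source map shipped"))
    return sorted(findings)

def _jwt(role: str) -> bytes:  # constructed, unsigned sample token
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=")
    return b".".join([enc({"alg": "HS256"}), enc({"role": role}), b"c2ln"])

def build_sample_ipa() -> bytes:
    buf, app = io.BytesIO(), "Payload/YourApp.app/"
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(app + "main.jsbundle", b'const k="' + _jwt("service_role") + b'";')
        z.writestr(app + "config.json", b'{"anon":"' + _jwt("anon") + b'"}')
        z.writestr(app + "main.jsbundle.map", b"{}")
    return buf.getvalue()

if __name__ == "__main__":
    print(*scan_ipa(build_sample_ipa()), sep="\n")
```

In CI, pass the bytes of the release IPA to `scan_ipa` and fail the build on any HIGH finding.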

Framework Analysis

Third-party frameworks embedded in the app may contain their own secrets:

# List embedded frameworks
ls extracted/Payload/YourApp.app/Frameworks/

# Extract strings from each framework
for fw in extracted/Payload/YourApp.app/Frameworks/*.framework; do
  # Quote every expansion so framework names containing spaces are handled
  name="$(basename "$fw" .framework)"
  echo "=== $name.framework ==="
  strings "$fw/$name" | grep -iE "key|secret|token|api"
done

Advanced Analysis with Class-dump and Hopper

Class-dump

Extract Objective-C class information:

class-dump extracted/Payload/YourApp.app/YourApp > classes.h

# Look for security-relevant classes
grep -E "API|Key|Secret|Token|Auth|Config|Supabase|Firebase" classes.h

Hopper / IDA Pro / Ghidra

For deeper binary analysis, use a disassembler:

  1. Load the main binary into Hopper or Ghidra
  2. Search for string references to API endpoints and key patterns
  3. Trace the initialization of network clients to find embedded credentials
  4. Look for certificate pinning implementation (and potential bypass points)

Dynamic Analysis with Frida

Frida enables runtime inspection of iOS apps:

// frida script: Hook NSURLSession to capture API requests
Interceptor.attach(
  ObjC.classes.NSURLSession['- dataTaskWithRequest:completionHandler:'].implementation,
  {
    onEnter: function(args) {
      var request = new ObjC.Object(args[2]);
      console.log('URL: ' + request.URL().absoluteString());
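      var headers = request.allHTTPHeaderFields();
      // allHTTPHeaderFields is nil (null here) when the request sets no headers
      console.log('Headers: ' + (headers !== null ? headers.toString() : '(none)'));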
    }
  }
);

This reveals:

  • API endpoints being called
  • Authentication headers (including API keys and JWTs)
  • Request/response payloads

iOS-Specific Security Features

App Transport Security (ATS)

Check if ATS exceptions weaken transport security:

<!-- Info.plist - look for these dangerous exceptions -->
<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key>
  <true/>  <!-- DANGEROUS: Disables all transport security -->
</dict>
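An added example (not from the original guide) that automates this check for your own build: it parses an Info.plist in either XML or binary form and lists ATS weaknesses. It goes beyond the single key shown above by also checking the other global `NSAllowsArbitraryLoads*` keys and per-domain entries under `NSExceptionDomains`. The sample plist and the domain `legacy.example.com` are constructed.

```python
import plistlib

GLOBAL_KEYS = ("NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsInWebContent",
               "NSAllowsArbitraryLoadsForMedia")

def audit_ats(info_plist: bytes) -> list:
    """Return ATS weaknesses found in an Info.plist (XML or binary format)."""
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    issues = [f"{key} is enabled" for key in GLOBAL_KEYS if ats.get(key) is True]
    for domain, cfg in sorted(ats.get("NSExceptionDomains", {}).items()):
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"):
            issues.append(f"{domain}: cleartext HTTP allowed")
        if cfg.get("NSExceptionMinimumTLSVersion") in ("TLSv1.0", "TLSv1.1"):
            issues.append(f"{domain}: minimum TLS version lowered")
        if cfg.get("NSExceptionRequiresForwardSecrecy") is False:
            issues.append(f"{domain}: forward secrecy not required")
    return issues

# Constructed sample: a binary Info.plist, the form found inside a built .app
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.yourcompany.yourapp",
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": True,
        "NSExceptionDomains": {
            "legacy.example.com": {
                "NSExceptionAllowsInsecureHTTPLoads": True,
                "NSExceptionMinimumTLSVersion": "TLSv1.0",
            },
        },
    },
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for issue in audit_ats(SAMPLE_INFO_PLIST):
        print("ATS:", issue)
```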

Keychain Usage

Verify the app uses the Keychain for sensitive data rather than UserDefaults or plain files:

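import Foundation
import Security

// GOOD: Using Keychain (apiKey is the secret obtained at runtime)
let query: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrAccount as String: "api_token",
    kSecValueData as String: Data(apiKey.utf8),
    kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly
]
// Store the item; status is errSecSuccess when the write succeeds
let status = SecItemAdd(query as CFDictionary, nil)

// BAD: Using UserDefaults (readable from backup)
UserDefaults.standard.set(apiKey, forKey: "api_key")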

Data Protection

Check that sensitive files use appropriate data protection classes:

try data.write(to: fileURL, options: .completeFileProtection)

Defense Recommendations

  1. Never embed service-level keys in your iOS app binary
  2. Use the Keychain for any secrets that must be stored on device
  3. Implement certificate pinning to prevent MitM attacks
  4. Strip debug symbols from release builds
  5. Do not include source maps in React Native production builds
  6. Enable App Transport Security without exceptions
  7. Use App Attest to verify requests come from genuine app instances
  8. Treat the Firebase/Supabase client config as public and rely on server-side rules

Automated IPA Scanning

AuditYour.app supports IPA file analysis, scanning for embedded Supabase and Firebase configurations, hardcoded API keys, insecure transport settings, and other security issues. Upload your IPA to get a comprehensive security report.
