What Is This Vulnerability
Service Role Key in Mobile Binary is a critical vulnerability where the Supabase service_role key is embedded in a mobile application (APK or IPA). The service role key is a privileged JWT that bypasses all Row Level Security policies and grants full read/write access to every table in the database. It is intended exclusively for server-side use in trusted environments such as Edge Functions, backend APIs, or administrative scripts.
When this key is found in a mobile binary, it means any user who decompiles the app gains unrestricted access to the entire database.
Why It's Dangerous
This is one of the most critical vulnerabilities possible in a Supabase application:
- Complete RLS bypass — the service role key ignores every RLS policy, making all table data accessible regardless of ownership or permissions.
- Full database access — read, insert, update, and delete operations on every table, including auth.users, storage.objects, and internal Supabase tables.
- User impersonation — attackers can read auth tokens, modify user records, or create admin accounts.
- Data destruction — attackers can truncate tables or delete all records with no restrictions.
- Cascading compromise — access to the database may expose additional secrets (payment tokens, integration keys) stored in other tables.
This vulnerability effectively hands complete database admin access to anyone who downloads the app from the App Store or Play Store.
How to Detect
Search for the service role key pattern in decompiled mobile binaries:
# The service_role key is a JWT. The string below is the base64 of the header {"alg":"HS256","typ":"JWT"},
# which is what Supabase-issued keys use; the anon key matches too, so every hit must be decoded.
# Android
jadx -d output/ app.apk
grep -r "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" output/
# Decode any found JWTs and check the role claim. JWT segments are base64url without "=" padding,
# so translate the alphabet and restore the padding first or base64 -d will fail on many payloads.
echo "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImFiY2RlZmdoaWoiLCJyb2xlIjoic2VydmljZV9yb2xlIiwiaWF0IjoxNjk3MjM5MDIyLCJleHAiOjIwMTI4MTUwMjJ9.xxxxx" \
  | cut -d. -f2 | tr '_-' '/+' | awk '{ while (length($0) % 4) $0 = $0 "="; print $0 }' | base64 -d 2>/dev/null
# iOS (after unzipping the IPA into payload/)
strings payload/Payload/App.app/App | grep "eyJhbGciOi"
If the decoded JWT payload contains "role": "service_role", this is a critical finding. AuditYour.app's mobile scanner decodes all discovered JWTs and flags any with the service_role claim.
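The same classification step as a small scanner you can point at jadx or strings output, added here as an example (not AuditYourApp's scanner code): it finds every JWT-shaped string, restores the base64url padding, decodes the claims without verifying the signature, and reports only tokens whose role is service_role. The project ref and the tokens in the sample are constructed.

```python
import base64
import json
import re
from typing import Dict, List

# Three base64url segments. "eyJ" is base64 for '{"', so every JWT with a JSON
# header starts with it, whatever the alg/typ ordering inside the header.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def b64url_decode(segment: str) -> bytes:
    """Decode base64url, restoring the '=' padding that JWT segments strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_payload(token: str) -> Dict:
    """Return the claims of a JWT. No signature check: we only classify the key."""
    claims = json.loads(b64url_decode(token.split(".")[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def scan_for_privileged_jwts(text: str) -> List[Dict]:
    """Report every JWT in text whose role claim is service_role."""
    findings = []
    for match in JWT_RE.finditer(text):
        try:
            claims = decode_payload(match.group(0))
        except (ValueError, UnicodeDecodeError):
            continue  # a lookalike string, not a decodable JWT
        if claims.get("role") == "service_role":
            findings.append({"project_ref": claims.get("ref"), "issuer": claims.get("iss"),
                             "offset": match.start(), "token_prefix": match.group(0)[:24]})
    return findings

def fake_jwt(role: str) -> str:
    """Constructed test token with a fake signature and a hypothetical project ref."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    payload = {"iss": "supabase", "ref": "abcdefghij", "role": role, "iat": 1697239022}
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(payload)}.not-a-real-signature"

# Constructed stand-in for jadx/strings output: an anon key (expected in a
# client), a lookalike string, and a service_role key (the critical finding).
SAMPLE_STRINGS = "\n".join([
    'const val SUPABASE_URL = "https://abcdefghij.supabase.co"',
    f'const val SUPABASE_ANON_KEY = "{fake_jwt("anon")}"',
    "eyJnotreallyajwt.eyJstillnope.x",
    f'const val ADMIN_KEY = "{fake_jwt("service_role")}"',
])
```

Running scan_for_privileged_jwts over the sample returns one finding for the service_role token and ignores the anon key and the lookalike.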
How to Fix
Immediately rotate the service role key via the Supabase dashboard (Settings > API > Regenerate service_role key). Then remove it from the mobile codebase entirely:
import io.github.jan.supabase.createSupabaseClient
import io.github.jan.supabase.postgrest.Postgrest

// CRITICAL: Never do this in mobile code
val supabase = createSupabaseClient(
    supabaseUrl = "https://project.supabase.co",
    supabaseKey = "eyJ...service_role_key..." // NEVER: anyone who decompiles the app gets RLS-free access
) {
    install(Postgrest)
}

// CORRECT: Use the anon key in mobile apps
val supabase = createSupabaseClient(
    supabaseUrl = "https://project.supabase.co",
    supabaseKey = "eyJ...anon_key..." // Safe with proper RLS: every query is scoped by policy
) {
    install(Postgrest)
}
If your app needs to perform privileged operations, proxy them through a secure backend:
import io.ktor.client.request.header
import io.ktor.client.request.post
import io.ktor.client.request.setBody
import io.ktor.http.ContentType
import io.ktor.http.contentType

// Mobile app calls your backend, not Supabase directly. The user's own session
// token identifies who is asking; the backend decides whether they may do it.
val response = httpClient.post("https://api.myapp.com/admin/action") {
    header("Authorization", "Bearer ${userAuthToken}")
    contentType(ContentType.Application.Json)
    setBody(ActionRequest(targetId = "123"))
}
The backend validates the user's token, applies its own authorization check, and only then uses the service role key in a trusted server environment. After rotating the key, audit your database for any unauthorized changes that may have occurred while the key was exposed.