Architecture overview
MapSpoto uses Expo / React Native on the frontend and Supabase for authentication, database, storage, and realtime features on the backend.
The stack itself is not a security guarantee, but it gives us mature building blocks for authentication, permissions, and database controls that we can use to enforce stricter access rules.
Database access control
MapSpoto uses PostgreSQL Row Level Security (RLS) to restrict data access.
This means regular clients can only read data they are permitted to see. They cannot access other users' non-public data through normal app interfaces.
We do not publish large SQL policies directly on the website, but we do keep reviewing and tightening database access rules.
Account and password security
The account system is built on Supabase Auth.
Developers cannot see your plaintext password. Password storage and verification are handled by the authentication system.
Frontend key handling
The app frontend uses only a restricted anonymous access key (Anon Key) to connect to the backend.
High-privilege service keys are not embedded in frontend code or bundled into the app.
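One way to check this on a built JavaScript bundle, as an added example (not MapSpoto's own code): scan the bundle text for JWT-shaped strings and flag any whose role claim is not "anon". It assumes JWT-format Supabase API keys that carry a role claim; findPrivilegedKeys, makeConstructedKey and both sample bundles are hypothetical and constructed for illustration.

```javascript
// Added example, not MapSpoto code. Assumes JWT-format Supabase API keys,
// whose payload carries a "role" claim ("anon" or "service_role").
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

// Decode the (unverified) JWT payload; return null if it is not valid JSON.
function decodePayload(jwt) {
  try {
    return JSON.parse(Buffer.from(jwt.split(".")[1], "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

// Return every JWT in the bundle text whose role claim is anything but "anon".
// Tokens without a string role claim are ignored: they are not Supabase API keys.
function findPrivilegedKeys(bundleText) {
  const findings = [];
  for (const match of bundleText.matchAll(JWT_RE)) {
    const payload = decodePayload(match[0]);
    if (!payload || typeof payload.role !== "string") continue;
    if (payload.role !== "anon") {
      findings.push({ role: payload.role, offset: match.index });
    }
  }
  return findings;
}

// Constructed sample input: unsigned look-alike tokens, not real keys.
function makeConstructedKey(role) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc({ iss: "supabase", role })}.constructed-signature`;
}

const cleanBundle = `createClient("https://project.example", "${makeConstructedKey("anon")}")`;
const leakyBundle = `${cleanBundle};const admin="${makeConstructedKey("service_role")}";`;

console.log(findPrivilegedKeys(cleanBundle));
console.log(findPrivilegedKeys(leakyBundle));
```

A non-empty result should fail the release pipeline, and any key it finds should be rotated, since a key that reached a shipped bundle has to be treated as exposed.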
Security checks
We use third-party tools and platform features to check for common security issues, for example:
- Supabase Security Advisor to review database, RLS, and storage access settings.
- Dependency security scanning to detect known issues in third-party packages.
- Code scanning tools to look for common security mistakes and misconfigurations.
- Secret scanning to confirm that high-privilege keys or sensitive environment variables were not committed by mistake.
Latest dependency security check (June 4, 2026, version 1.4.0)
We reran the frontend dependency security check and confirmed that the previously handled dependency findings did not reappear.
The current result is: Critical 0 / High 0 / Moderate 0 / Low 0.
The current Yarn Audit report shows no dependency vulnerabilities across 1369 dependencies.
We continue to review third-party package risk during dependency updates and before releases, and keep the raw audit report available for verification.
Check tool: Yarn Audit. The raw report is available for download.
Latest secret scanning result (June 4, 2026, version 1.4.0)
We also ran gitleaks to scan the currently version-controlled source files for accidentally committed secrets.
The current result is: 0 findings.
This rerun confirmed no secret findings in the current Git-tracked source files. It did not include Git history, local environment files, runtime configuration files, or locally generated build files.
Check tool: gitleaks. The raw report is available for download.
Latest code security scan (June 4, 2026, version 1.4.0)
We also used Semgrep to run a static security scan on the currently version-controlled frontend source files.
The current result is: 0 findings.
This rerun scanned 573 frontend-related targets. The current result contains no security findings, scan errors, or parsing warnings.
Check tool: Semgrep. The raw report is available for download.
Latest mobile security check (June 4, 2026, version 1.4.0)
We used MobSF to run static security analysis on the iOS and Android packages for MapSpoto.
The iOS result was: 64/100 (Low Risk), with no High-risk findings. App Transport Security is configured with NSAllowsArbitraryLoads=false.
During the iOS review, we confirmed that debug symbols were stripped from hermes.framework/hermes in the Release package, with 0 SO symbols remaining. MobSF still reports generic binary warnings such as SYMBOLS STRIPPED, ENCRYPTED, RPATH, and common C API usage. The local IPA finding ENCRYPTED=false is expected before App Store distribution and does not mean the App Store-distributed package is not protected by Apple encryption.
The Android result was: 55/100 (Medium Risk). MobSF reported one High-risk item: Remote WebView debugging is enabled.
We manually reviewed the Android WebView debugging finding. After decompiling the Release APK, the third-party react-native-webview library only calls WebView.setWebContentsDebuggingEnabled(true) by default when ReactBuildConfig.DEBUG is true. The scanned package is a Release build, and the Turnstile WebView used for login security checks explicitly sets webviewDebuggingEnabled={false}. Therefore, production WebView remote debugging is not enabled by default. We record this item as a static-rule / conditional finding rather than an actual production High-risk vulnerability.
The Android Medium-risk and warning items also include third-party SDK components and static-rule matches, such as exported components, external storage, temporary files, AsyncStorage/SQLite, logging, weak hashes, random number generation, and Sentry crash reporting. We disable non-essential exported components where possible, but expo.modules.clipboard.ClipboardFileProvider is a required read-only provider from Expo Clipboard and must remain android:exported=true; forcing it to false causes Android startup crashes. We record this as an accepted third-party SDK requirement and limit its exposure through restricted provider paths.
Check tool: MobSF. The raw reports are available for download.
Recent improvement areas
- Tightening public profile fields to reduce unnecessary exposure of personal information.
- Removing overly broad public storage access so that entire buckets cannot be listed publicly.
- Simplifying profile completeness rules so that contact details and similar sensitive fields are not treated as required profile signals.
Scope and limits
We will keep improving security settings and product logic, but we do not claim the app is “absolutely secure.”
Security is an ongoing process. If we find new problems, we will fix them and keep tightening our settings.