MapSpoto

Architecture overview

MapSpoto uses Expo / React Native on the frontend and Supabase for authentication, database, storage, and realtime features on the backend.

The stack itself is not a security guarantee, but it gives us mature building blocks for authentication, permissions, and database controls that we can use to enforce stricter access rules.

Database access control

MapSpoto uses PostgreSQL Row Level Security (RLS) to restrict data access.

This means regular clients can only read data they are permitted to see. They cannot access other users' non-public data through normal app interfaces.

We do not publish large SQL policies directly on the website, but we do keep reviewing and tightening database access rules.

Account and password security

The account system is built on Supabase Auth.

Developers cannot see your plaintext password. Password storage and verification are handled by the authentication system.

Frontend key handling

The app frontend uses only a restricted anonymous access key (Anon Key) to connect to the backend.

High-privilege service keys are not embedded in frontend code or bundled into the app.

Security checks

We use third-party tools and platform features to check for common security issues, for example:

  • Supabase Security Advisor to review database, RLS, and storage access settings.
  • Dependency security scanning to detect known issues in third-party packages.
  • Code scanning tools to look for common security mistakes and misconfigurations.
  • Secret scanning to confirm that high-privilege keys or sensitive environment variables were not committed by mistake.

Latest dependency security check

We completed a frontend dependency security review and updated or tightened the packages involved in the high-risk and medium-risk findings from this round.

The current result is: High 0 / Moderate 0 / Critical 0 / Low 1.

The remaining low-severity finding is in a test dependency chain and is not part of the production runtime path.

After the dependency updates, we also completed local startup and core feature verification, including sign-in, maps, event pages, chat, and profile pages. No obvious runtime issue was found in this verification round.

Check tool: Yarn Audit. The raw report is available for download.

Download the raw Yarn Audit report (JSON)

Latest secret scanning result

We also ran gitleaks to scan the currently version-controlled source files for accidentally committed secrets.

The current result is: 0 findings.

This scan covered only the current Git-tracked source files. It did not include Git history or locally generated build files.

Check tool: gitleaks. The raw report is available for download.

Download the raw gitleaks report (JSON)

Latest code security scan

We also used Semgrep to run a static security scan on the currently version-controlled frontend source files.

The current result is: 0 findings.

This scan was rerun after a type-only syntax cleanup. The current result contains no security findings and no parsing warnings.

Check tool: Semgrep. The raw report is available for download.

Download the raw Semgrep report (JSON)

Recent improvement areas

  • Tightening public profile fields to reduce unnecessary exposure of personal information.
  • Removing overly broad public storage access so that entire buckets cannot be listed publicly.
  • Simplifying profile completeness rules so that contact details and similar sensitive fields are not treated as required profile signals.
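To make the Row Level Security approach from the Database access control section and the profile-field and bucket-listing tightening listed above concrete, here is an added illustration in PostgreSQL/Supabase SQL. It is not MapSpoto's own policy set (the page states those are not published); the table names, columns and the bucket name 'avatars' are assumptions, while auth.uid() and storage.foldername() are Supabase's standard helpers.

```sql
-- Assumed schema (not MapSpoto's): public and sensitive profile fields live in
-- separate tables, so no single policy can expose both by accident.
create table public.profiles (
  id           uuid primary key references auth.users (id) on delete cascade,
  display_name text,
  bio          text
);

create table public.profile_private (
  user_id uuid primary key references public.profiles (id) on delete cascade,
  phone   text,
  email   text
);

-- Without these lines the policies below are ignored and every row is
-- readable by any caller holding the anon key.
alter table public.profiles        enable row level security;
alter table public.profile_private enable row level security;

-- Public fields: anyone may read, but only the signed-in owner may change
-- their own row. auth.uid() is the caller's JWT subject (null when anonymous).
create policy "profiles readable by everyone"
  on public.profiles for select
  to anon, authenticated
  using (true);

create policy "owner updates own profile"
  on public.profiles for update
  to authenticated
  using (id = auth.uid())
  with check (id = auth.uid());

-- Sensitive fields: no policy for anon at all, so anonymous requests get zero
-- rows; signed-in users see and edit only their own row.
create policy "owner reads and writes own private fields"
  on public.profile_private for all
  to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

-- Storage: listing a bucket goes through a select policy on storage.objects.
-- Scoping it to the caller's own folder (assumed bucket name 'avatars') means
-- a client can list its own uploads but cannot enumerate the whole bucket.
create policy "users list only their own uploads"
  on storage.objects for select
  to authenticated
  using (bucket_id = 'avatars'
         and (storage.foldername(name))[1] = auth.uid()::text);
```

The Supabase Security Advisor check mentioned above reports tables in the exposed schema that still have RLS disabled, which is the first thing to confirm before relying on policies like these.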

Scope and limits

We will keep improving security settings and product logic, but we do not claim the app is “absolutely secure.”

Security is an ongoing process. If we find new problems, we will continue to fix and tighten them.

Canonical URL: https://www.mapspoto.com/security-practices/en/