From the PTKD Journal
Field notes on mobile app security.
What we're learning from scanning real APKs and IPAs — the patterns that recur, the controls that hold up, and where the new wave of AI-coded apps is breaking older assumptions.

Latest · App Store
Does Apple App Review check for hardcoded AWS S3 keys?
Apple's review process is policy-focused, not a security scanner. Why hardcoded AWS keys slip through, and the IPA scan you should run yourself before submission.
Laurens Dauchy · May 16, 2026 · 8 min read
More posts
- App Store · 9 min
Does Apple App Review check for hardcoded Stripe secret keys in 2026?
Apple does not scan IPA binaries for Stripe sk_live_ tokens, but every iOS user with strings can. The pattern, the fix, and why Stripe itself wants you off secret keys entirely.
Laurens Dauchy · May 16, 2026
- App Store · 9 min
Does Apple review check for hardcoded AWS credentials?
Apple does not scan IPAs for AWS access keys, session tokens, or root account keys. Why every AWS credential type leaks through review, and the IAM patterns that close the gap.
Laurens Dauchy · May 16, 2026
- App Store · 8 min
Does Apple scan for hardcoded Stripe secret keys?
Apple's automated scan is not the same thing as a credential scan. What Apple's static layer actually inspects, what it ignores, and the scanner you should run on your own IPA before submission.
Laurens Dauchy · May 16, 2026
- AI-coded apps · 8 min
Does Cursor AI save my hardcoded Stripe keys in the code?
Cursor's Privacy Mode is OFF by default on Free and Pro plans, which means prompts and code snippets reach Cursor's servers. What is stored, what is shared with model providers, and how to switch off.
Laurens Dauchy · May 16, 2026
- AI-coded apps · 9 min
Is the Supabase service_role key visible in Lovable apps?
If your Lovable.dev app initialises with the Supabase service_role key, it is visible to every visitor and bypasses every RLS policy. The fix order, and how to verify.
Laurens Dauchy · May 16, 2026
- AI-coded apps · 10 min
Lovable.dev Supabase RLS bypass: how it happens, how to fix it
The CVE-2025-48757 attack vector that exposed 170+ Lovable apps, why Lovable's own security scan misses it, and the policy patterns that actually close the gap.
Laurens Dauchy · May 16, 2026
- AI-coded apps · 10 min
Lovable.dev exposed your Supabase service_role key. What now?
The exact rotation order when a Lovable.dev project shipped the Supabase service_role key, plus the recovery steps Lovable's incident response page omits.
Laurens Dauchy · May 16, 2026
- AI-coded apps · 9 min
Why my Lovable Supabase data is still public even with RLS enabled
Enabling Row Level Security is not the same as writing a policy that filters anything. Why USING (true) is the AI's default, and the patterns that actually scope access.
Laurens Dauchy · May 16, 2026
- App Store · 8 min
Replit Agent ITMS-90078 error: what it actually means, and the fix
ITMS-90078 is the Missing Push Notification Entitlement error, not a missing icon. Why Replit Agent builds trigger it, and the two fixes that pass App Store validation.
Laurens Dauchy · May 16, 2026
- AI-coded apps · 9 min
Supabase anon key vs service_role key: which goes where
What each Supabase API key actually does, why one is safe in the client and the other is not, and what changed with the new sb_publishable and sb_secret formats.
Laurens Dauchy · May 16, 2026
- Security · 9 min
The 10-minute mobile app security checklist
Ten checks every Android or iOS app should pass before launch — what to scan for, why each one matters, and the order to fix them in.
Laurens Dauchy · May 16, 2026