Security

    Can App Store reviewers see my Supabase database?

    A 2026 view showing an App Store reviewer using an app as a normal client while Supabase Row Level Security, not the public anon key, controls what data any client can read

    The worry behind this question is reasonable, but it points at the wrong threat. App Store reviewers do not log into your Supabase project or query your tables. They test your app the way any user would. So the real question is not whether a reviewer can see your data, but what your app exposes to anyone holding the anon key, because that is the surface a reviewer, or anyone else, actually touches. Here is who can see what, and how to make sure the answer is "only what you intended."

    Short answer

    No, App Store reviewers do not get direct access to your Supabase database. They interact with your app as a normal client, so what they can see is whatever your app exposes through the anon key and your Row Level Security policies. That is the point that matters: the Supabase anon key is meant to be public and ships in your app, so if RLS is off or a policy is set to true, your data is readable by every client, a reviewer included, and by anyone who extracts the key from your binary. The protection is correct RLS, not hiding the key.

    What you should know

    • Reviewers test the app, not the database: they have no direct access to your Supabase project.
    • The anon key is public: it ships in your app and is not a secret.
    • RLS is the real guard: Row Level Security decides what any client can read or write.
    • true policies expose everything: a policy that allows all makes the table public.
    • The risk is not the reviewer: it is anyone with the anon key and weak RLS.

    Do App Store reviewers access your database directly?

    No. App Review evaluates your app by running it on a device against the App Review Guidelines, the same way a user would. Reviewers do not have your Supabase dashboard login, your database password, or any direct connection to your Postgres instance, so they cannot browse your tables. What they can do is use the app, and the app talks to Supabase with the anon key over its API. So anything the app can fetch and display, a reviewer can see, and anything your RLS blocks, the app cannot fetch in the first place. The reviewer is just a client, with no special access beyond what your own configuration grants every client.

    What can actually be seen, and by whom?

    The answer depends entirely on your Row Level Security. The table makes the access model concrete.

    WhoDirect database access?What they can read
    App Store reviewerNoOnly what the app exposes via the anon key and RLS
    A normal userNoOnly what RLS allows for their role
    Anyone with the anon keyNo dashboard accessEverything if RLS is off or set to true
    You, the developerYes, via the dashboardEverything

    The pattern is clear: nobody outside your team gets dashboard access, but everybody outside your team gets exactly what RLS permits through the public anon key. A reviewer is not a privileged case; the exposure is the same for any client.

    How do you make sure your data is protected?

    Enable Row Level Security on every table and write policies that scope access to the right user. The default posture should be that RLS is on and a row is only readable or writable by the user who owns it, typically by matching the authenticated user's ID against a column on the row. Avoid policies that evaluate to true for everyone, since those make the table public regardless of how the key is handled. Keep the service_role key, which bypasses RLS entirely, out of the app and on your server only. Done this way, the anon key shipping in the binary is fine, because RLS, not secrecy, is what stops a client from reading data it should not.

    What to watch out for

    The first trap is treating the anon key as a secret to hide, when it is designed to be public; effort spent obfuscating it is wasted if RLS is weak. The second is a policy set to true during development and never tightened, which leaves the table open to every client. The third is the service_role key accidentally bundled into the app, which bypasses RLS completely and exposes everything. A pre-submission scan such as PTKD.com (https://ptkd.com) reads the compiled APK, AAB, or IPA against OWASP MASVS and surfaces the Supabase endpoint and any keys embedded in the build, so you can confirm only the anon key ships and then verify your RLS is doing the protecting. Fixing the RLS itself is work you do in Supabase.

    What to take away

    • App Store reviewers do not access your Supabase database directly; they use the app like any client.
    • What they, and anyone with the anon key, can see is determined entirely by your Row Level Security.
    • The anon key is public by design, so the protection is correct RLS, not hiding the key, and the service_role key must never ship in the app.
    • Use a pre-submission scan such as PTKD.com to confirm which keys are in your binary, then verify your RLS scopes every table correctly.
    • #supabase
    • #row-level-security
    • #anon-key
    • #app-review
    • #database-security
    • #rls
    • #ios

    Frequently asked questions

    Can App Store reviewers see my Supabase database?
    Not directly. Reviewers do not have your Supabase dashboard login or any connection to your Postgres instance, so they cannot browse your tables. They run your app as a normal client, so they see only what the app fetches through the anon key and what your Row Level Security allows. Anything RLS blocks, the app cannot fetch, so the reviewer cannot see it either.
    Is the Supabase anon key a secret?
    No. The anon key is designed to be public and ships in your app, so trying to hide it is not the protection. It identifies your project and lets clients call the API, but what those calls can read or write is decided by Row Level Security. The key you must keep secret is the service_role key, which bypasses RLS and must live only on your server, never in the app.
    What actually protects my Supabase data?
    Row Level Security. With RLS enabled and policies that scope each row to the right user, a client, including a reviewer, can only read or write what the policy allows. The common failure is a policy set to true, which makes the table public to every client holding the anon key. Enable RLS on every table, match rows to the authenticated user, and keep the service_role key off the device.
    If reviewers can't see it, why does my data leak?
    Because the reviewer was never the threat. The anon key is public and ships in your binary, so anyone, not just a reviewer, can call your API with it. If RLS is off or set to true, every one of those callers can read your tables. The leak comes from weak RLS combined with a public key, which is exactly why the fix is correct policies rather than worrying about who is reviewing the app.
    How do I check what my app exposes?
    Confirm which keys are in your binary, then verify your RLS. A pre-submission scan such as PTKD.com reads the compiled APK, AAB, or IPA against OWASP MASVS and surfaces the Supabase endpoint and any embedded keys, so you can be sure only the anon key ships and the service_role key does not. With that confirmed, test your Row Level Security policies in Supabase to ensure each table is scoped to the right user.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free