Security

    Does App Review check your Supabase or Firebase backend rules?

    A diagram in 2026 showing App Review inspecting an iOS app binary and its on-screen behavior on one side of a line, with a Supabase and Firebase backend and its Row Level Security rules on the other side, outside Apple's review

    You submitted the app, the backend is connected, and now you are wondering whether App Review will catch an open Supabase table or a loose Firebase rule before it ships. The honest answer is reassuring in one direction and uncomfortable in the other: Apple will not audit your backend rules, which also means it will not save you from a weak one.

    Short answer

    No, App Review does not check your Supabase Row Level Security or Firebase Security Rules. Apple's Guideline 2.1 asks you to keep your back-end service on during review so the app is testable, and reviewers exercise the app against that live backend. They do not log into your database or inspect your server-side authorization. Apple reviews the binary and the app's observable behavior, so a misconfigured RLS policy passes review as long as the app appears to work.

    What you should know

    • App Review needs your backend live: Guideline 2.1 requires the back-end service on, with demo credentials, so the app is testable.
    • It checks behavior, not configuration: reviewers tap through the app; they do not read your RLS policies or Firebase rules.
    • RLS is off by default: in Supabase, every table is reachable by the public anon key until you enable Row Level Security.
    • Firebase rules are not automatic: they are a developer-configured authorization layer you must write, test, and deploy.
    • Passing review is not a backend audit: a clean approval says nothing about whether your database is locked down.

    What does App Review actually check on your backend?

    It checks that the backend is reachable and that the app works against it, not that the backend is secure. Apple's Guideline 2.1 explicitly tells you to turn on your back-end service and provide a demo account so a reviewer can sign in and use the app. From there the review is about behavior: does the app crash, does a feature load, does the content match the description, does the app collect data it did not declare. A common rejection in this area is a backend that returns errors because it does not recognize Apple's review IP range, which makes the app look broken. That is a functionality check, not a security audit.

    Where is the line between the binary and your backend?

    The line is observability. App Review works as a black box that sees two things: the binary you upload and the behavior that binary produces against your live services. It reads the compiled app for declared permissions, linked SDKs, and transport settings, and it watches what the app does on screen and over the network. Your server-side authorization, the RLS policy or Firebase rule that decides whether a request is allowed, sits on the other side of that line, on infrastructure Apple never touches.

    LayerReviewed by App Review?Who secures it
    App binary (permissions, SDKs, transport, stored secrets)Yes, read from the uploadYou, verified by a scan
    App behavior on device and over the networkYes, observed during reviewYou
    Backend uptime and basic functionalityYes, must be live per Guideline 2.1You
    Supabase RLS or Firebase Security RulesNoYou, tested live

    Keep this boundary in mind: anything inside the binary or visible in behavior can be reviewed, and anything that lives only on your server cannot. For the related question of whether Apple reads keys inside the binary, see does App Review check API keys.

    So who is responsible for your Supabase or Firebase rules?

    You are, fully. Firebase documents Security Rules as a developer-configured authorization layer that you write, test in an emulator, and deploy, not as automatic protection. Supabase Row Level Security is off by default, so until you enable it per table and write policies, the public anon key can read or write data it should not. Neither platform turns this on for you, and neither store reviews it. The practical consequence is that the strongest protection for your data is configured and tested by you, before and after submission, independent of whether the app passes review.

    Can a reviewer still notice a backend problem?

    Sometimes, but only when it surfaces in behavior. If a misconfigured backend leaks another user's data into the app's interface, or the app sends data over plain HTTP that App Transport Security would flag, a reviewer can see that and reject under the data and security guidelines. Apple's safety rules require apps to implement appropriate measures to prevent unauthorized access to user information. The limit is that this is incidental: the reviewer notices a visible symptom, not the underlying RLS gap. A backend that is wide open but never exposes the wrong data on screen during a short review will pass, which is exactly why a clean approval is not evidence that the rules are correct.

    What to watch out for

    The trap is false comfort. A submitted app that gets approved feels validated, and it is easy to read that approval as a security pass, but App Review never tested your authorization layer. Treat the boundary as a division of labor: Apple checks the binary and behavior, you secure the backend. A pre-submission scan such as PTKD.com (https://ptkd.com) covers the binary side, reading the compiled APK, AAB, or IPA against OWASP MASVS for exposed keys, weak transport, and risky permissions, while your Supabase or Firebase rules need their own live tests where you confirm an unauthenticated request is actually refused. The two together close the gap that neither App Review nor a single tool closes alone.

    What to take away

    • App Review does not inspect your Supabase RLS or Firebase rules; Guideline 2.1 only requires the backend to be live so the app is testable.
    • The boundary is observability: Apple reviews the binary and behavior, not server-side authorization it cannot see.
    • Backend security is yours to own; RLS is off by default in Supabase, and Firebase rules protect nothing until you write and deploy them.
    • Pair a binary-side pre-submission scan such as PTKD.com with your own live tests of the backend rules, because a clean approval is not proof your database is locked down.
    • #app-review
    • #supabase-rls
    • #firebase-security-rules
    • #backend-security
    • #guideline-2-1
    • #owasp-masvs
    • #ios

    Frequently asked questions

    Does Apple test my Supabase Row Level Security during review?
    No. App Review requires your backend to be live so the app is testable, but reviewers do not log into your Supabase project or inspect your Row Level Security policies. They exercise the app and observe its behavior. A table left open by the public anon key passes review as long as nothing visibly breaks, because Apple reviews the binary and behavior, not your database configuration.
    If my Firebase rules are wrong, will App Review reject my app?
    Almost never on that basis alone. Apple does not read your Firebase Security Rules. A reviewer would only notice a problem if it surfaces in behavior, for example another user's data appearing in the interface. Firebase rules are a developer-configured authorization layer you must write, test, and deploy; they are not reviewed by Apple and are not secure until you set them.
    Why does Apple make me turn on my backend for review then?
    So the app is testable. Guideline 2.1 asks you to keep the back-end service on and provide demo credentials so a reviewer can sign in and use the features. This is a functionality check: the app must work against a live backend. It is not a security review of that backend, and a common rejection is a backend that errors out because it does not recognize Apple's review IP range.
    Does passing App Review mean my backend is secure?
    No. Approval means the app met the App Store Review Guidelines for the binary and observable behavior. It is not a backend audit. App Review never tested your authorization layer, so an open database can sit behind an approved app. Treat approval as a store-compliance result, and secure and test your Supabase or Firebase rules separately.
    What should I check on the backend before submitting?
    Enable Supabase Row Level Security on every table and write policies, then test that an unauthenticated request is refused. For Firebase, write and deploy Security Rules and verify them in the emulator. Keep secrets server-side rather than in the client bundle. None of this is reviewed by Apple, so confirm it yourself with live tests rather than assuming review will catch a gap.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free