Architecture overview
MapSpoto uses Expo / React Native on the frontend and Supabase for authentication, database, storage, and realtime features on the backend.
The stack itself is not a security guarantee, but it gives us mature building blocks for authentication, permissions, and database controls that we can use to enforce stricter access rules.
Database access control
MapSpoto uses PostgreSQL Row Level Security (RLS) to restrict data access.
This means regular clients can only read data they are permitted to see. They cannot access other users' non-public data through normal app interfaces.
We do not publish large SQL policies directly on the website, but we do keep reviewing and tightening database access rules.
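As an added illustration (not MapSpoto's own policy; the paragraph above deliberately does not publish the real SQL), this sketches the shape of a Supabase RLS setup that produces the behaviour described: a client reads its own row plus rows their owners marked public, and nothing else. The table `profiles` and its columns `user_id`, `display_name`, `phone` and `is_public` are assumed names; the view requires Postgres 15 or later.

```sql
-- Added example with an assumed schema; not MapSpoto's actual tables or policies.
create table if not exists profiles (
  user_id      uuid primary key references auth.users (id),
  display_name text not null,
  phone        text,                       -- sensitive; only the owner may read it
  is_public    boolean not null default false
);

-- Step 1: enable RLS. Until this runs, the policies below are ignored and the
-- anon role used by the frontend key can read every row through the API.
alter table profiles enable row level security;

-- Weak setting, shown for contrast only: every row readable by anyone who holds
-- the anon key. This is the "overly broad" access the page describes removing.
-- create policy "profiles are public" on profiles
--   for select using (true);

-- Corrected read rule. auth.uid() is Supabase's helper returning the caller's
-- user id from the JWT; it is null for unauthenticated (anon) requests, so an
-- anonymous client only ever matches the is_public branch.
create policy "read own or public profiles" on profiles
  for select
  using (is_public or user_id = auth.uid());

-- Writes are allowed only on the caller's own row; the WITH CHECK clause stops
-- an update from re-pointing a row at another user_id.
create policy "update own profile" on profiles
  for update
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

-- RLS is row-granular, so a public row would still expose its phone column.
-- Expose the public subset through a view that omits sensitive fields;
-- security_invoker makes the view honour the caller's RLS instead of the
-- view owner's privileges.
create view public_profiles
  with (security_invoker = true) as
  select user_id, display_name
  from profiles
  where is_public;

-- Sanity check to run as the anon role (e.g. via a SET ROLE in a test session):
-- the first query returns only public rows, the second must fail.
-- select * from public_profiles;
-- select phone from profiles;
```

Supabase's Security Advisor, mentioned later on this page, is the place to confirm that no table reachable through the API is left with RLS disabled or with a `using (true)` policy.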
Account and password security
The account system is built on Supabase Auth.
Developers cannot see your plaintext password. Password storage and verification are handled by the authentication system.
Frontend key handling
The app frontend uses only a restricted anonymous access key (Anon Key) to connect to the backend.
High-privilege service keys are not embedded in frontend code or bundled into the app.
Security checks
We use third-party tools and platform features to check for common security issues, for example:
- Supabase Security Advisor to review database, RLS, and storage access settings.
- Dependency security scanning to detect known issues in third-party packages.
- Code scanning tools to look for common security mistakes and misconfigurations.
- Secret scanning to confirm that high-privilege keys or sensitive environment variables were not committed by mistake.
Latest dependency security check (May 5, 2026, version 1.3.0)
We completed a frontend dependency security review and updated or tightened the packages involved in the high-risk and medium-risk findings from this round.
The current result is: Critical 0 / High 0 / Moderate 0 / Low 0.
The current Yarn Audit report shows no dependency vulnerabilities.
After the dependency updates, we completed install, lint, automated tests, and Expo Doctor verification. The remaining Expo Doctor note is an Expo SDK patch-version upgrade recommendation and was not introduced by this security fix.
Check tool: Yarn Audit. The raw report is available for download.
Latest secret scanning result (May 5, 2026, version 1.3.0)
We also ran gitleaks to scan the currently version-controlled source files for accidentally committed secrets.
The current result is: 0 findings.
This scan covered only the current Git-tracked source files. It did not include Git history or locally generated build files.
Check tool: gitleaks. The raw report is available for download.
Latest code security scan (May 5, 2026, version 1.3.0)
We also used Semgrep to run a static security scan on the currently version-controlled frontend source files.
The current result is: 0 findings.
This scan was rerun after a type-only syntax cleanup. The current result contains no security findings and no parsing warnings.
Check tool: Semgrep. The raw report is available for download.
Latest mobile security check (May 5, 2026, version 1.3.0)
We used MobSF to run static security analysis on the iOS and Android packages for MapSpoto.
The iOS result was: 64/100 (Low Risk), with no High-risk findings. App Transport Security and location permission settings were rechecked.
The Android result was: 55/100 (Medium Risk). The Android minimum supported version has been raised to Android 10 (API 29), and the signing check passed.
Two remaining static findings have been reviewed and accepted: Android WebView debugging is reported against static code in the third-party react-native-webview library; the app's business WebView explicitly sets webviewDebuggingEnabled={false}, and the Release build does not enable android:debuggable, so this is treated as a static false positive / accepted risk. iOS Debug Symbols are still reported for the main binary and Hermes framework; this does not expose user data or grant additional permissions, but may make reverse engineering easier, so it is recorded as an accepted risk while we continue to improve the build pipeline.
Check tool: MobSF. The raw reports are available for download.
Recent improvement areas
- Tightening public profile fields to reduce unnecessary exposure of personal information.
- Removing overly broad public storage access so that entire buckets cannot be listed publicly.
- Simplifying profile completeness rules so that contact details and similar sensitive fields are not treated as required profile signals.
Scope and limits
We will keep improving security settings and product logic, but we do not claim the app is “absolutely secure.”
Security is an ongoing process. If we find new problems, we will continue to fix and tighten them.