feat: Add Supabase credential detection and security analysis#1

Open
chukfinley wants to merge 10 commits into tusharonly:main from chukfinley:main

Conversation

@chukfinley

@chukfinley chukfinley commented Jan 12, 2026

Summary

  • Supabase Credential Detection: Automatically detects Supabase project URLs and keys embedded in APK files
  • Security Analysis: Tests found credentials against Supabase Storage API to identify exposed buckets
  • Enhanced UI: New results page for displaying Supabase findings with actionable insights
  • Share Functionality: Added ability to share analysis results via share_plus
  • Settings Improvements: New settings service for app configuration

Key Features

Supabase Key Detection (Both Formats!)

  • New format: sb_publishable_xxx or sb_secret_xxx (always detected)
  • Old JWT format: eyJhbG... (validated to ensure it's actually Supabase)

Smart JWT Validation

Unlike Firebase keys (which have unique AIza prefix), JWT tokens are used by many services. We now decode the JWT payload and check for Supabase-specific fields:

  • "iss" containing "supabase"
  • "role": "anon" / "authenticated" / "service_role"

This eliminates false positives from Auth0, Firebase Auth, Stripe, etc.

Flutter App Support

  • Scans .so native library files where Flutter stores compiled strings
  • Works with both native Android and Flutter apps

Changes

New Files

  • lib/src/services/supabase_service.dart - Credential validation and bucket enumeration
  • lib/src/pages/supabase_results_page.dart - UI for Supabase analysis results
  • lib/src/services/settings_service.dart - App settings management

Modified Files

  • Enhanced APK analyzer with Supabase detection
  • Improved app tile widget with expanded functionality
  • Updated settings page with new options
  • Added share_plus dependency

Test Plan

  • Detect Supabase in Flutter apps (tested with Chuck.Chat)
  • Support both old JWT and new sb_publishable key formats
  • Validate JWTs to filter out non-Supabase tokens
  • Security check identifies vulnerable Supabase instances
  • Test bucket accessibility checks on vulnerable apps

🤖 Generated with Claude Code
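The JWT validation described in the summary above, as an added example that is not part of this PR or the project's Dart code: a Python sketch of the same classification logic, covering both key formats. It assumes project URLs look like `https://<ref>.supabase.co`, that new-style keys begin with `sb_publishable_` or `sb_secret_`, and that the Supabase roles are the three named in the summary. Every sample string is constructed and none is a real credential; the helper `make_unsigned_jwt` exists only to build those samples.

```python
"""Classify Supabase credential candidates pulled out of an APK (constructed example)."""
import base64
import json
import re

# Patterns for the three artefacts the scanner looks for: project URL,
# new-style keys, and JWT-shaped tokens. Assumption: project URLs are *.supabase.co.
URL_RE = re.compile(r"https://[a-z0-9-]+\.supabase\.co\b")
NEW_KEY_RE = re.compile(r"\bsb_(?:publishable|secret)_[A-Za-z0-9_-]+")
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
SUPABASE_ROLES = {"anon", "authenticated", "service_role"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str):
    """Return the JWT payload as a dict, or None if the token is not well-formed.

    The signature is deliberately not checked: a scanner has no key material,
    so classification rests on the claims alone.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    return payload if isinstance(payload, dict) else None


def classify_key(candidate: str):
    """Label a candidate as a Supabase key, or return None for a non-Supabase token."""
    if candidate.startswith("sb_publishable_"):
        return "sb_publishable"
    if candidate.startswith("sb_secret_"):
        return "sb_secret"
    payload = decode_jwt_payload(candidate)
    if payload is None:
        return None
    issuer = str(payload.get("iss", "")).lower()
    role = payload.get("role")
    if not isinstance(role, str):
        role = None
    # Supabase-specific claims: issuer mentions supabase, or role is one of its fixed roles.
    if "supabase" not in issuer and role not in SUPABASE_ROLES:
        return None
    return f"jwt:{role if role in SUPABASE_ROLES else 'unknown'}"


def find_supabase_credentials(strings):
    """Scan extracted strings and return deduplicated project URLs and labelled keys."""
    urls, keys, seen = [], [], set()
    for text in strings:
        for url in URL_RE.findall(text):
            if url not in seen:
                seen.add(url)
                urls.append(url)
        for key in NEW_KEY_RE.findall(text) + JWT_RE.findall(text):
            label = classify_key(key)
            if label is not None and key not in seen:
                seen.add(key)
                keys.append((label, key))
    return {"urls": urls, "keys": keys}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(payload: dict) -> str:
    """Build a JWT-shaped string with a dummy signature (for constructing samples only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}.FAKESIGNATURE"


# Constructed sample strings, shaped like what a scanner pulls from resources or
# a Flutter libapp.so. None are real credentials; the project ref is a placeholder.
SAMPLE_STRINGS = [
    "SUPABASE_URL=https://abcdefghijklmnopqrst.supabase.co",
    "SUPABASE_ANON_KEY=" + make_unsigned_jwt(
        {"iss": "supabase", "ref": "abcdefghijklmnopqrst", "role": "anon"}),
    "auth0 token " + make_unsigned_jwt(
        {"iss": "https://example.auth0.com/", "sub": "auth0|123"}),  # must be rejected
    "garbage eyJhbGciOiJIUzI1NiJ9.bm90anNvbg.sig",  # JWT-shaped but payload is not JSON
    "new style sb_publishable_constructedExample123",
]

if __name__ == "__main__":
    print(json.dumps(find_supabase_credentials(SAMPLE_STRINGS), indent=2))
```

The caveat a reviewer should keep in mind: because the signature is never verified, any JWT whose payload happens to carry `"role": "anon"` would be labelled a Supabase key, so the classifier lowers the false-positive rate against Auth0- or Firebase-style tokens without eliminating it. That is the inherent limit of claim-based classification, which is why the PR still requires both a URL and a key before running any check.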

chukfinley and others added 4 commits January 12, 2026 12:21
- Add SupabaseService for detecting Supabase project URLs and anon keys in APKs
- Add SupabaseResultsPage to display found credentials and test bucket access
- Add SettingsService for app configuration
- Add share_plus for sharing analysis results
- Enhanced APK analyzer to extract and validate Supabase credentials
- Improved app_tile widget with expanded functionality
- Updated settings page with new configuration options

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Scan .so files where Flutter stores compiled strings (libapp.so)
- Detect Supabase if URL OR key found (not just when both present)
- Security check still requires both URL and key to run tests

This fixes detection for Flutter apps like Chuck.Chat that use Supabase
but weren't being detected because their credentials are in native libs.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Supabase changed their key format from JWT (eyJ...) to a new format:
- Old: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ...
- New: sb_publishable_xxx or sb_secret_xxx

Now detects both formats for backwards compatibility.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Decode JWT payload and check for Supabase-specific fields
- Only match JWTs with "iss" containing "supabase" or role fields
- This eliminates false positives from other services (Auth0, Firebase Auth, etc.)
- Updated UI labels for consistency

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@tusharonly
Owner

Thanks for this. Give me some time; I'll review and merge if everything looks good.

@tusharonly
Owner

Could you please also update the README file?

- Updated title to reflect Firebase & Supabase scanning
- Added Supabase detection features section
- Documented Flutter app support (.so file scanning)
- Added smart JWT validation description
- Updated filtering options
- Added bug bounty hunters use case

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@tusharonly
Owner

I tested your code locally. The Firebase remote config logic works perfectly with your Supabase logic, but I don't have any Supabase app that has its config exposed. Can you share some apps that are vulnerable so that I can install them on my device and have the code tested?

chukfinley and others added 5 commits January 12, 2026 16:05
UI Improvements:
- Added search functionality (search icon in app bar)
- Changed to manual scan mode - users must press "Start Scan" button
- Show scan prompt with app count before scanning
- Search works on app name and package ID
- Search results update in real-time

This gives users more control and makes it easier to find specific apps
in large app lists.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Expanded common table names list from 20 to 55+ names
- Added security-sensitive table names (secrets, credentials, etc.)
- Implemented PostgREST OpenAPI schema discovery
- Automatically discovers tables from the API schema endpoint
- Falls back to common table names if schema discovery fails

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Unified UI design with List/Table/JSON view modes (matching Firebase)
- SegmentedButton view switcher for consistent navigation
- Display Project URL and Anon Key as info cards
- Exposed tables, buckets, and files shown as finding cards
- Expandable cards for large data with expand/collapse
- Bottom sheet detail view on long press
- Share and copy buttons in app bar
- JSON view with dark theme code block
- Table view with Type/Name/Details columns
- All findings color-coded by type (table=purple, bucket=orange, file=blue)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added Schema Discovery feature for Supabase
- Added unified UI for List/Table/JSON views
- Added Search functionality
- Added Manual Scan Mode

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added Overview tab with category-based display (credentials, stats, tables, buckets, files)
- List view shows all findings as unified cards
- Table view shows data in a spreadsheet format
- JSON view shows raw data with dark theme
- All views have copy/share functionality
- Expandable cards for sample data preview

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@chukfinley
Author

Supabase Security Detection - Complete Implementation

Hey @tusharonly! This PR adds comprehensive Supabase security scanning alongside the existing Firebase functionality.

Note: This entire PR was implemented by Claude Code (AI coding assistant). The human developer (@chukfinley) provided direction and testing.


Features Added

Supabase Credential Detection:

  • Extracts project URLs (*.supabase.co) and API keys from APKs
  • Supports both JWT format (eyJ...) and new format (sb_publishable_...)
  • Smart JWT validation to filter out non-Supabase tokens (Auth0, Firebase Auth, etc.)
  • Scans Flutter native libraries (.so files) where compiled strings are stored

Security Analysis:

  • Detects exposed database tables (55+ common table names + dynamic schema discovery)
  • Finds public storage buckets
  • Lists exposed storage objects
  • PostgREST OpenAPI schema introspection for automatic table discovery

UI Improvements:

  • Search bar to find apps by name
  • Manual scan mode - "Start Scan" button instead of auto-scan
  • Supabase results page with 4 view modes:
    • Overview: Category-based display with credentials, stats, tables, buckets, files
    • List: Unified card view of all findings
    • Table: Spreadsheet-style data view
    • JSON: Raw data with dark theme code block
  • All views support copy/share functionality

Test App Available

I created an intentionally insecure Flutter app for testing:

The Supabase instance has:

  • 3 exposed tables (test_secrets, users_exposed, app_config)
  • 3 public buckets (public-uploads, user-documents, backups)
  • RLS policies allowing anonymous full access

README Updated

Added documentation for all new Supabase features, search functionality, and manual scan mode.


Generated by Claude Opus 4.5 via Claude Code
