Security Scanner for FlutterFlow Apps
FlutterFlow generates Flutter apps for web and mobile, typically backed by Firebase or Supabase. The client code is only half the story: the Firebase or Supabase project config ships inside the web bundle and is public by design, so open Firestore security rules or tables without RLS policies expose your data to anyone who reads that config out of the bundle. SimplyScan tests your deployed web app and the backend exposure reachable from it.
Top Vulnerabilities in FlutterFlow Apps
- Open Firestore Security Rules · Wide-open rules (allow read, write: if true, or test-mode rules whose expiry date keeps getting pushed back instead of being replaced) regularly reach production, making the entire database readable and writable by anyone who extracts your public Firebase config from the web bundle.
- Missing Supabase RLS · FlutterFlow's Supabase integration ships the anon key in the client; any table without Row Level Security enabled is fully readable and writable with that key. Enabling RLS with no policies blocks every request, so each table needs explicit policies, not just the toggle.
- API Keys in Custom Actions · Custom code actions frequently embed third-party API keys, which ship in the compiled web bundle where anyone can extract them. A key that must stay secret belongs behind a server-side function the app calls, never in client code.
- Unvalidated Client Writes · Apps that write directly to Firestore or Supabase from the client, without validation rules, let attackers forge any field: roles, prices, flags. Checking only that the caller is signed in is not enough, since anyone can create an account; rules must also constrain which fields a user may write and to what values.
- Missing Web Security Headers · FlutterFlow web deployments typically lack Content-Security-Policy, X-Frame-Options, and Strict-Transport-Security unless you configure them on the hosting side (for example the headers section of firebase.json on Firebase Hosting, or your CDN).
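As an added example (not SimplyScan's scanner code, and not anything FlutterFlow generates), the Node.js script below shows what the checks above amount to in practice, using only what an attacker already has: the public project config and the served bundle. It assumes Node 18+ for global fetch; the project IDs, keys, collection and table names, the sample responses and the fake bundle are constructed placeholders, and the secret-key patterns are illustrative rather than a complete list. The classification functions are kept separate from the HTTP wrappers so they can be exercised offline.

```javascript
// Added example, not SimplyScan's or FlutterFlow's code. Assumes Node 18+ (global
// fetch, Buffer). The classify*/check* functions are pure so they can be exercised
// offline against constructed responses; the probe* wrappers do the live requests.

// 1. Firestore: unauthenticated REST read. Rules run with request.auth == null, so a
//    200 means the rules allow anonymous reads; 403 means they held.
function classifyFirestoreRead(status, body) {
  if (status === 200) {
    const n = Array.isArray(body && body.documents) ? body.documents.length : 0;
    return { open: true, documents: n }; // still open even if the collection is empty
  }
  if (status === 403) return { open: false, reason: "PERMISSION_DENIED" };
  return { open: false, reason: `HTTP ${status}` };
}

async function probeFirestore(projectId, collection) {
  const url = `https://firestore.googleapis.com/v1/projects/${projectId}` +
    `/databases/(default)/documents/${collection}?pageSize=1`;
  const res = await fetch(url);
  return classifyFirestoreRead(res.status, await res.json().catch(() => ({})));
}

// 2. Supabase: PostgREST select with nothing but the anon key. Rows back means the
//    table has no RLS (or a permissive policy). An empty array is ambiguous from the
//    outside: RLS with no matching policy and an empty table both return [].
function classifySupabaseRead(status, body) {
  if (status !== 200) return { exposed: false, reason: `HTTP ${status}` };
  if (!Array.isArray(body)) return { exposed: false, reason: "unexpected body" };
  if (body.length === 0) return { exposed: false, reason: "empty: RLS or empty table" };
  return { exposed: true, rows: body.length, columns: Object.keys(body[0]) };
}

async function probeSupabase(projectRef, anonKey, table) {
  const url = `https://${projectRef}.supabase.co/rest/v1/${table}?select=*&limit=1`;
  const headers = { apikey: anonKey, Authorization: `Bearer ${anonKey}` };
  const res = await fetch(url, { headers });
  return classifySupabaseRead(res.status, await res.json().catch(() => null));
}

// 3. Web security headers. Names are case-insensitive; a CSP with frame-ancestors
//    makes X-Frame-Options redundant, so either counts as clickjacking protection.
function checkSecurityHeaders(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const csp = h["content-security-policy"] || "";
  const missing = [];
  if (!csp) missing.push("Content-Security-Policy");
  if (!/frame-ancestors/i.test(csp) && !("x-frame-options" in h)) missing.push("X-Frame-Options");
  if (!("strict-transport-security" in h)) missing.push("Strict-Transport-Security");
  return missing;
}

// 4. Secrets in the compiled bundle (main.dart.js). The Firebase web API key and the
//    Supabase anon key are public by design and are not reported. A Supabase
//    service_role JWT (it bypasses RLS) or a Stripe live secret key must never ship.
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
const STRIPE_LIVE_RE = /sk_live_[0-9A-Za-z]{24,}/g; // illustrative key shape

function jwtRole(token) {
  try {
    const payload = Buffer.from(token.split(".")[1], "base64url").toString("utf8");
    return JSON.parse(payload).role || null;
  } catch {
    return null; // not a JWT we can read
  }
}

function findBundleSecrets(bundleText) {
  const redact = (s) => s.slice(0, 12) + "...";
  const findings = [];
  for (const tok of bundleText.match(JWT_RE) || []) {
    if (jwtRole(tok) === "service_role") {
      findings.push({ kind: "supabase_service_role_key", sample: redact(tok) });
    }
  }
  for (const key of bundleText.match(STRIPE_LIVE_RE) || []) {
    findings.push({ kind: "stripe_secret_key", sample: redact(key) });
  }
  return findings;
}

// Constructed offline demo: fake responses and a fake bundle, nothing is fetched.
function makeJwt(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "HS256", typ: "JWT" })}.${b64(payload)}.c2ln`;
}

function runOfflineDemo() {
  const bundle = `var k="${makeJwt({ role: "service_role" })}";` +
    `var a="${makeJwt({ role: "anon" })}";var p="sk_live_${"x".repeat(24)}";`;
  return {
    firestore: classifyFirestoreRead(200, { documents: [{ name: "users/u1" }] }),
    supabase: classifySupabaseRead(200, [{ id: 1, email: "a@example.com", role: "admin" }]),
    headers: checkSecurityHeaders({ "Content-Type": "text/html; charset=utf-8" }),
    bundle: findBundleSecrets(bundle),
  };
}

console.log(JSON.stringify(runOfflineDemo(), null, 2));
```

Run it as-is for the offline demo, or call probeFirestore and probeSupabase against a project you are authorised to test. The probes are read-only on purpose: a write probe against production would be a live data modification, so write exposure is better judged by reading the rules and policies themselves. The Supabase check also illustrates the caveat from the list above: an empty array proves nothing either way, so a table that returns [] still needs its policies reviewed.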
How SimplyScan Helps
- 51+ automated security and speed checks
- GitHub repository scanning for source-level issues
- Actionable fix guidance with severity ratings
- Downloadable PDF reports
Scan your FlutterFlow app free →