mobile-security
Mobile application security skill for implementing OWASP MASVS compliance, secure storage, certificate pinning, biometric authentication, and security hardening across iOS and Android platforms.
509 stars
bya5c-ai
Best use case
mobile-security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Mobile application security skill for implementing OWASP MASVS compliance, secure storage, certificate pinning, biometric authentication, and security hardening across iOS and Android platforms.
Teams using mobile-security should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
$curl -o ~/.claude/skills/mobile-security/SKILL.md --create-dirs "https://raw.githubusercontent.com/a5c-ai/babysitter/main/library/specializations/mobile-development/skills/mobile-security/SKILL.md"
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/mobile-security/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How mobile-security Compares
| Feature / Agent | mobile-security | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Mobile application security skill for implementing OWASP MASVS compliance, secure storage, certificate pinning, biometric authentication, and security hardening across iOS and Android platforms.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Mobile Security Skill
Comprehensive mobile application security implementation for iOS and Android platforms, covering OWASP Mobile Security guidelines, secure storage, authentication, and security hardening.
## Overview
This skill provides capabilities for implementing mobile security best practices, including secure data storage, network security, authentication mechanisms, and compliance with OWASP Mobile Application Security Verification Standard (MASVS).
## Capabilities
### Secure Storage Implementation
- Configure iOS Keychain Services for sensitive data
- Set up Android Keystore for cryptographic operations
- Implement encrypted SharedPreferences/UserDefaults
- Manage secure key generation and storage
- Handle secure credential management
### Certificate Pinning
- Implement TrustKit for iOS certificate pinning
- Configure OkHttp CertificatePinner for Android
- Set up Network Security Config (Android)
- Configure App Transport Security (iOS)
- Validate and rotate pinned certificates
### Biometric Authentication
- Implement Face ID and Touch ID for iOS
- Configure Fingerprint/BiometricPrompt for Android
- Handle fallback authentication mechanisms
- Manage biometric enrollment states
- Secure biometric-protected keychain/keystore items
### Security Hardening
- Implement jailbreak/root detection
- Configure code obfuscation (ProGuard/R8, Swiftshield)
- Set up anti-tampering mechanisms
- Implement runtime integrity checks
- Configure secure debugging settings
### OWASP MASVS Compliance
- Audit against MASVS Level 1 and Level 2
- Generate compliance checklists
- Identify security vulnerabilities
- Recommend remediation strategies
- Document security controls
## Prerequisites
### iOS Development
```bash
# TrustKit for certificate pinning
pod 'TrustKit'
# Keychain wrapper
pod 'KeychainAccess'
```
### Android Development
```groovy
// build.gradle
dependencies {
implementation 'androidx.security:security-crypto:1.1.0-alpha06'
implementation 'androidx.biometric:biometric:1.1.0'
}
```
### Security Tools
```bash
# OWASP Mobile Security Testing Guide tools
pip install objection
brew install frida-tools
```
## Usage Patterns
### iOS Keychain Storage
```swift
import Security
class KeychainManager {
static func save(key: String, data: Data) -> Bool {
let query: [String: Any] = [
kSecClass as String: kSecClassGenericPassword,
kSecAttrAccount as String: key,
kSecValueData as String: data,
kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly
]
SecItemDelete(query as CFDictionary)
let status = SecItemAdd(query as CFDictionary, nil)
return status == errSecSuccess
}
static func load(key: String) -> Data? {
let query: [String: Any] = [
kSecClass as String: kSecClassGenericPassword,
kSecAttrAccount as String: key,
kSecReturnData as String: true,
kSecMatchLimit as String: kSecMatchLimitOne
]
var result: AnyObject?
let status = SecItemCopyMatching(query as CFDictionary, &result)
return status == errSecSuccess ? result as? Data : nil
}
}
```
### Android EncryptedSharedPreferences
```kotlin
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
class SecureStorage(context: Context) {
private val masterKey = MasterKey.Builder(context)
.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
.build()
private val sharedPreferences = EncryptedSharedPreferences.create(
context,
"secure_prefs",
masterKey,
EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
)
fun saveToken(token: String) {
sharedPreferences.edit().putString("auth_token", token).apply()
}
fun getToken(): String? {
return sharedPreferences.getString("auth_token", null)
}
}
```
### Certificate Pinning (iOS - TrustKit)
```swift
import TrustKit
class NetworkSecurityManager {
static func configurePinning() {
let trustKitConfig: [String: Any] = [
kTSKSwizzleNetworkDelegates: false,
kTSKPinnedDomains: [
"api.example.com": [
kTSKEnforcePinning: true,
kTSKIncludeSubdomains: true,
kTSKExpirationDate: "2027-01-01",
kTSKPublicKeyHashes: [
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="
]
]
]
]
TrustKit.initSharedInstance(withConfiguration: trustKitConfig)
}
}
```
### Certificate Pinning (Android - OkHttp)
```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
val certificatePinner = CertificatePinner.Builder()
.add("api.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
.add("api.example.com", "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=")
.build()
val client = OkHttpClient.Builder()
.certificatePinner(certificatePinner)
.build()
```
### Biometric Authentication (iOS)
```swift
import LocalAuthentication
class BiometricAuth {
func authenticate(completion: @escaping (Bool, Error?) -> Void) {
let context = LAContext()
var error: NSError?
if context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) {
context.evaluatePolicy(
.deviceOwnerAuthenticationWithBiometrics,
localizedReason: "Authenticate to access secure data"
) { success, error in
DispatchQueue.main.async {
completion(success, error)
}
}
} else {
completion(false, error)
}
}
}
```
### Biometric Authentication (Android)
```kotlin
import androidx.biometric.BiometricPrompt
import androidx.fragment.app.FragmentActivity
class BiometricAuth(private val activity: FragmentActivity) {
fun authenticate(onSuccess: () -> Unit, onError: (String) -> Unit) {
val executor = ContextCompat.getMainExecutor(activity)
val biometricPrompt = BiometricPrompt(activity, executor,
object : BiometricPrompt.AuthenticationCallback() {
override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
onSuccess()
}
override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
onError(errString.toString())
}
})
val promptInfo = BiometricPrompt.PromptInfo.Builder()
.setTitle("Biometric Authentication")
.setSubtitle("Authenticate to access secure data")
.setNegativeButtonText("Cancel")
.build()
biometricPrompt.authenticate(promptInfo)
}
}
```
## Integration with Babysitter SDK
### Task Definition Example
```javascript
const mobileSecurityTask = defineTask({
name: 'mobile-security-implementation',
description: 'Implement mobile security controls',
inputs: {
platform: { type: 'string', required: true, enum: ['ios', 'android', 'both'] },
securityLevel: { type: 'string', required: true, enum: ['L1', 'L2'] },
features: { type: 'array', items: { type: 'string' } },
projectPath: { type: 'string', required: true }
},
outputs: {
implementedControls: { type: 'array' },
complianceReport: { type: 'object' },
securityAuditPath: { type: 'string' }
},
async run(inputs, taskCtx) {
return {
kind: 'skill',
title: `Implement ${inputs.securityLevel} security for ${inputs.platform}`,
skill: {
name: 'mobile-security',
context: {
operation: 'implement_security',
platform: inputs.platform,
securityLevel: inputs.securityLevel,
features: inputs.features,
projectPath: inputs.projectPath
}
},
io: {
inputJsonPath: `tasks/${taskCtx.effectId}/input.json`,
outputJsonPath: `tasks/${taskCtx.effectId}/result.json`
}
};
}
});
```
## MCP Server Integration
### Using owasp-mobile-security-checker
```json
{
"mcpServers": {
"owasp-mobile": {
"command": "npx",
"args": ["owasp-mobile-security-checker"],
"env": {
"PROJECT_PATH": "/path/to/mobile/project"
}
}
}
}
```
### Available MCP Tools
- `owasp_scan_ios` - Scan iOS project for OWASP vulnerabilities
- `owasp_scan_android` - Scan Android project for OWASP vulnerabilities
- `check_keychain_usage` - Validate iOS Keychain implementation
- `check_keystore_usage` - Validate Android Keystore implementation
- `validate_certificate_pinning` - Check certificate pinning configuration
- `audit_biometric_auth` - Audit biometric authentication implementation
## OWASP MASVS Checklist
### Storage (MASVS-STORAGE)
- [ ] Sensitive data not stored in plaintext
- [ ] Sensitive data not in app logs
- [ ] Sensitive data not shared with third parties
- [ ] Keyboard cache disabled for sensitive inputs
- [ ] Clipboard disabled for sensitive data
- [ ] Sensitive data excluded from backups
### Cryptography (MASVS-CRYPTO)
- [ ] Strong cryptographic algorithms used
- [ ] Cryptographic keys properly managed
- [ ] Random number generation secure
- [ ] No deprecated crypto functions
### Authentication (MASVS-AUTH)
- [ ] Biometric authentication properly implemented
- [ ] Session management secure
- [ ] Password policies enforced
- [ ] Multi-factor authentication available
### Network (MASVS-NETWORK)
- [ ] TLS used for all connections
- [ ] Certificate pinning implemented
- [ ] Certificate validation not bypassed
- [ ] ATS/Network Security Config properly configured
### Platform (MASVS-PLATFORM)
- [ ] WebView properly configured
- [ ] Deep links validated
- [ ] IPC mechanisms secured
- [ ] Screenshots prevented for sensitive screens
### Code Quality (MASVS-CODE)
- [ ] Code obfuscation enabled
- [ ] Debugging disabled in release
- [ ] Root/jailbreak detection implemented
- [ ] Anti-tampering measures in place
## Best Practices
1. **Defense in Depth**: Layer multiple security controls
2. **Secure by Default**: Default to most secure configuration
3. **Least Privilege**: Request only necessary permissions
4. **Data Minimization**: Store only essential sensitive data
5. **Regular Audits**: Continuously assess security posture
6. **Key Rotation**: Implement certificate and key rotation plans
## References
- [OWASP Mobile Security Testing Guide](https://owasp.org/www-project-mobile-security-testing-guide/)
- [OWASP MASVS](https://mas.owasp.org/MASVS/)
- [Apple Security Documentation](https://developer.apple.com/documentation/security)
- [Android Security Best Practices](https://developer.android.com/topic/security/best-practices)
- [TrustKit iOS](https://github.com/datatheorem/TrustKit)
- [owasp-mobile-security-checker](https://claude-plugins.dev/skills/@Harishwarrior/flutter-claude-skills/owasp-mobile-security-checker)Related Skills
web-security
509
from a5c-ai/babysitter
OWASP Top 10, security headers, CSP, XSS prevention, and vulnerability prevention.
security-scanner
509
from a5c-ai/babysitter
Run security scans including SAST, dependency scanning, and secret detection
security-sandbox
509
from a5c-ai/babysitter
Isolated analysis environment management for malware and exploit testing. Create and manage isolated VMs, configure Cuckoo Sandbox, set up REMnux/FlareVM environments, manage Docker-based analysis containers, and capture filesystem and process changes.
Offensive Security Skill
509
from a5c-ai/babysitter
Offensive security tools and techniques integration
hardware-security
509
from a5c-ai/babysitter
Hardware and embedded security research capabilities. Interface with JTAG debuggers, analyze SPI/I2C communications, dump and analyze firmware, support fault injection, side-channel analysis, and hardware exploitation research.
cloud-security-testing
509
from a5c-ai/babysitter
Multi-cloud security assessment and penetration testing capabilities. Execute Prowler/ScoutSuite assessments, analyze IAM policies, identify cloud misconfigurations, test permissions, and enumerate cloud resources across AWS/GCP/Azure.
Burp Suite/Web Security Skill
509
from a5c-ai/babysitter
Web application security testing with Burp Suite integration
aiml-security
509
from a5c-ai/babysitter
AI/ML model security testing and adversarial research capabilities. Generate adversarial examples, test model robustness, perform model extraction attacks, test for data poisoning, analyze model fairness, and support ART framework integration.
vendor-security-questionnaire
509
from a5c-ai/babysitter
Automated vendor security assessment through questionnaire generation, response parsing, and risk scoring
owasp-security-scanner
509
from a5c-ai/babysitter
Automated OWASP Top 10 vulnerability detection and assessment. Run OWASP ZAP automated scans, detect injection vulnerabilities, identify broken authentication patterns, check for sensitive data exposure, analyze security misconfigurations, and generate OWASP-compliant reports.
multi-cloud-security-posture
509
from a5c-ai/babysitter
Unified cloud security posture management across AWS, Azure, and GCP with normalized metrics and CIS benchmark comparison
iac-security-scanner
509
from a5c-ai/babysitter
Infrastructure as Code security scanning and policy enforcement for Terraform, CloudFormation, Kubernetes, and Pulumi