AI Agent Skill HUB

mobile-security-expert

移动安全漏洞挖掘知识库,基于HackerOne公开报告提供Android和iOS应用的漏洞挖掘手法、技术细节和代码模式分析;用于安全研究人员和漏洞挖掘者学习参考、代码审计和漏洞检测指导。

16 stars
bydiegosouzapw
View on GitHubInstallation ↓

Best use case

mobile-security-expert is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

移动安全漏洞挖掘知识库,基于HackerOne公开报告提供Android和iOS应用的漏洞挖掘手法、技术细节和代码模式分析;用于安全研究人员和漏洞挖掘者学习参考、代码审计和漏洞检测指导。

Teams using mobile-security-expert should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/mobile-security-expert/SKILL.md --create-dirs "https://raw.githubusercontent.com/diegosouzapw/awesome-omni-skill/main/skills/development/mobile-security-expert/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/mobile-security-expert/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How mobile-security-expert Compares

Feature / Agentmobile-security-expertStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

移动安全漏洞挖掘知识库,基于HackerOne公开报告提供Android和iOS应用的漏洞挖掘手法、技术细节和代码模式分析;用于安全研究人员和漏洞挖掘者学习参考、代码审计和漏洞检测指导。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 移动安全漏洞挖掘知识库

## 任务目标
- 本 Skill 用于:基于 HackerOne 公开报告的移动安全漏洞挖掘指导与知识查询
- 能力包含:
  - Android 漏洞挖掘指导(业务逻辑缺陷、组件安全、数据存储、权限绕过等)
  - iOS 漏洞挖掘指导(URL Scheme、Deep Link、数据保护、API 安全等)
  - 漏洞案例查询和分析(真实报告手法总结)
  - 代码模式识别和漏洞检测(对比已知漏洞模式)
  - 挖掘工具使用指导(Drozer、Frida、Burp Suite 等)
- 触发条件:用户询问移动应用安全、漏洞挖掘方法、代码审计、HackerOne 案例分析等

## 操作步骤

### 标准流程

1. **需求识别与场景匹配**
   - 确定目标平台(Android/iOS)或跨平台
   - 识别漏洞类型(业务逻辑、组件安全、数据保护等)
   - 确定查询意图(学习指导、代码审计、案例参考)

2. **知识检索**
   - Android 相关:读取 [android.md](android.md),根据关键词定位相关案例
   - iOS 相关:读取 [ios.md](ios.md),根据关键词定位相关案例
   - 提取案例中的"挖掘手法"、"技术细节"、"易出现漏洞的代码模式"三部分

3. **分析与指导**
   - **挖掘手法指导**:根据案例中的详细步骤,为用户提供可操作的挖掘流程
   - **技术细节讲解**:解释漏洞的成因、利用方式和关键技术点
   - **代码模式识别**:对比用户提供的代码与已知的漏洞模式,指出潜在风险
   - **工具使用建议**:根据案例需要,推荐并指导使用相关安全测试工具

4. **输出组织**
   - 针对性回答用户问题,避免堆砌无关案例
   - 提供具体可执行的步骤和命令
   - 包含真实案例链接供深入参考
   - 如涉及代码分析,明确指出漏洞位置和修复建议

### 典型场景处理

**场景 A:如何挖掘特定类型漏洞**
- 查询相关文档,提取对应漏洞类型的案例
- 总结该类漏洞的通用挖掘思路和关键点
- 提供详细的步骤指导和工具使用方法

**场景 B:代码审计和漏洞检测**
- 读取文档中对应的"易出现漏洞的代码模式"
- 对比用户代码,识别相似模式
- 提供具体的漏洞点和修复建议

**场景 C:HackerOne 案例分析**
- 根据报告 URL 或漏洞名称,定位文档中的对应案例
- 总结该案例的核心挖掘手法和技术亮点
- 分析该手法在其他场景的可复用性

**场景 D:学习移动安全知识**
- 按平台和漏洞类型系统性地提供案例索引
- 从简单到复杂,推荐学习路径
- 强调实战经验和技巧

## 资源索引

### 核心参考资料
- **Android 漏洞知识库**:[android.md](android.md)
  - 内容:基于 100+ HackerOne 报告的 Android 漏洞案例
  - 用途:Android 应用漏洞挖掘指导、代码模式参考
  - 覆盖类型:业务逻辑缺陷、组件安全、数据存储、权限绕过、API 安全等

- **iOS 漏洞知识库**:[ios.md](ios.md)
  - 内容:基于 100+ HackerOne 报告的 iOS 漏洞案例
  - 用途:iOS 应用漏洞挖掘指导、代码模式参考
  - 覆盖类型:URL Scheme 处理、Deep Link 安全、数据保护、API 安全等

### 参考文档结构
每个案例包含三个核心部分:
1. **挖掘手法**:漏洞发现的具体步骤、工具使用、分析思路
2. **技术细节**:攻击流程、Payload 构造、关键技术点
3. **易出现漏洞的代码模式**:漏洞代码示例和修复建议

## 注意事项

- **上下文控制**:根据具体问题选择性阅读相关章节,避免一次性加载整个文档
- **实战导向**:重点提供可操作的挖掘步骤和工具使用方法,而非理论讲解
- **安全合规**:所有挖掘手法仅用于授权的安全测试和学习研究
- **案例真实性**:所有案例均来自 HackerOne 公开报告,附有原始报告链接
- **代码安全**:在分析用户代码时,仅识别漏洞模式,不执行代码本身

## 使用示例

### 示例 1:Android Activity 认证绕过挖掘
**功能说明**:学习如何挖掘 Android 应用的 Activity 认证绕过漏洞
**执行方式**:智能体分析 + 文档检索
**关键要点**:
- 使用 Drozer 枚举导出的 Activity 组件
- 测试敏感 Activity 是否需要认证
- 检查 AndroidManifest.xml 配置和代码逻辑

### 示例 2:iOS URL Scheme 漏洞分析
**功能说明**:分析 iOS 应用的 URL Scheme 处理是否存在安全漏洞
**执行方式**:智能体代码分析 + 文档参考
**关键要点**:
- 检查 Info.plist 中注册的 URL Scheme
- 分析 AppDelegate/SceneDelegate 中的 URL 处理逻辑
- 验证调用来源和参数校验

### 示例 3:2FA 逻辑缺陷挖掘
**功能说明**:指导如何发现移动应用的 2FA 实现逻辑漏洞
**执行方式**:智能体流程指导 + 工具使用建议
**关键要点**:
- 测试短信重发的速率限制
- 验证手机号码绑定时的授权检查
- 使用 Burp Suite 拦截和分析请求

Related Skills

multi-platform-apps-flutter-expert

16
from diegosouzapw/awesome-omni-skill

Master Flutter development with Dart 3, advanced widgets, and multi-platform deployment. Handles state management, animations, testing, and performance optimization for mobile, web, desktop, and embedded platforms. Use PROACTIVELY for Flutter architecture, UI implementation, or cross-platform features. Use when: the task directly matches flutter expert responsibilities within plugin multi-platform-apps. Do not use when: a more specific framework or task-focused skill is clearly a better match.

mongodb-expert

16
from diegosouzapw/awesome-omni-skill

MongoDB document modeling, aggregation pipeline optimization, sharding strategies, replica set configuration, connection pool management, and indexing patterns. Use this skill for MongoDB-specific issues, NoSQL performance optimization, and schema design.

mobile_react_native

16
from diegosouzapw/awesome-omni-skill

React Native best practices, hooks, navigation ve performance optimization.

mobile-ui-development-rule

16
from diegosouzapw/awesome-omni-skill

General rules pertaining to Mobile UI development. Covers UI/UX best practices, state management, and navigation patterns.

mobile-security-coder

16
from diegosouzapw/awesome-omni-skill

Expert in secure mobile coding practices specializing in input validation, WebView security, and mobile-specific security patterns.

mobile-offline-support

16
from diegosouzapw/awesome-omni-skill

Implement offline-first mobile apps with local storage, sync strategies, and conflict resolution. Covers AsyncStorage, Realm, SQLite, and background sync patterns.

mobile-guide

16
from diegosouzapw/awesome-omni-skill

Comprehensive mobile development guide for iOS, Android, React Native, and Flutter. Includes Swift, Kotlin, and cross-platform frameworks. Use when building mobile applications, iOS, Android, or cross-platform apps.

mobile-games

16
from diegosouzapw/awesome-omni-skill

Mobile game development principles. Touch input, battery, performance, app stores.

mobile-frontend

16
from diegosouzapw/awesome-omni-skill

React Native patterns, NativeWind styling, React Native Reusables components, mobile-specific patterns

mobile-first-design-rules

16
from diegosouzapw/awesome-omni-skill

Focuses on rules and best practices for mobile-first design and responsive typography using tailwind.

mobile-development

16
from diegosouzapw/awesome-omni-skill

Cross-platform and native mobile development. Frameworks: React Native, Flutter, Swift/SwiftUI, Kotlin/Jetpack Compose. Capabilities: mobile UI, offline-first architecture, push notifications, deep linking, biometrics, app store deployment. Actions: build, create, implement, optimize, test, deploy mobile apps. Keywords: iOS, Android, React Native, Flutter, Swift, Kotlin, mobile app, offline sync, push notification, deep link, biometric auth, App Store, Play Store, iOS HIG, Material Design, battery optimization, memory management, mobile performance. Use when: building mobile apps, implementing mobile-first UX, choosing native vs cross-platform, optimizing battery/memory/network, deploying to app stores, handling mobile-specific features.

mobile-developer

16
from diegosouzapw/awesome-omni-skill

Develop React Native, Flutter, or native mobile apps with modern architecture patterns. Masters cross-platform development, native integrations, offline sync, and app store optimization. Use PROACTIVELY for mobile features, cross-platform code, or app optimization.