owasp-mobile-security-checker
Analyze Flutter and mobile applications for OWASP Mobile Top 10 (2024) security compliance. Use this skill when performing security audits, vulnerability assessments, or compliance checks on mobile applications. Performs automated scans for hardcoded secrets, insecure storage, weak cryptography, network security issues, and provides detailed remediation guidance.
Best use case
owasp-mobile-security-checker is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using owasp-mobile-security-checker should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/owasp-mobile-security-checker/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
Frequently Asked Questions
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# OWASP Mobile Security Checker
Comprehensive security analysis tool for Flutter and mobile applications based on the OWASP Mobile Top 10 (2024) guidelines.
## Overview
This skill enables thorough security auditing of Flutter mobile applications by identifying vulnerabilities across all ten OWASP Mobile Top 10 risk categories. It combines automated scanning scripts with manual analysis guidelines to provide comprehensive security assessments and actionable remediation plans.
## Core Capabilities
### 1. Automated Vulnerability Scanning
Run Python-based scanners to detect common security issues:
**M1 - Hardcoded Secrets Scanner**
```bash
python3 scripts/scan_hardcoded_secrets.py /path/to/project
```
Detects API keys, tokens, passwords, AWS credentials, Firebase keys, and other hardcoded secrets in Dart code and configuration files.
**M2 - Dependency Security Checker**
```bash
python3 scripts/check_dependencies.py /path/to/project
```
Analyzes `pubspec.yaml` for outdated packages, insecure version constraints (`any`), and known vulnerabilities.
**M5 - Network Security Validator**
```bash
python3 scripts/check_network_security.py /path/to/project
```
Checks for HTTP vs HTTPS usage, certificate pinning, Android Network Security Config, and iOS App Transport Security settings.
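How the M5 checks described above can be implemented for the two platform configuration files, as an added Python example; it is not the skill's own `check_network_security.py`. The config snippets and the pin value are constructed, and the HIGH severity for cleartext traffic and disabled ATS is this example's choice (missing pinning and local networking use the levels given under Severity Levels).

```python
import plistlib
import xml.etree.ElementTree as ET

# Constructed sample inputs; none is taken from a real project. The pin value is fake.
NETWORK_SECURITY_CONFIG = """\
<network-security-config>
  <base-config cleartextTrafficPermitted="true" />
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
  </domain-config>
  <domain-config>
    <domain>pay.example.com</domain>
    <pin-set><pin digest="SHA-256">c29tZS1jb25zdHJ1Y3RlZC1waW4tdmFsdWUtbm90LXJlYWw=</pin></pin-set>
  </domain-config>
</network-security-config>
"""
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/><key>NSAllowsLocalNetworking</key><true/></dict>
</dict></plist>
"""

# Severities: missing pinning (MEDIUM) and local networking (LOW) follow the page's
# Severity Levels; HIGH for cleartext traffic and disabled ATS is this example's choice.
def check_network_security_config(xml_text):
    """M5 on Android: flag cleartext traffic and domain-configs without a pin-set."""
    root = ET.fromstring(xml_text)
    findings = []
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted") == "true":
        findings.append(("M5", "HIGH", "base-config permits cleartext HTTP for all domains"))
    for dc in root.findall("domain-config"):
        domains = ", ".join(d.text for d in dc.findall("domain"))
        if dc.get("cleartextTrafficPermitted") == "true":
            findings.append(("M5", "HIGH", f"cleartext HTTP permitted for {domains}"))
        if dc.find("pin-set") is None:
            findings.append(("M5", "MEDIUM", f"no certificate pinning for {domains}"))
    return findings

def check_info_plist(plist_bytes):
    """M5 on iOS: inspect App Transport Security exceptions in Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("M5", "HIGH", "NSAllowsArbitraryLoads disables ATS for every connection"))
    if ats.get("NSAllowsLocalNetworking"):
        findings.append(("M5", "LOW", "local networking allowed"))
    return findings
```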
**M9 - Storage Security Analyzer**
```bash
python3 scripts/analyze_storage_security.py /path/to/project
```
Identifies unencrypted SharedPreferences usage, plaintext file storage, unencrypted databases, and insecure backup configurations.
### 2. Manual Security Analysis
For risks requiring code review and architectural assessment:
- **M3 (Authentication/Authorization)**: Evaluate token management, MFA, biometrics, and session handling
- **M4 (Input/Output Validation)**: Check input sanitization, parameterized queries, and injection prevention
- **M6 (Privacy Controls)**: Review permissions, PII handling, consent mechanisms, and data minimization
- **M7 (Binary Protections)**: Verify obfuscation, root detection, and anti-debugging measures
- **M8 (Security Misconfiguration)**: Inspect debug flags, logging, and platform configurations
- **M10 (Cryptography)**: Validate algorithm choices, key management, and encryption modes
### 3. Comprehensive Security Reports
Generate detailed reports with:
- Severity-based prioritization (CRITICAL → HIGH → MEDIUM → LOW)
- Flutter-specific code examples (insecure vs secure patterns)
- Actionable remediation steps with implementation guidance
- OWASP Mobile Top 10 risk categorization
## Workflow Decision Tree
**Start here to determine your approach:**
```text
Is this a comprehensive security audit?
├─ YES → Run all 4 automated scanners → Review results → Perform manual analysis → Generate report
└─ NO → Continue...
Is this for a specific OWASP risk category?
├─ M1 (Credentials) → Run scan_hardcoded_secrets.py → Review findings
├─ M2 (Dependencies) → Run check_dependencies.py → Update packages
├─ M5 (Network) → Run check_network_security.py → Implement certificate pinning
├─ M9 (Storage) → Run analyze_storage_security.py → Use encrypted storage
└─ Other (M3/M4/M6/M7/M8/M10) → Load reference docs → Perform manual analysis
Is this a quick security check before release?
└─ YES → Run all automated scanners → Focus on CRITICAL/HIGH findings → Fix blockers
```
## Quick Start: Comprehensive Audit
Perform a complete OWASP security audit:
1. **Run automated scans** (from project root):
```bash
python3 .claude/skills/owasp-mobile-security-checker/scripts/scan_hardcoded_secrets.py .
python3 .claude/skills/owasp-mobile-security-checker/scripts/check_dependencies.py .
python3 .claude/skills/owasp-mobile-security-checker/scripts/analyze_storage_security.py .
python3 .claude/skills/owasp-mobile-security-checker/scripts/check_network_security.py .
```
2. **Review JSON outputs**:
- `owasp_m1_secrets_scan.json`
- `owasp_m2_dependencies_scan.json`
- `owasp_m5_network_scan.json`
- `owasp_m9_storage_scan.json`
3. **Prioritize by severity**: Address CRITICAL and HIGH findings first
4. **Load reference documentation** for detailed information:
```text
Read references/owasp_mobile_top_10_2024.md
```
5. **Perform manual analysis** for remaining risks (M3, M4, M6, M7, M8, M10)
6. **Generate remediation plan** with code examples and timeline
## Manual Analysis Guidelines
### M3: Authentication & Authorization
**What to check:**
- Token storage using `flutter_secure_storage` (not SharedPreferences)
- Token expiration and refresh mechanisms
- Multi-factor authentication implementation
- Server-side authorization enforcement
**Code patterns to find:**
```dart
// Search for: SharedPreferences + setString with 'token', 'auth', 'password'
// Flag: Plaintext credential storage
// Verify: FlutterSecureStorage usage for sensitive data
// Check: Token expiration logic exists
```
### M4: Input/Output Validation
**What to check:**
- Input validation on all user inputs (forms, URLs, file paths)
- Parameterized database queries (no string interpolation)
- Output encoding in WebViews
- API response validation
**Code patterns to find:**
```dart
// Search for: rawQuery, rawInsert with string interpolation ($)
// Flag: SQL injection vulnerability
// Search for: WebView without proper sanitization
// Flag: XSS vulnerability
```
### M6: Privacy Controls
**What to check:**
- Minimal permission requests (only necessary)
- No PII in analytics events or logs
- Consent mechanisms for data collection
- Proper anonymization/pseudonymization
**Code patterns to find:**
```dart
// Search for: FirebaseAnalytics.logEvent with email, phone, name
// Flag: PII in analytics
// Search for: print(), log() with user data
// Flag: PII in logs
```
### M7: Binary Protections
**What to verify:**
```bash
# Check build commands use obfuscation:
flutter build apk --release --obfuscate --split-debug-info=./debug-info
# Search for root detection packages:
grep -r "flutter_jailbreak_detection" pubspec.yaml
grep -r "root_detector" pubspec.yaml
# Verify debug mode checks:
grep -r "kDebugMode" lib/
```
### M8: Security Misconfiguration
**What to check:**
- Debug flags disabled in production
- Logging levels appropriate for release
- Minimal platform permissions in manifests
- No development endpoints in production code
**Code patterns to find:**
```dart
// Flag: Debug code that executes in release builds
if (kDebugMode) { print("..."); } // This compiles in release!
// Preferred: assert(() { debugPrint("..."); return true; }());
```
### M10: Cryptography
**What to check:**
- Strong algorithms (AES-256 GCM, not MD5/SHA1)
- Secure key storage (Keystore/Keychain, not hardcoded)
- Proper encryption modes (GCM, not ECB)
- Cryptographically secure RNG (Random.secure())
**Code patterns to find:**
```dart
// Search for: md5, sha1, des (weak algorithms)
// Search for: AESMode.ecb (insecure mode)
// Search for: 'encryption_key', 'secret_key' (hardcoded keys)
```
## Understanding Scan Results
### Severity Levels
- **CRITICAL**: Immediate security risk requiring urgent action
- Examples: Disabled certificate validation, exposed production credentials
- Action: Fix immediately, do not release
- **HIGH**: Significant vulnerability requiring prompt remediation
- Examples: Hardcoded API keys, unencrypted sensitive storage
- Action: Fix before release
- **MEDIUM**: Security concern that should be addressed
- Examples: Missing certificate pinning, outdated dependencies
- Action: Plan remediation, fix in next sprint
- **LOW**: Best practice or minor improvement
- Examples: Verbose logging, local networking allowed
- Action: Address as time permits
### Common False Positives
Be aware of legitimate cases that may trigger findings:
- **M1**: Test/example API keys, environment placeholders (`YOUR_API_KEY`)
- **M5**: HTTP for localhost/127.0.0.1 during development
- **M9**: Non-sensitive data in SharedPreferences (user preferences)
- **M2**: Development dependencies (linters, test tools)
Always verify findings in context before flagging as vulnerabilities.
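The "Code patterns to find" searches from the Manual Analysis Guidelines (M3, M4, M10), the M1 credential check, and the placeholder suppression described under Common False Positives, implemented as one small Python scanner that orders its output CRITICAL to LOW. This is an added example, not one of the skill's own scripts; the regexes, the severity assigned to each rule, the placeholder list, the report field names and the sample Dart input are all assumptions made for illustration.

```python
import re

# One rule per "Code patterns to find" item: (risk, severity, line regex, flag text).
# Severities use the page's CRITICAL/HIGH/MEDIUM/LOW scale; the per-rule choice is this
# example's own (M1 and M3 follow the HIGH examples listed under Severity Levels).
RULES = [
    ("M1", "HIGH", re.compile(r"""(?:api[_-]?key|secret|token|password)\s*=\s*["']([^"']{8,})["']""", re.I),
     "Hardcoded credential"),
    ("M3", "HIGH", re.compile(r"""\.setString\(\s*["'][^"']*(?:token|auth|password)""", re.I),
     "Plaintext credential written to SharedPreferences"),
    ("M4", "CRITICAL", re.compile(r"\.raw(?:Query|Insert|Update|Delete)\([^)]*\$"),
     "SQL built by string interpolation"),
    ("M10", "MEDIUM", re.compile(r"\b(?:md5|sha1)\b|AESMode\.ecb"),
     "Weak algorithm or ECB mode"),
]
# Placeholder values named under Common False Positives; they are not real secrets.
PLACEHOLDER = re.compile(r"YOUR_|PLACEHOLDER|CHANGE_?ME|EXAMPLE", re.I)
# Strip trailing // comments but leave URL schemes such as https:// intact.
COMMENT = re.compile(r"(?<!:)//.*$")
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]

# Constructed sample input for the scanner; it is not taken from any real application.
SAMPLE_DART = """\
// constructed sample
import 'package:shared_preferences/shared_preferences.dart';
const String apiKey = "sk_live_ABC123DEF456";
const String secret = "YOUR_SECRET_KEY";
await prefs.setString('auth_token', token);
final rows = await db.rawQuery("SELECT * FROM users WHERE name = '$name'");
final digest = md5.convert(utf8.encode(password));
final enc = Encrypter(AES(key, mode: AESMode.ecb));
final url = "https://api.example.com/v1"; // clean line
"""

def scan_dart(source, path="lib/example.dart"):
    """Return one finding dict per matched rule, in source order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = COMMENT.sub("", line)
        for risk, severity, pattern, flag in RULES:
            m = pattern.search(code)
            if m is None:
                continue
            if risk == "M1" and PLACEHOLDER.search(m.group(1)):
                continue  # e.g. YOUR_API_KEY: a placeholder, not a leaked secret
            findings.append({"risk": risk, "severity": severity, "file": path,
                             "line": lineno, "issue": flag, "code": line.strip()})
    return findings

def build_report(findings):
    """Order findings CRITICAL -> HIGH -> MEDIUM -> LOW and add per-severity counts.
    Field names are this example's own, not those of the skill's JSON output files."""
    ordered = sorted(findings, key=lambda f: SEVERITY_ORDER.index(f["severity"]))
    counts = {s: sum(f["severity"] == s for f in ordered) for s in SEVERITY_ORDER}
    return {"summary": counts, "findings": ordered}
```

The returned report can be handed straight to `json.dumps` to produce a file in the spirit of the `owasp_*_scan.json` outputs.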
## Reference Documentation
The `references/owasp_mobile_top_10_2024.md` file provides:
- Detailed explanations of each OWASP Mobile Top 10 risk
- Real-world attack scenarios and examples
- Flutter-specific vulnerability patterns
- Complete mitigation strategies
- Secure vs insecure code examples
- Platform-specific considerations (Android/iOS)
**When to load this reference:**
- Need deep understanding of a specific risk category
- Creating detailed remediation documentation
- Explaining vulnerabilities to stakeholders
- Looking for Flutter-specific code patterns
- Researching platform-specific security configurations
## Example: Targeted Security Fix
**Scenario**: Found HIGH severity finding for hardcoded API key
1. **Locate the issue**:
```text
File: lib/services/api_client.dart:15
Issue: Hardcoded API key
Code: const String apiKey = "sk_live_ABC123...";
```
2. **Understand the risk**: Load `references/owasp_mobile_top_10_2024.md` and review M1 section
3. **Implement fix**:
```dart
import 'package:flutter_secure_storage/flutter_secure_storage.dart';

// Before (INSECURE): the key is compiled into the binary
// const String apiKey = "sk_live_ABC123...";

// After (SECURE): read the key from platform-backed secure storage
// (Keychain on iOS, Keystore-backed storage on Android)
Future<String?> loadApiKey() async {
  final secureStorage = FlutterSecureStorage();
  return secureStorage.read(key: 'api_key');
}
// Key injected at build time or fetched from secure backend
```
4. **Verify fix**: Re-run `scan_hardcoded_secrets.py` to confirm issue resolved
5. **Document**: Update security review with remediation details
## Best Practices
**For Development Teams:**
- Run automated scans in CI/CD pipeline on every PR
- Establish security gates (no CRITICAL findings in production)
- Conduct quarterly comprehensive security audits
- Maintain security backlog and track remediation
**For Security Auditors:**
- Combine automated scans with manual code review
- Test fixes to ensure they don't break functionality
- Document security exceptions with business justification
- Provide training on secure coding practices
**For All Users:**
- Keep scan scripts updated with latest patterns
- Share findings and recommendations with team
- Integrate security early in development cycle
- Treat OWASP compliance as ongoing, not one-time
## Integration Points
Recommended workflow integration:
- **Pre-commit**: Lightweight secret scanning
- **Pull Requests**: Automated scans with security report comment
- **Release Builds**: Comprehensive audit including manual analysis
- **Production**: Continuous monitoring and periodic reviews
- **Incident Response**: Targeted scans when vulnerabilities reported
## Additional Resources
This skill references authoritative sources:
- OWASP Mobile Top 10 Project (2024)
- Flutter Security Best Practices
- Android Security Guidelines (Keystore, Network Security Config)
- iOS Security Guide (Keychain, App Transport Security)
- Platform-specific documentation and security research