security
Security review and guidance for iOS, macOS, and watchOS apps. Covers secure storage, biometric authentication, network security, and platform-specific patterns. Use when implementing security features or reviewing code for vulnerabilities.
Best use case
security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using security should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/security/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
How security Compares
| Feature / Agent | security | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Security review and guidance for iOS, macOS, and watchOS apps. Covers secure storage, biometric authentication, network security, and platform-specific patterns. Use when implementing security features or reviewing code for vulnerabilities.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
SKILL.md Source
# Security Review for Apple Platforms

Comprehensive security guidance for iOS, macOS, and watchOS applications. Reviews code for vulnerabilities and provides secure implementation patterns.

## When This Skill Activates

Use this skill when the user:

- Asks for "security review" or "security audit"
- Wants to implement "secure storage" or "Keychain"
- Needs "Face ID", "Touch ID", or "biometric authentication"
- Asks about "certificate pinning" or "network security"
- Mentions "Data Protection" or "encryption"
- Wants to store "sensitive data", "credentials", or "tokens"
- Asks about "Secure Enclave" or hardware security

## Review Process

### Phase 1: Project Discovery

Identify the app's security surface:

```bash
# Find security-related code
Grep: "SecItem|Keychain|kSecClass"
Grep: "LAContext|biometryType|evaluatePolicy"
Grep: "URLSession|ATS|NSAppTransportSecurity"
Grep: "CryptoKit|SecKey|CC_SHA"
```

Determine:

- Platform (iOS, macOS, watchOS, or multi-platform)
- Sensitive data types (credentials, health data, financial, PII)
- Authentication methods in use
- Network communication patterns

### Phase 2: Secure Storage Review

Load and apply: **secure-storage.md**

Key areas:

- Keychain usage patterns
- Data Protection classes
- Secure Enclave for keys
- Avoiding insecure storage (UserDefaults, files)

### Phase 3: Authentication Review

Load and apply: **biometric-auth.md**

Key areas:

- Face ID / Touch ID implementation
- Fallback mechanisms
- LAContext configuration
- Keychain integration with biometrics

### Phase 4: Network Security Review

Load and apply: **network-security.md**

Key areas:

- App Transport Security configuration
- Certificate pinning
- TLS best practices
- Secure API communication

### Phase 5: Platform-Specific Review

Load and apply: **platform-specifics.md**

Key areas:

- iOS: Data Protection, App Groups, Keychain sharing
- macOS: Sandbox, Hardened Runtime, Keychain access
- watchOS: Health data, Watch Connectivity security

## Output Format

Present findings in this structure:

````markdown
# Security Review: [App Name]

**Platform**: iOS / macOS / watchOS / Universal
**Review Date**: [Date]
**Risk Level**: Critical / High / Medium / Low

## Summary

| Category | Status | Issues |
|----------|--------|--------|
| Secure Storage | ✅/⚠️/❌ | X issues |
| Authentication | ✅/⚠️/❌ | X issues |
| Network Security | ✅/⚠️/❌ | X issues |
| Platform Security | ✅/⚠️/❌ | X issues |

---

## 🔴 Critical Vulnerabilities

Security issues that expose user data or enable attacks.

### [Issue Title]

**File**: `path/to/file.swift:123`
**Risk**: [What could happen if exploited]
**OWASP Category**: [If applicable]

**Vulnerable Code**:
```swift
// current insecure code
```

**Secure Implementation**:
```swift
// fixed secure code
```

---

## 🟠 High Priority Issues

Issues that weaken security posture.

[Same format as above]

---

## 🟡 Medium Priority Issues

Issues that should be addressed for defense in depth.

[Same format as above]

---

## 🟢 Recommendations

Security hardening suggestions.

[Same format as above]

---

## ✅ Security Strengths

What the app does well:

- [Strength 1]
- [Strength 2]

---

## Action Plan

1. **[Critical]** [First fix]
2. **[Critical]** [Second fix]
3. **[High]** [Third fix]
...
````

## Priority Classification

### 🔴 Critical

- Credentials stored in plain text or UserDefaults
- Disabled SSL/TLS validation
- Hardcoded secrets or API keys
- SQL injection or code injection vulnerabilities
- Missing authentication on sensitive operations

### 🟠 High

- Keychain without appropriate access controls
- Missing biometric authentication for sensitive data
- Weak cryptographic implementations
- Overly permissive entitlements
- Sensitive data in logs

### 🟡 Medium

- Missing certificate pinning
- Biometric fallback too permissive
- Data Protection class could be stronger
- Missing jailbreak/integrity detection

### 🟢 Low/Recommendations

- Additional hardening measures
- Defense in depth improvements
- Code organization for security clarity

## Quick Checks

### Insecure Storage Detection

```bash
Grep: "UserDefaults.*password|UserDefaults.*token|UserDefaults.*secret|UserDefaults.*apiKey"
Grep: "\.write\(.*credential|\.write\(.*password"
Grep: "let.*apiKey.*=.*\"|let.*secret.*=.*\""
```

### Insecure Network Detection

```bash
Grep: "http://(?!localhost|127\.0\.0\.1)"
Grep: "AllowsArbitraryLoads.*true"
# custom trust evaluation: a finding only if the handler accepts the trust without validating it
Grep: "serverTrust|URLAuthenticationChallenge.*useCredential"
```

Two caveats when running these outside the agent's Grep tool: `(?!...)` is a PCRE negative lookahead, which ripgrep and GNU grep accept only with `-P` and `grep -E` rejects outright, so the portable form is to match `http://` and filter out the `localhost`/`127.0.0.1` hits. `AllowsArbitraryLoads.*true` only matches when the key and `<true/>` share a line, which they do not in a hand-written Info.plist; match `NSAllowsArbitraryLoads` and inspect the following line, or run the check over `plutil -p Info.plist` output, where the pair prints as `"NSAllowsArbitraryLoads" => 1`.

### Sensitive Data in Logs

```bash
Grep: "print\(.*password|print\(.*token|NSLog.*credential"
Grep: "Logger.*password|os_log.*secret"
```

## References

- **secure-storage.md** - Keychain, Data Protection, Secure Enclave
- **biometric-auth.md** - Face ID, Touch ID, LAContext
- **network-security.md** - ATS, certificate pinning, TLS
- **platform-specifics.md** - iOS vs macOS vs watchOS

## External Resources

- [Apple Security Documentation](https://developer.apple.com/documentation/security)
- [OWASP Mobile Security](https://owasp.org/www-project-mobile-security/)
- [Apple Keychain Services](https://developer.apple.com/documentation/security/keychain_services)
- [App Transport Security](https://developer.apple.com/documentation/bundleresources/information_property_list/nsapptransportsecurity)
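The Quick Checks from the SKILL.md above, run as portable `grep -E` over a constructed sample app tree and tagged with the priority class the skill assigns, as an added example that is not part of the skill or of any Apple project. The function names (`make_sample_tree`, `run_quick_checks`, `count_findings`), the sample Swift file and its string values are assumptions made for this example; the lookahead and plist-line problems noted with the Quick Checks are handled explicitly.

```shell
#!/bin/sh
# Added example, not part of the skill or of any Apple project: the skill's Quick Checks
# as portable grep -E, each hit tagged with the skill's priority class. Function names
# and the sample tree/strings below are assumptions made for the example.

# Build a small constructed app tree under $1 so the checks can run offline.
make_sample_tree() {
  mkdir -p "$1/App"
  cat > "$1/App/AuthStore.swift" <<'EOF'
import Foundation
let apiKey = "example-key-not-real"                     // hardcoded secret
func saveToken(_ token: String) {
    UserDefaults.standard.set(token, forKey: "password") // credential in UserDefaults
    print("saved token: \(token)")                       // sensitive data in logs
}
let api = URL(string: "http://api.example.com/v1")!      // cleartext endpoint
let dev = URL(string: "http://localhost:8080")!          // excluded by the check
EOF
  # Key and value kept on one line here; a real Info.plist splits them across lines.
  printf '<key>NSAllowsArbitraryLoads</key><true/>\n' > "$1/App/Info.plist"
}

# One check: tag every matching line as "PRIORITY [label] file:line:text".
check() {
  prio="$1"; label="$2"; pat="$3"; dir="$4"
  grep -rEn -- "$pat" "$dir" 2>/dev/null | sed "s|^|$prio [$label] |"
}

run_quick_checks() {
  dir="$1"
  # Insecure storage -> Critical in the skill's classification
  check CRITICAL secret-in-userdefaults 'UserDefaults.*(password|token|secret|apiKey)' "$dir"
  check CRITICAL hardcoded-secret       'let.*(apiKey|secret).*=.*"' "$dir"
  check CRITICAL credential-written     '\.write\(.*(credential|password)' "$dir"
  # Insecure network -> Critical (disabled ATS, cleartext endpoints)
  check CRITICAL ats-disabled           'AllowsArbitraryLoads.*true' "$dir"
  # POSIX ERE has no (?!...) lookahead: match http:// then drop the local-only hits.
  grep -rEn -- 'http://' "$dir" 2>/dev/null \
    | grep -Ev 'http://(localhost|127\.0\.0\.1)' \
    | sed 's|^|CRITICAL [cleartext-http] |'
  # Custom trust evaluation needs a human look; tagged REVIEW rather than a priority.
  check REVIEW   custom-trust-eval      'serverTrust|URLAuthenticationChallenge.*useCredential' "$dir"
  # Sensitive data in logs -> High
  check HIGH     sensitive-log 'print\(.*(password|token)|NSLog.*credential|Logger.*password|os_log.*secret' "$dir"
}

# Number of findings, for gating a CI step (0 means nothing to review).
count_findings() {
  run_quick_checks "$1" | grep -c .
}

# Usage: sh quick_checks.sh path/to/Sources
if [ "$#" -gt 0 ]; then
  run_quick_checks "$1"
fi
```

On the constructed tree this reports five findings (UserDefaults credential, hardcoded key, disabled ATS, the cleartext `api.example.com` URL, and the `print` of the token) and correctly ignores the `localhost` URL. The output is a triage list, not a verdict: every hit still has to be read in context, which is what the review phases above are for.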
Related Skills
watchOS
watchOS development guidance including SwiftUI for Watch, Watch Connectivity, complications, and watch-specific UI patterns. Use for watchOS code review, best practices, or Watch app development.
visionos-widgets
visionOS widget patterns including mounting styles, glass/paper textures, proximity-aware layouts, and spatial widget families. Use when creating or adapting widgets for visionOS.
test-data-factory
Generate test fixture factories for your models. Builder pattern and static factories for zero-boilerplate test data. Use when tests need sample data setup.
test-contract
Generate protocol/interface test suites that any implementation must pass. Define the contract once, test every implementation. Use when designing protocols or swapping implementations.
tdd-refactor-guard
Pre-refactor safety checklist. Verifies test coverage exists before AI modifies existing code. Use before asking AI to refactor anything.
tdd-feature
Red-green-refactor scaffold for building new features with TDD. Write failing tests first, then implement to pass. Use when building new features test-first.
tdd-bug-fix
Fix bugs using red-green-refactor — reproduce the bug as a failing test first, then fix it. Use when fixing bugs to ensure they never regress.
snapshot-test-setup
Set up SwiftUI visual regression testing with swift-snapshot-testing. Generates snapshot test boilerplate and CI configuration. Use for UI regression prevention.
integration-test-scaffold
Generate cross-module test harness with mock servers, in-memory stores, and test configuration. Use when testing networking + persistence + business logic together.
characterization-test-generator
Generates tests that capture current behavior of existing code before refactoring. Use when you need a safety net before AI-assisted refactoring or modifying legacy code.
testing
TDD and testing skills for iOS/macOS apps. Covers characterization tests, TDD workflows, test contracts, snapshot tests, and test infrastructure. Use for test-driven development, adding tests to existing code, or building test infrastructure.
webkit-integration
WebKit integration in SwiftUI using WebView and WebPage for embedding web content, navigation, JavaScript interop, and customization. Use when embedding web content in SwiftUI apps.