mobile-security
// Mobile application security skill for implementing OWASP MASVS compliance, secure storage, certificate pinning, biometric authentication, and security hardening across iOS and Android platforms.
$ git log --oneline --stat
stars:384
forks:73
updated:March 4, 2026
SKILL.mdreadonly
SKILL.md Frontmatter
namemobile-security
descriptionMobile application security skill for implementing OWASP MASVS compliance, secure storage, certificate pinning, biometric authentication, and security hardening across iOS and Android platforms.
allowed-toolsRead, Grep, Write, Bash, Edit, Glob, WebFetch
Mobile Security Skill
Comprehensive mobile application security implementation for iOS and Android platforms, covering OWASP Mobile Security guidelines, secure storage, authentication, and security hardening.
Overview
This skill provides capabilities for implementing mobile security best practices, including secure data storage, network security, authentication mechanisms, and compliance with OWASP Mobile Application Security Verification Standard (MASVS).
Capabilities
Secure Storage Implementation
- Configure iOS Keychain Services for sensitive data
- Set up Android Keystore for cryptographic operations
- Implement encrypted SharedPreferences/UserDefaults
- Manage secure key generation and storage
- Handle secure credential management
Certificate Pinning
- Implement TrustKit for iOS certificate pinning
- Configure OkHttp CertificatePinner for Android
- Set up Network Security Config (Android)
- Configure App Transport Security (iOS)
- Validate and rotate pinned certificates
Biometric Authentication
- Implement Face ID and Touch ID for iOS
- Configure Fingerprint/BiometricPrompt for Android
- Handle fallback authentication mechanisms
- Manage biometric enrollment states
- Secure biometric-protected keychain/keystore items
Security Hardening
- Implement jailbreak/root detection
- Configure code obfuscation (ProGuard/R8, Swiftshield)
- Set up anti-tampering mechanisms
- Implement runtime integrity checks
- Configure secure debugging settings
OWASP MASVS Compliance
- Audit against MASVS Level 1 and Level 2
- Generate compliance checklists
- Identify security vulnerabilities
- Recommend remediation strategies
- Document security controls
Prerequisites
iOS Development
# TrustKit for certificate pinning
pod 'TrustKit'
# Keychain wrapper
pod 'KeychainAccess'
Android Development
// build.gradle
dependencies {
implementation 'androidx.security:security-crypto:1.1.0-alpha06'
implementation 'androidx.biometric:biometric:1.1.0'
}
Security Tools
# OWASP Mobile Security Testing Guide tools
pip install objection
brew install frida-tools
Usage Patterns
iOS Keychain Storage
import Security
class KeychainManager {
static func save(key: String, data: Data) -> Bool {
let query: [String: Any] = [
kSecClass as String: kSecClassGenericPassword,
kSecAttrAccount as String: key,
kSecValueData as String: data,
kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly
]
SecItemDelete(query as CFDictionary)
let status = SecItemAdd(query as CFDictionary, nil)
return status == errSecSuccess
}
static func load(key: String) -> Data? {
let query: [String: Any] = [
kSecClass as String: kSecClassGenericPassword,
kSecAttrAccount as String: key,
kSecReturnData as String: true,
kSecMatchLimit as String: kSecMatchLimitOne
]
var result: AnyObject?
let status = SecItemCopyMatching(query as CFDictionary, &result)
return status == errSecSuccess ? result as? Data : nil
}
}
Android EncryptedSharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
class SecureStorage(context: Context) {
private val masterKey = MasterKey.Builder(context)
.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
.build()
private val sharedPreferences = EncryptedSharedPreferences.create(
context,
"secure_prefs",
masterKey,
EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
)
fun saveToken(token: String) {
sharedPreferences.edit().putString("auth_token", token).apply()
}
fun getToken(): String? {
return sharedPreferences.getString("auth_token", null)
}
}
Certificate Pinning (iOS - TrustKit)
import TrustKit
class NetworkSecurityManager {
static func configurePinning() {
let trustKitConfig: [String: Any] = [
kTSKSwizzleNetworkDelegates: false,
kTSKPinnedDomains: [
"api.example.com": [
kTSKEnforcePinning: true,
kTSKIncludeSubdomains: true,
kTSKExpirationDate: "2027-01-01",
kTSKPublicKeyHashes: [
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="
]
]
]
]
TrustKit.initSharedInstance(withConfiguration: trustKitConfig)
}
}
Certificate Pinning (Android - OkHttp)
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
val certificatePinner = CertificatePinner.Builder()
.add("api.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
.add("api.example.com", "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=")
.build()
val client = OkHttpClient.Builder()
.certificatePinner(certificatePinner)
.build()
Biometric Authentication (iOS)
import LocalAuthentication
class BiometricAuth {
func authenticate(completion: @escaping (Bool, Error?) -> Void) {
let context = LAContext()
var error: NSError?
if context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) {
context.evaluatePolicy(
.deviceOwnerAuthenticationWithBiometrics,
localizedReason: "Authenticate to access secure data"
) { success, error in
DispatchQueue.main.async {
completion(success, error)
}
}
} else {
completion(false, error)
}
}
}
Biometric Authentication (Android)
import androidx.biometric.BiometricPrompt
import androidx.fragment.app.FragmentActivity
class BiometricAuth(private val activity: FragmentActivity) {
fun authenticate(onSuccess: () -> Unit, onError: (String) -> Unit) {
val executor = ContextCompat.getMainExecutor(activity)
val biometricPrompt = BiometricPrompt(activity, executor,
object : BiometricPrompt.AuthenticationCallback() {
override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
onSuccess()
}
override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
onError(errString.toString())
}
})
val promptInfo = BiometricPrompt.PromptInfo.Builder()
.setTitle("Biometric Authentication")
.setSubtitle("Authenticate to access secure data")
.setNegativeButtonText("Cancel")
.build()
biometricPrompt.authenticate(promptInfo)
}
}
Integration with Babysitter SDK
Task Definition Example
const mobileSecurityTask = defineTask({
name: 'mobile-security-implementation',
description: 'Implement mobile security controls',
inputs: {
platform: { type: 'string', required: true, enum: ['ios', 'android', 'both'] },
securityLevel: { type: 'string', required: true, enum: ['L1', 'L2'] },
features: { type: 'array', items: { type: 'string' } },
projectPath: { type: 'string', required: true }
},
outputs: {
implementedControls: { type: 'array' },
complianceReport: { type: 'object' },
securityAuditPath: { type: 'string' }
},
async run(inputs, taskCtx) {
return {
kind: 'skill',
title: `Implement ${inputs.securityLevel} security for ${inputs.platform}`,
skill: {
name: 'mobile-security',
context: {
operation: 'implement_security',
platform: inputs.platform,
securityLevel: inputs.securityLevel,
features: inputs.features,
projectPath: inputs.projectPath
}
},
io: {
inputJsonPath: `tasks/${taskCtx.effectId}/input.json`,
outputJsonPath: `tasks/${taskCtx.effectId}/result.json`
}
};
}
});
MCP Server Integration
Using owasp-mobile-security-checker
{
"mcpServers": {
"owasp-mobile": {
"command": "npx",
"args": ["owasp-mobile-security-checker"],
"env": {
"PROJECT_PATH": "/path/to/mobile/project"
}
}
}
}
Available MCP Tools
owasp_scan_ios- Scan iOS project for OWASP vulnerabilitiesowasp_scan_android- Scan Android project for OWASP vulnerabilitiescheck_keychain_usage- Validate iOS Keychain implementationcheck_keystore_usage- Validate Android Keystore implementationvalidate_certificate_pinning- Check certificate pinning configurationaudit_biometric_auth- Audit biometric authentication implementation
OWASP MASVS Checklist
Storage (MASVS-STORAGE)
- Sensitive data not stored in plaintext
- Sensitive data not in app logs
- Sensitive data not shared with third parties
- Keyboard cache disabled for sensitive inputs
- Clipboard disabled for sensitive data
- Sensitive data excluded from backups
Cryptography (MASVS-CRYPTO)
- Strong cryptographic algorithms used
- Cryptographic keys properly managed
- Random number generation secure
- No deprecated crypto functions
Authentication (MASVS-AUTH)
- Biometric authentication properly implemented
- Session management secure
- Password policies enforced
- Multi-factor authentication available
Network (MASVS-NETWORK)
- TLS used for all connections
- Certificate pinning implemented
- Certificate validation not bypassed
- ATS/Network Security Config properly configured
Platform (MASVS-PLATFORM)
- WebView properly configured
- Deep links validated
- IPC mechanisms secured
- Screenshots prevented for sensitive screens
Code Quality (MASVS-CODE)
- Code obfuscation enabled
- Debugging disabled in release
- Root/jailbreak detection implemented
- Anti-tampering measures in place
Best Practices
- Defense in Depth: Layer multiple security controls
- Secure by Default: Default to most secure configuration
- Least Privilege: Request only necessary permissions
- Data Minimization: Store only essential sensitive data
- Regular Audits: Continuously assess security posture
- Key Rotation: Implement certificate and key rotation plans