a5c-ai/mobile-security
library/specializations/mobile-development/skills/mobile-security/SKILL.md
Mobile application security skill for implementing OWASP MASVS compliance, secure storage, certificate pinning, biometric authentication, and security hardening across iOS and Android platforms.
$ install --global
skillsauthnpx skillsauth add a5c-ai/babysitter mobile-securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 2, 2026, 12:44 PM57.6s2 files scanned
SKILL.md
- name:
- mobile-security
- description:
- Mobile application security skill for implementing OWASP MASVS compliance, secure storage, certificate pinning, biometric authentication, and security hardening across iOS and Android platforms.
- allowed-tools:
- Read, Grep, Write, Bash, Edit, Glob, WebFetch
Mobile Security Skill
Comprehensive mobile application security implementation for iOS and Android platforms, covering OWASP Mobile Security guidelines, secure storage, authentication, and security hardening.
Overview
This skill provides capabilities for implementing mobile security best practices, including secure data storage, network security, authentication mechanisms, and compliance with OWASP Mobile Application Security Verification Standard (MASVS).
Capabilities
Secure Storage Implementation
- Configure iOS Keychain Services for sensitive data
- Set up Android Keystore for cryptographic operations
- Implement encrypted SharedPreferences/UserDefaults
- Manage secure key generation and storage
- Handle secure credential management
Certificate Pinning
- Implement TrustKit for iOS certificate pinning
- Configure OkHttp CertificatePinner for Android
- Set up Network Security Config (Android)
- Configure App Transport Security (iOS)
- Validate and rotate pinned certificates
Biometric Authentication
- Implement Face ID and Touch ID for iOS
- Configure Fingerprint/BiometricPrompt for Android
- Handle fallback authentication mechanisms
- Manage biometric enrollment states
- Secure biometric-protected keychain/keystore items
Security Hardening
- Implement jailbreak/root detection
- Configure code obfuscation (ProGuard/R8, Swiftshield)
- Set up anti-tampering mechanisms
- Implement runtime integrity checks
- Configure secure debugging settings
OWASP MASVS Compliance
- Audit against MASVS Level 1 and Level 2
- Generate compliance checklists
- Identify security vulnerabilities
- Recommend remediation strategies
- Document security controls
Prerequisites
iOS Development
# TrustKit for certificate pinning
pod 'TrustKit'
# Keychain wrapper
pod 'KeychainAccess'
Android Development
// build.gradle
dependencies {
implementation 'androidx.security:security-crypto:1.1.0-alpha06'
implementation 'androidx.biometric:biometric:1.1.0'
}
Security Tools
# OWASP Mobile Security Testing Guide tools
pip install objection
brew install frida-tools
Usage Patterns
iOS Keychain Storage
import Security
class KeychainManager {
static func save(key: String, data: Data) -> Bool {
let query: [String: Any] = [
kSecClass as String: kSecClassGenericPassword,
kSecAttrAccount as String: key,
kSecValueData as String: data,
kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly
]
SecItemDelete(query as CFDictionary)
let status = SecItemAdd(query as CFDictionary, nil)
return status == errSecSuccess
}
static func load(key: String) -> Data? {
let query: [String: Any] = [
kSecClass as String: kSecClassGenericPassword,
kSecAttrAccount as String: key,
kSecReturnData as String: true,
kSecMatchLimit as String: kSecMatchLimitOne
]
var result: AnyObject?
let status = SecItemCopyMatching(query as CFDictionary, &result)
return status == errSecSuccess ? result as? Data : nil
}
}
Android EncryptedSharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
class SecureStorage(context: Context) {
private val masterKey = MasterKey.Builder(context)
.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
.build()
private val sharedPreferences = EncryptedSharedPreferences.create(
context,
"secure_prefs",
masterKey,
EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
)
fun saveToken(token: String) {
sharedPreferences.edit().putString("auth_token", token).apply()
}
fun getToken(): String? {
return sharedPreferences.getString("auth_token", null)
}
}
Certificate Pinning (iOS - TrustKit)
import TrustKit
class NetworkSecurityManager {
static func configurePinning() {
let trustKitConfig: [String: Any] = [
kTSKSwizzleNetworkDelegates: false,
kTSKPinnedDomains: [
"api.example.com": [
kTSKEnforcePinning: true,
kTSKIncludeSubdomains: true,
kTSKExpirationDate: "2027-01-01",
kTSKPublicKeyHashes: [
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="
]
]
]
]
TrustKit.initSharedInstance(withConfiguration: trustKitConfig)
}
}
Certificate Pinning (Android - OkHttp)
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
val certificatePinner = CertificatePinner.Builder()
.add("api.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
.add("api.example.com", "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=")
.build()
val client = OkHttpClient.Builder()
.certificatePinner(certificatePinner)
.build()
Biometric Authentication (iOS)
import LocalAuthentication
class BiometricAuth {
func authenticate(completion: @escaping (Bool, Error?) -> Void) {
let context = LAContext()
var error: NSError?
if context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) {
context.evaluatePolicy(
.deviceOwnerAuthenticationWithBiometrics,
localizedReason: "Authenticate to access secure data"
) { success, error in
DispatchQueue.main.async {
completion(success, error)
}
}
} else {
completion(false, error)
}
}
}
Biometric Authentication (Android)
import androidx.biometric.BiometricPrompt
import androidx.fragment.app.FragmentActivity
class BiometricAuth(private val activity: FragmentActivity) {
fun authenticate(onSuccess: () -> Unit, onError: (String) -> Unit) {
val executor = ContextCompat.getMainExecutor(activity)
val biometricPrompt = BiometricPrompt(activity, executor,
object : BiometricPrompt.AuthenticationCallback() {
override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
onSuccess()
}
override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
onError(errString.toString())
}
})
val promptInfo = BiometricPrompt.PromptInfo.Builder()
.setTitle("Biometric Authentication")
.setSubtitle("Authenticate to access secure data")
.setNegativeButtonText("Cancel")
.build()
biometricPrompt.authenticate(promptInfo)
}
}
Integration with Babysitter SDK
Task Definition Example
const mobileSecurityTask = defineTask({
name: 'mobile-security-implementation',
description: 'Implement mobile security controls',
inputs: {
platform: { type: 'string', required: true, enum: ['ios', 'android', 'both'] },
securityLevel: { type: 'string', required: true, enum: ['L1', 'L2'] },
features: { type: 'array', items: { type: 'string' } },
projectPath: { type: 'string', required: true }
},
outputs: {
implementedControls: { type: 'array' },
complianceReport: { type: 'object' },
securityAuditPath: { type: 'string' }
},
async run(inputs, taskCtx) {
return {
kind: 'skill',
title: `Implement ${inputs.securityLevel} security for ${inputs.platform}`,
skill: {
name: 'mobile-security',
context: {
operation: 'implement_security',
platform: inputs.platform,
securityLevel: inputs.securityLevel,
features: inputs.features,
projectPath: inputs.projectPath
}
},
io: {
inputJsonPath: `tasks/${taskCtx.effectId}/input.json`,
outputJsonPath: `tasks/${taskCtx.effectId}/result.json`
}
};
}
});
MCP Server Integration
Using owasp-mobile-security-checker
{
"mcpServers": {
"owasp-mobile": {
"command": "npx",
"args": ["owasp-mobile-security-checker"],
"env": {
"PROJECT_PATH": "/path/to/mobile/project"
}
}
}
}
Available MCP Tools
owasp_scan_ios- Scan iOS project for OWASP vulnerabilitiesowasp_scan_android- Scan Android project for OWASP vulnerabilitiescheck_keychain_usage- Validate iOS Keychain implementationcheck_keystore_usage- Validate Android Keystore implementationvalidate_certificate_pinning- Check certificate pinning configurationaudit_biometric_auth- Audit biometric authentication implementation
OWASP MASVS Checklist
Storage (MASVS-STORAGE)
- [ ] Sensitive data not stored in plaintext
- [ ] Sensitive data not in app logs
- [ ] Sensitive data not shared with third parties
- [ ] Keyboard cache disabled for sensitive inputs
- [ ] Clipboard disabled for sensitive data
- [ ] Sensitive data excluded from backups
Cryptography (MASVS-CRYPTO)
- [ ] Strong cryptographic algorithms used
- [ ] Cryptographic keys properly managed
- [ ] Random number generation secure
- [ ] No deprecated crypto functions
Authentication (MASVS-AUTH)
- [ ] Biometric authentication properly implemented
- [ ] Session management secure
- [ ] Password policies enforced
- [ ] Multi-factor authentication available
Network (MASVS-NETWORK)
- [ ] TLS used for all connections
- [ ] Certificate pinning implemented
- [ ] Certificate validation not bypassed
- [ ] ATS/Network Security Config properly configured
Platform (MASVS-PLATFORM)
- [ ] WebView properly configured
- [ ] Deep links validated
- [ ] IPC mechanisms secured
- [ ] Screenshots prevented for sensitive screens
Code Quality (MASVS-CODE)
- [ ] Code obfuscation enabled
- [ ] Debugging disabled in release
- [ ] Root/jailbreak detection implemented
- [ ] Anti-tampering measures in place
Best Practices
- Defense in Depth: Layer multiple security controls
- Secure by Default: Default to most secure configuration
- Least Privilege: Request only necessary permissions
- Data Minimization: Store only essential sensitive data
- Regular Audits: Continuously assess security posture
- Key Rotation: Implement certificate and key rotation plans
References
- OWASP Mobile Security Testing Guide
- OWASP MASVS
- Apple Security Documentation
- Android Security Best Practices
- TrustKit iOS
- owasp-mobile-security-checker
Related Skills
a5c-ai/model-card-generator
development
VerifiedTrustedCommunity
Model documentation skill for generating model cards following Google's model card framework.
680SKILL.mdUpdated Apr 28, 2026
a5c-ai/mlflow-experiment-tracker
development
VerifiedTrustedCommunity
MLflow integration skill for experiment tracking, model registry, and artifact management. Enables LLMs to log experiments, compare runs, manage model lifecycle, and retrieve artifacts through the MLflow API.
680SKILL.mdUpdated Apr 28, 2026
a5c-ai/lime-explainer
data-ai
VerifiedTrustedCommunity
LIME-based local explanation skill for individual predictions across tabular, text, and image data.
680SKILL.mdUpdated Apr 28, 2026
a5c-ai/kubeflow-pipeline-executor
devops
VerifiedTrustedCommunity
Kubeflow Pipelines skill for ML workflow orchestration, component management, and Kubernetes-native ML.
680SKILL.mdUpdated Apr 28, 2026