brdohman/security

Security Review for Apple Platforms

Comprehensive security guidance for iOS, macOS, and watchOS applications. Reviews code for vulnerabilities and provides secure implementation patterns.

When This Skill Activates

Use this skill when the user:

• Asks for "security review" or "security audit"
• Wants to implement "secure storage" or "Keychain"
• Needs "Face ID", "Touch ID", or "biometric authentication"
• Asks about "certificate pinning" or "network security"
• Mentions "Data Protection" or "encryption"
• Wants to store "sensitive data", "credentials", or "tokens"
• Asks about "Secure Enclave" or hardware security

Review Process

Phase 1: Project Discovery

Identify the app's security surface:

# Find security-related code
Grep: "SecItem|Keychain|kSecClass"
Grep: "LAContext|biometryType|evaluatePolicy"
Grep: "URLSession|ATS|NSAppTransportSecurity"
Grep: "CryptoKit|SecKey|CC_SHA"

Determine:

• Platform (iOS, macOS, watchOS, or multi-platform)
• Sensitive data types (credentials, health data, financial, PII)
• Authentication methods in use
• Network communication patterns

Phase 2: Secure Storage Review

Load and apply: secure-storage.md

Key areas:

• Keychain usage patterns
• Data Protection classes
• Secure Enclave for keys
• Avoiding insecure storage (UserDefaults, files)

Phase 3: Authentication Review

Load and apply: biometric-auth.md

Key areas:

• Face ID / Touch ID implementation
• Fallback mechanisms
• LAContext configuration
• Keychain integration with biometrics

Phase 4: Network Security Review

Load and apply: network-security.md

Key areas:

• App Transport Security configuration
• Certificate pinning
• TLS best practices
• Secure API communication

Phase 5: Platform-Specific Review

Load and apply: platform-specifics.md

Key areas:

• iOS: Data Protection, App Groups, Keychain sharing
• macOS: Sandbox, Hardened Runtime, Keychain access
• watchOS: Health data, Watch Connectivity security

Output Format

Present findings in this structure:

# Security Review: [App Name]

**Platform**: iOS / macOS / watchOS / Universal
**Review Date**: [Date]
**Risk Level**: Critical / High / Medium / Low

## Summary

| Category | Status | Issues |
|----------|--------|--------|
| Secure Storage | ✅/⚠️/❌ | X issues |
| Authentication | ✅/⚠️/❌ | X issues |
| Network Security | ✅/⚠️/❌ | X issues |
| Platform Security | ✅/⚠️/❌ | X issues |

---

## 🔴 Critical Vulnerabilities

Security issues that expose user data or enable attacks.

### [Issue Title]

**File**: `path/to/file.swift:123`
**Risk**: [What could happen if exploited]
**OWASP Category**: [If applicable]

**Vulnerable Code**:
```swift
// current insecure code

Secure Implementation:

// fixed secure code

---

🟠 High Priority Issues

Issues that weaken security posture.

[Same format as above]

---

🟡 Medium Priority Issues

Issues that should be addressed for defense in depth.

[Same format as above]

---

🟢 Recommendations

Security hardening suggestions.

[Same format as above]

---

✅ Security Strengths

What the app does well:

• [Strength 1]
• [Strength 2]

---

Action Plan

1. [Critical] [First fix]
2. [Critical] [Second fix]
3. [High] [Third fix] ...

## Priority Classification

### 🔴 Critical
- Credentials stored in plain text or UserDefaults
- Disabled SSL/TLS validation
- Hardcoded secrets or API keys
- SQL injection or code injection vulnerabilities
- Missing authentication on sensitive operations

### 🟠 High
- Keychain without appropriate access controls
- Missing biometric authentication for sensitive data
- Weak cryptographic implementations
- Overly permissive entitlements
- Sensitive data in logs

### 🟡 Medium
- Missing certificate pinning
- Biometric fallback too permissive
- Data Protection class could be stronger
- Missing jailbreak/integrity detection

### 🟢 Low/Recommendations
- Additional hardening measures
- Defense in depth improvements
- Code organization for security clarity

## Quick Checks

### Insecure Storage Detection
```bash
Grep: "UserDefaults.*password|UserDefaults.*token|UserDefaults.*secret|UserDefaults.*apiKey"
Grep: "\.write\(.*credential|\.write\(.*password"
Grep: "let.*apiKey.*=.*\"|let.*secret.*=.*\""

Insecure Network Detection

Grep: "http://(?!localhost|127\.0\.0\.1)"
Grep: "AllowsArbitraryLoads.*true"
Grep: "serverTrust|URLAuthenticationChallenge.*useCredential"

Sensitive Data in Logs

Grep: "print\(.*password|print\(.*token|NSLog.*credential"
Grep: "Logger.*password|os_log.*secret"

References

• secure-storage.md - Keychain, Data Protection, Secure Enclave
• biometric-auth.md - Face ID, Touch ID, LAContext
• network-security.md - ATS, certificate pinning, TLS
• platform-specifics.md - iOS vs macOS vs watchOS

Threat Modeling (SEC-4)

Use STRIDE to systematically identify threats:

| Category | Question | macOS Example | |----------|----------|---------------| | Spoofing | Can an attacker impersonate a legitimate entity? | Fake Keychain prompt, spoofed API response | | Tampering | Can data be modified in transit or at rest? | Unvalidated file imports, unprotected UserDefaults | | Repudiation | Can actions be denied after the fact? | No audit logging for destructive operations | | Information Disclosure | Can data leak to unauthorized parties? | Sensitive data in logs, crash reports with PII | | Denial of Service | Can the app be made unavailable? | Unbounded data import, infinite retry loops | | Elevation of Privilege | Can access be escalated? | Entitlements broader than needed, unsandboxed execution |

For each feature under review, walk through all 6 STRIDE categories and document findings.

Security Testing Techniques (SEC-5)

Input Fuzzing

Test boundary inputs on all user-facing fields:

• Empty strings, very long strings (>10K chars), Unicode/emoji, null bytes
• Negative numbers, zero, MAX_INT for numeric fields
• Path traversal attempts (../../etc/passwd) for file paths
• SQL injection patterns for search fields (even with Core Data)

Verifying Security Fixes

After fixing a security issue:

1. Write a test that would have caught the vulnerability
2. Verify the test fails against the vulnerable code (mentally)
3. Apply the fix
4. Verify the test passes
5. Add the test to the regression suite permanently

Manual Verification Checklist

# Check for hardcoded secrets
grep -rn "let.*key.*=.*\"" --include="*.swift" | grep -iv "test\|mock\|sample"

# Check for UserDefaults storing sensitive data
grep -rn "UserDefaults.*password\|UserDefaults.*token\|UserDefaults.*secret" --include="*.swift"

# Check for disabled certificate validation
grep -rn "serverTrust\|URLAuthenticationChallenge.*useCredential" --include="*.swift"

External Resources

• Apple Security Documentation
• OWASP Mobile Security
• Apple Keychain Services
• App Transport Security