rshankras/security
skills/security/SKILL.md
Security review and guidance for iOS, macOS, and watchOS apps. Covers secure storage, biometric authentication, network security, and platform-specific patterns. Use when implementing security features or reviewing code for vulnerabilities.
$ install --global
skillsauthnpx skillsauth add rshankras/claude-code-apple-skills securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 11, 2026, 10:44 PM4.5s6 files scanned
SKILL.md
- name:
- security
- description:
- Security review and guidance for iOS, macOS, and watchOS apps. Covers secure storage, biometric authentication, network security, and platform-specific patterns. Use when implementing security features or reviewing code for vulnerabilities.
- allowed-tools:
- [Read, Glob, Grep]
Security Review for Apple Platforms
Comprehensive security guidance for iOS, macOS, and watchOS applications. Reviews code for vulnerabilities and provides secure implementation patterns.
When This Skill Activates
Use this skill when the user:
- Asks for "security review" or "security audit"
- Wants to implement "secure storage" or "Keychain"
- Needs "Face ID", "Touch ID", or "biometric authentication"
- Asks about "certificate pinning" or "network security"
- Mentions "Data Protection" or "encryption"
- Wants to store "sensitive data", "credentials", or "tokens"
- Asks about "Secure Enclave" or hardware security
Review Process
Phase 1: Project Discovery
Identify the app's security surface:
# Find security-related code
Grep: "SecItem|Keychain|kSecClass"
Grep: "LAContext|biometryType|evaluatePolicy"
Grep: "URLSession|ATS|NSAppTransportSecurity"
Grep: "CryptoKit|SecKey|CC_SHA"
Determine:
- Platform (iOS, macOS, watchOS, or multi-platform)
- Sensitive data types (credentials, health data, financial, PII)
- Authentication methods in use
- Network communication patterns
Phase 2: Secure Storage Review
Load and apply: secure-storage.md
Key areas:
- Keychain usage patterns
- Data Protection classes
- Secure Enclave for keys
- Avoiding insecure storage (UserDefaults, files)
Phase 3: Authentication Review
Load and apply: biometric-auth.md
Key areas:
- Face ID / Touch ID implementation
- Fallback mechanisms
- LAContext configuration
- Keychain integration with biometrics
Phase 4: Network Security Review
Load and apply: network-security.md
Key areas:
- App Transport Security configuration
- Certificate pinning
- TLS best practices
- Secure API communication
Phase 5: Platform-Specific Review
Load and apply: platform-specifics.md
Key areas:
- iOS: Data Protection, App Groups, Keychain sharing
- macOS: Sandbox, Hardened Runtime, Keychain access
- watchOS: Health data, Watch Connectivity security
Output Format
Present findings in this structure:
# Security Review: [App Name]
**Platform**: iOS / macOS / watchOS / Universal
**Review Date**: [Date]
**Risk Level**: Critical / High / Medium / Low
## Summary
| Category | Status | Issues |
|----------|--------|--------|
| Secure Storage | ✅/⚠️/❌ | X issues |
| Authentication | ✅/⚠️/❌ | X issues |
| Network Security | ✅/⚠️/❌ | X issues |
| Platform Security | ✅/⚠️/❌ | X issues |
---
## 🔴 Critical Vulnerabilities
Security issues that expose user data or enable attacks.
### [Issue Title]
**File**: `path/to/file.swift:123`
**Risk**: [What could happen if exploited]
**OWASP Category**: [If applicable]
**Vulnerable Code**:
```swift
// current insecure code
Secure Implementation:
// fixed secure code
🟠 High Priority Issues
Issues that weaken security posture.
[Same format as above]
🟡 Medium Priority Issues
Issues that should be addressed for defense in depth.
[Same format as above]
🟢 Recommendations
Security hardening suggestions.
[Same format as above]
✅ Security Strengths
What the app does well:
- [Strength 1]
- [Strength 2]
Action Plan
- [Critical] [First fix]
- [Critical] [Second fix]
- [High] [Third fix] ...
## Priority Classification
### 🔴 Critical
- Credentials stored in plain text or UserDefaults
- Disabled SSL/TLS validation
- Hardcoded secrets or API keys
- SQL injection or code injection vulnerabilities
- Missing authentication on sensitive operations
### 🟠 High
- Keychain without appropriate access controls
- Missing biometric authentication for sensitive data
- Weak cryptographic implementations
- Overly permissive entitlements
- Sensitive data in logs
### 🟡 Medium
- Missing certificate pinning
- Biometric fallback too permissive
- Data Protection class could be stronger
- Missing jailbreak/integrity detection
### 🟢 Low/Recommendations
- Additional hardening measures
- Defense in depth improvements
- Code organization for security clarity
## Quick Checks
### Insecure Storage Detection
```bash
Grep: "UserDefaults.*password|UserDefaults.*token|UserDefaults.*secret|UserDefaults.*apiKey"
Grep: "\.write\(.*credential|\.write\(.*password"
Grep: "let.*apiKey.*=.*\"|let.*secret.*=.*\""
Insecure Network Detection
Grep: "http://(?!localhost|127\.0\.0\.1)"
Grep: "AllowsArbitraryLoads.*true"
Grep: "serverTrust|URLAuthenticationChallenge.*useCredential"
Sensitive Data in Logs
Grep: "print\(.*password|print\(.*token|NSLog.*credential"
Grep: "Logger.*password|os_log.*secret"
References
- secure-storage.md - Keychain, Data Protection, Secure Enclave
- biometric-auth.md - Face ID, Touch ID, LAContext
- network-security.md - ATS, certificate pinning, TLS
- platform-specifics.md - iOS vs macOS vs watchOS
External Resources
- Apple Security Documentation
- OWASP Mobile Security
- Apple Keychain Services
- App Transport Security
Related Skills
rshankras/run-device
development
VerifiedTrustedCommunity
Build, install, and launch an iOS app on a physical iPhone or iPad entirely from the command line (no Xcode GUI), using xcodebuild + devicectl. Use when the user wants to run, test, or screenshot their app on a real device without opening Xcode.
385SKILL.mdUpdated Jun 4, 2026
rshankras/ios-development
development
VerifiedTrustedCommunity
Comprehensive iOS development guidance including Swift best practices, SwiftUI patterns, UI/UX review against HIG, and app planning. Use for iOS code review, best practices, accessibility audits, or planning new iOS apps.
385SKILL.mdUpdated Apr 11, 2026
rshankras/run-simulator
development
VerifiedTrustedCommunity
Build, install, launch, and screenshot an iOS app in the Simulator to verify a change visually. Use when the user wants to run the app, see a change live, screenshot the running app, or confirm a UI fix actually works (not just that it compiles).
381SKILL.mdUpdated Jun 3, 2026
rshankras/skill-auditor
development
VerifiedTrustedCommunity
Audits skills in this repo for consistency, API drift, and structural gaps. Produces a prioritized report grouped by severity (Critical/High/Medium/Low). Use when asked to "audit skills", "check the skill repo for drift", or when planning bulk skill cleanup. Read-only — does not apply fixes.
196SKILL.mdUpdated Apr 20, 2026