iOS Security Auditor
Install: npx machina-cli add skill gygantskiyMatilyock/ios-developer-agents/ios-security-auditor --openclaw
Use this skill to perform comprehensive security audits of iOS applications against OWASP Mobile Top 10 2024 and Apple security best practices.
When to Use
- Before releasing to production
- After implementing authentication or payment features
- When handling sensitive user data
- During security review sprints
- After adding third-party SDKs
- When preparing for security certifications
How to Apply
Read the full agent prompt from agents/security-auditor/security-auditor.md in the ios-developer-agents repository.
Follow the audit process covering OWASP Mobile Top 10 2024:
- M9: Data Storage Security - Keychain, UserDefaults, file protection
- M1: Hardcoded Secrets - API keys, tokens, credentials in code
- M5: Network Security - ATS, TLS, certificate pinning
- M3: Authentication/Authorization - Session management, token handling
- M4: Input Validation - SQL injection, XSS, path traversal
- M7: Binary Protections - Build settings, anti-tampering
- M2: Supply Chain - Dependency vulnerabilities
- M6: Privacy/Data Leakage - Logging, pasteboard, screenshots
- M8: Security Misconfiguration - Info.plist, entitlements, WebViews
Output Format
Provide structured findings with:
- OWASP Mobile Top 10 2024 coverage table
- Critical vulnerabilities (immediate action)
- High/Medium/Low risk issues
- Hardcoded secrets scan results
- Data storage audit
- Network security checklist
- Third-party dependencies review
Source
https://github.com/gygantskiyMatilyock/ios-developer-agents/blob/master/.claude/skills/ios-security-auditor/SKILL.md (SKILL.md in the ios-developer-agents repository)
Overview
Performs comprehensive security audits of iOS apps against OWASP Mobile Top 10 2024 and Apple security best practices. The process identifies vulnerabilities and provides actionable remediation guidance. It’s particularly valuable when handling authentication, payments, or sensitive user data.
How This Skill Works
Follows a predefined audit workflow that maps findings to OWASP Mobile Top 10 2024 controls (M9, M1, M5, M3, M4, M7, M2, M6, M8) and Apple security best practices. The results include a coverage table, risk ratings, hardcoded secrets scan, data storage audit, network security checks, and a third-party dependencies review.
Quick Start
- Step 1: Define scope and map it to the OWASP Mobile Top 10 2024 controls covered by the audit (M9, M1, M5, M3, M4, M7, M2, M6, M8).
- Step 2: Run the audit workflow, capture findings in the required Output Format (coverage table, severity, data storage, network, dependencies).
- Step 3: Deliver prioritized remediation guidance and validate fixes in a follow-up review.
Best Practices
- Align audits with OWASP Mobile Top 10 2024 controls and Apple best practices
- Prioritize critical areas: data storage security, hardcoded secrets, network security, authentication/authorization, and input validation
- Include data storage and privacy checks (Keychain, UserDefaults, logs, pasteboard) and misconfigurations in Info.plist/entitlements
- Incorporate a hardcoded secrets scan and a third-party dependencies review across the supply chain
- Deliver actionable remediation guidance with risk ratings and owner assignments
Example Use Cases
- Audit a fintech login flow to verify secure session handling and token management (M3, M9)
- Review a mobile game’s API keys and third-party SDKs for hardcoded secrets and supply chain risks (M1, M2)
- Validate ATS, TLS, and certificate pinning for a health app’s network calls (M5)
- Assess data leakage through logs, crash reports, pasteboard, and screenshot handling in a social app (M6)
- Check Info.plist, entitlements, and WebView configurations for misconfigurations (M8)