security

Use this skill when the user:

• Asks for "security review" or "security audit"
• Wants to implement "secure storage" or "Keychain"
• Needs "Face ID", "Touch ID", or "biometric authentication"
• Asks about "certificate pinning" or "network security"
• Mentions "Data Protection" or "encryption"
• Wants to store "sensitive data", "credentials", or "tokens"
• Asks about "Secure Enclave" or hardware security

Phase 1: Project Discovery

Identify the app's security surface:

```bash

# Find security-related code

Grep: "SecItem|Keychain|kSecClass"

Grep: "LAContext|biometryType|evaluatePolicy"

Grep: "URLSession|ATS|NSAppTransportSecurity"

Grep: "CryptoKit|SecKey|CC_SHA"

```

Determine:

• Platform (iOS, macOS, watchOS, or multi-platform)
• Sensitive data types (credentials, health data, financial, PII)
• Authentication methods in use
• Network communication patterns

Phase 2: Secure Storage Review

Load and apply: secure-storage.md

Key areas:

• Keychain usage patterns
• Data Protection classes
• Secure Enclave for keys
• Avoiding insecure storage (UserDefaults, files)

Phase 3: Authentication Review

Load and apply: biometric-auth.md

Key areas:

• Face ID / Touch ID implementation
• Fallback mechanisms
• LAContext configuration
• Keychain integration with biometrics

Phase 4: Network Security Review

Load and apply: network-security.md

Key areas:

• App Transport Security configuration
• Certificate pinning
• TLS best practices
• Secure API communication

Phase 5: Platform-Specific Review

Load and apply: platform-specifics.md

Key areas:

• iOS: Data Protection, App Groups, Keychain sharing
• macOS: Sandbox, Hardened Runtime, Keychain access
• watchOS: Health data, Watch Connectivity security

Present findings in this structure:

```markdown

# Security Review: [App Name]

Platform: iOS / macOS / watchOS / Universal

Review Date: [Date]

Risk Level: Critical / High / Medium / Low

| Category | Status | Issues |

|----------|--------|--------|

| Secure Storage | ✅/⚠️/❌ | X issues |

| Authentication | ✅/⚠️/❌ | X issues |

| Network Security | ✅/⚠️/❌ | X issues |

| Platform Security | ✅/⚠️/❌ | X issues |

---

Security issues that expose user data or enable attacks.

[Issue Title]

File: path/to/file.swift:123

Risk: [What could happen if exploited]

OWASP Category: [If applicable]

Vulnerable Code:

```swift

// current insecure code

```

Secure Implementation:

```swift

// fixed secure code

```

---

Issues that weaken security posture.

[Same format as above]

---

Issues that should be addressed for defense in depth.

[Same format as above]

---

Security hardening suggestions.

[Same format as above]

---

What the app does well:

• [Strength 1]
• [Strength 2]

---

1. [Critical] [First fix]
2. [Critical] [Second fix]
3. [High] [Third fix]

...

```

🔴 Critical

• Credentials stored in plain text or UserDefaults
• Disabled SSL/TLS validation
• Hardcoded secrets or API keys
• SQL injection or code injection vulnerabilities
• Missing authentication on sensitive operations

🟠 High

• Keychain without appropriate access controls
• Missing biometric authentication for sensitive data
• Weak cryptographic implementations
• Overly permissive entitlements
• Sensitive data in logs

🟡 Medium

• Missing certificate pinning
• Biometric fallback too permissive
• Data Protection class could be stronger
• Missing jailbreak/integrity detection

🟢 Low/Recommendations

• Additional hardening measures
• Defense in depth improvements
• Code organization for security clarity

Insecure Storage Detection

```bash

Grep: "UserDefaults.password|UserDefaults.token|UserDefaults.secret|UserDefaults.apiKey"

Grep: "\.write\(.credential|\.write\(.password"

Grep: "let.apiKey.=.\"|let.secret.=.\""

```

Insecure Network Detection

```bash

Grep: "http://(?!localhost|127\.0\.0\.1)"

Grep: "AllowsArbitraryLoads.*true"

Grep: "serverTrust|URLAuthenticationChallenge.*useCredential"

```

Sensitive Data in Logs

```bash

Grep: "print\(.password|print\(.token|NSLog.*credential"

Grep: "Logger.password|os_log.secret"

```

• secure-storage.md - Keychain, Data Protection, Secure Enclave
• biometric-auth.md - Face ID, Touch ID, LAContext
• network-security.md - ATS, certificate pinning, TLS
• platform-specifics.md - iOS vs macOS vs watchOS

• [Apple Security Documentation](https://developer.apple.com/documentation/security)
• [OWASP Mobile Security](https://owasp.org/www-project-mobile-security/)
• [Apple Keychain Services](https://developer.apple.com/documentation/security/keychain_services)
• [App Transport Security](https://developer.apple.com/documentation/bundleresources/information_property_list/nsapptransportsecurity)