Mobile Security Skill

Comprehensive mobile application security implementation for iOS and Android platforms, covering OWASP Mobile Security guidelines, secure storage, authentication, and security hardening.

Overview

This skill provides capabilities for implementing mobile security best practices, including secure data storage, network security, authentication mechanisms, and compliance with OWASP Mobile Application Security Verification Standard (MASVS).

Capabilities

Secure Storage Implementation

• Configure iOS Keychain Services for sensitive data
• Set up Android Keystore for cryptographic operations
• Implement encrypted SharedPreferences/UserDefaults
• Manage secure key generation and storage
• Handle secure credential management

Certificate Pinning

• Implement TrustKit for iOS certificate pinning
• Configure OkHttp CertificatePinner for Android
• Set up Network Security Config (Android)
• Configure App Transport Security (iOS)
• Validate and rotate pinned certificates

Biometric Authentication

• Implement Face ID and Touch ID for iOS
• Configure Fingerprint/BiometricPrompt for Android
• Handle fallback authentication mechanisms
• Manage biometric enrollment states
• Secure biometric-protected keychain/keystore items

Security Hardening

• Implement jailbreak/root detection
• Configure code obfuscation (ProGuard/R8, Swiftshield)
• Set up anti-tampering mechanisms
• Implement runtime integrity checks
• Configure secure debugging settings

OWASP MASVS Compliance

• Audit against MASVS Level 1 and Level 2
• Generate compliance checklists
• Identify security vulnerabilities
• Recommend remediation strategies
• Document security controls

Prerequisites

iOS Development

# TrustKit for certificate pinning
pod 'TrustKit'

# Keychain wrapper
pod 'KeychainAccess'

Android Development

// build.gradle
dependencies {
    implementation 'androidx.security:security-crypto:1.1.0-alpha06'
    implementation 'androidx.biometric:biometric:1.1.0'
}

Security Tools

# OWASP Mobile Security Testing Guide tools
pip install objection
brew install frida-tools

Usage Patterns

iOS Keychain Storage

import Security

class KeychainManager {
    static func save(key: String, data: Data) -> Bool {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrAccount as String: key,
            kSecValueData as String: data,
            kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        ]

        SecItemDelete(query as CFDictionary)
        let status = SecItemAdd(query as CFDictionary, nil)
        return status == errSecSuccess
    }

    static func load(key: String) -> Data? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrAccount as String: key,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne
        ]

        var result: AnyObject?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        return status == errSecSuccess ? result as? Data : nil
    }
}

Android EncryptedSharedPreferences

import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

class SecureStorage(context: Context) {
    private val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()

    private val sharedPreferences = EncryptedSharedPreferences.create(
        context,
        "secure_prefs",
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

    fun saveToken(token: String) {
        sharedPreferences.edit().putString("auth_token", token).apply()
    }

    fun getToken(): String? {
        return sharedPreferences.getString("auth_token", null)
    }
}

Certificate Pinning (iOS - TrustKit)

import TrustKit

class NetworkSecurityManager {
    static func configurePinning() {
        let trustKitConfig: [String: Any] = [
            kTSKSwizzleNetworkDelegates: false,
            kTSKPinnedDomains: [
                "api.example.com": [
                    kTSKEnforcePinning: true,
                    kTSKIncludeSubdomains: true,
                    kTSKExpirationDate: "2027-01-01",
                    kTSKPublicKeyHashes: [
                        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
                        "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="
                    ]
                ]
            ]
        ]
        TrustKit.initSharedInstance(withConfiguration: trustKitConfig)
    }
}

Certificate Pinning (Android - OkHttp)

import okhttp3.CertificatePinner
import okhttp3.OkHttpClient

val certificatePinner = CertificatePinner.Builder()
    .add("api.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
    .add("api.example.com", "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=")
    .build()

val client = OkHttpClient.Builder()
    .certificatePinner(certificatePinner)
    .build()

Biometric Authentication (iOS)

import LocalAuthentication

class BiometricAuth {
    func authenticate(completion: @escaping (Bool, Error?) -> Void) {
        let context = LAContext()
        var error: NSError?

        if context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) {
            context.evaluatePolicy(
                .deviceOwnerAuthenticationWithBiometrics,
                localizedReason: "Authenticate to access secure data"
            ) { success, error in
                DispatchQueue.main.async {
                    completion(success, error)
                }
            }
        } else {
            completion(false, error)
        }
    }
}

Biometric Authentication (Android)

import androidx.biometric.BiometricPrompt
import androidx.fragment.app.FragmentActivity

class BiometricAuth(private val activity: FragmentActivity) {
    fun authenticate(onSuccess: () -> Unit, onError: (String) -> Unit) {
        val executor = ContextCompat.getMainExecutor(activity)

        val biometricPrompt = BiometricPrompt(activity, executor,
            object : BiometricPrompt.AuthenticationCallback() {
                override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                    onSuccess()
                }

                override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                    onError(errString.toString())
                }
            })

        val promptInfo = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Biometric Authentication")
            .setSubtitle("Authenticate to access secure data")
            .setNegativeButtonText("Cancel")
            .build()

        biometricPrompt.authenticate(promptInfo)
    }
}

Integration with Babysitter SDK

Task Definition Example

const mobileSecurityTask = defineTask({
  name: 'mobile-security-implementation',
  description: 'Implement mobile security controls',

  inputs: {
    platform: { type: 'string', required: true, enum: ['ios', 'android', 'both'] },
    securityLevel: { type: 'string', required: true, enum: ['L1', 'L2'] },
    features: { type: 'array', items: { type: 'string' } },
    projectPath: { type: 'string', required: true }
  },

  outputs: {
    implementedControls: { type: 'array' },
    complianceReport: { type: 'object' },
    securityAuditPath: { type: 'string' }
  },

  async run(inputs, taskCtx) {
    return {
      kind: 'skill',
      title: `Implement ${inputs.securityLevel} security for ${inputs.platform}`,
      skill: {
        name: 'mobile-security',
        context: {
          operation: 'implement_security',