Babysitter mobile-security
Mobile application security skill for implementing OWASP MASVS compliance, secure storage, certificate pinning, biometric authentication, and security hardening across iOS and Android platforms.
install
source · Clone the upstream repo
git clone https://github.com/a5c-ai/babysitter
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/a5c-ai/babysitter "$T" && mkdir -p ~/.claude/skills && cp -r "$T/library/specializations/mobile-development/skills/mobile-security" ~/.claude/skills/a5c-ai-babysitter-mobile-security && rm -rf "$T"
manifest:
library/specializations/mobile-development/skills/mobile-security/SKILL.mdtags
source content
Mobile Security Skill
Comprehensive mobile application security implementation for iOS and Android platforms, covering OWASP Mobile Security guidelines, secure storage, authentication, and security hardening.
Overview
This skill provides capabilities for implementing mobile security best practices, including secure data storage, network security, authentication mechanisms, and compliance with OWASP Mobile Application Security Verification Standard (MASVS).
Capabilities
Secure Storage Implementation
- Configure iOS Keychain Services for sensitive data
- Set up Android Keystore for cryptographic operations
- Implement encrypted SharedPreferences/UserDefaults
- Manage secure key generation and storage
- Handle secure credential management
Certificate Pinning
- Implement TrustKit for iOS certificate pinning
- Configure OkHttp CertificatePinner for Android
- Set up Network Security Config (Android)
- Configure App Transport Security (iOS)
- Validate and rotate pinned certificates
Biometric Authentication
- Implement Face ID and Touch ID for iOS
- Configure Fingerprint/BiometricPrompt for Android
- Handle fallback authentication mechanisms
- Manage biometric enrollment states
- Secure biometric-protected keychain/keystore items
Security Hardening
- Implement jailbreak/root detection
- Configure code obfuscation (ProGuard/R8, Swiftshield)
- Set up anti-tampering mechanisms
- Implement runtime integrity checks
- Configure secure debugging settings
OWASP MASVS Compliance
- Audit against MASVS Level 1 and Level 2
- Generate compliance checklists
- Identify security vulnerabilities
- Recommend remediation strategies
- Document security controls
Prerequisites
iOS Development
# TrustKit for certificate pinning pod 'TrustKit' # Keychain wrapper pod 'KeychainAccess'
Android Development
// build.gradle dependencies { implementation 'androidx.security:security-crypto:1.1.0-alpha06' implementation 'androidx.biometric:biometric:1.1.0' }
Security Tools
# OWASP Mobile Security Testing Guide tools pip install objection brew install frida-tools
Usage Patterns
iOS Keychain Storage
import Security class KeychainManager { static func save(key: String, data: Data) -> Bool { let query: [String: Any] = [ kSecClass as String: kSecClassGenericPassword, kSecAttrAccount as String: key, kSecValueData as String: data, kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly ] SecItemDelete(query as CFDictionary) let status = SecItemAdd(query as CFDictionary, nil) return status == errSecSuccess } static func load(key: String) -> Data? { let query: [String: Any] = [ kSecClass as String: kSecClassGenericPassword, kSecAttrAccount as String: key, kSecReturnData as String: true, kSecMatchLimit as String: kSecMatchLimitOne ] var result: AnyObject? let status = SecItemCopyMatching(query as CFDictionary, &result) return status == errSecSuccess ? result as? Data : nil } }
Android EncryptedSharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences import androidx.security.crypto.MasterKey class SecureStorage(context: Context) { private val masterKey = MasterKey.Builder(context) .setKeyScheme(MasterKey.KeyScheme.AES256_GCM) .build() private val sharedPreferences = EncryptedSharedPreferences.create( context, "secure_prefs", masterKey, EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV, EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM ) fun saveToken(token: String) { sharedPreferences.edit().putString("auth_token", token).apply() } fun getToken(): String? { return sharedPreferences.getString("auth_token", null) } }
Certificate Pinning (iOS - TrustKit)
import TrustKit class NetworkSecurityManager { static func configurePinning() { let trustKitConfig: [String: Any] = [ kTSKSwizzleNetworkDelegates: false, kTSKPinnedDomains: [ "api.example.com": [ kTSKEnforcePinning: true, kTSKIncludeSubdomains: true, kTSKExpirationDate: "2027-01-01", kTSKPublicKeyHashes: [ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=" ] ] ] ] TrustKit.initSharedInstance(withConfiguration: trustKitConfig) } }
Certificate Pinning (Android - OkHttp)
import okhttp3.CertificatePinner import okhttp3.OkHttpClient val certificatePinner = CertificatePinner.Builder() .add("api.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") .add("api.example.com", "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=") .build() val client = OkHttpClient.Builder() .certificatePinner(certificatePinner) .build()
Biometric Authentication (iOS)
import LocalAuthentication class BiometricAuth { func authenticate(completion: @escaping (Bool, Error?) -> Void) { let context = LAContext() var error: NSError? if context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) { context.evaluatePolicy( .deviceOwnerAuthenticationWithBiometrics, localizedReason: "Authenticate to access secure data" ) { success, error in DispatchQueue.main.async { completion(success, error) } } } else { completion(false, error) } } }
Biometric Authentication (Android)
import androidx.biometric.BiometricPrompt import androidx.fragment.app.FragmentActivity class BiometricAuth(private val activity: FragmentActivity) { fun authenticate(onSuccess: () -> Unit, onError: (String) -> Unit) { val executor = ContextCompat.getMainExecutor(activity) val biometricPrompt = BiometricPrompt(activity, executor, object : BiometricPrompt.AuthenticationCallback() { override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) { onSuccess() } override fun onAuthenticationError(errorCode: Int, errString: CharSequence) { onError(errString.toString()) } }) val promptInfo = BiometricPrompt.PromptInfo.Builder() .setTitle("Biometric Authentication") .setSubtitle("Authenticate to access secure data") .setNegativeButtonText("Cancel") .build() biometricPrompt.authenticate(promptInfo) } }
Integration with Babysitter SDK
Task Definition Example
const mobileSecurityTask = defineTask({ name: 'mobile-security-implementation', description: 'Implement mobile security controls', inputs: { platform: { type: 'string', required: true, enum: ['ios', 'android', 'both'] }, securityLevel: { type: 'string', required: true, enum: ['L1', 'L2'] }, features: { type: 'array', items: { type: 'string' } }, projectPath: { type: 'string', required: true } }, outputs: { implementedControls: { type: 'array' }, complianceReport: { type: 'object' }, securityAuditPath: { type: 'string' } }, async run(inputs, taskCtx) { return { kind: 'skill', title: `Implement ${inputs.securityLevel} security for ${inputs.platform}`, skill: { name: 'mobile-security', context: { operation: 'implement_security', platform: inputs.platform, securityLevel: inputs.securityLevel, features: inputs.features, projectPath: inputs.projectPath } }, io: { inputJsonPath: `tasks/${taskCtx.effectId}/input.json`, outputJsonPath: `tasks/${taskCtx.effectId}/result.json` } }; } });
MCP Server Integration
Using owasp-mobile-security-checker
{ "mcpServers": { "owasp-mobile": { "command": "npx", "args": ["owasp-mobile-security-checker"], "env": { "PROJECT_PATH": "/path/to/mobile/project" } } } }
Available MCP Tools
- Scan iOS project for OWASP vulnerabilitiesowasp_scan_ios
- Scan Android project for OWASP vulnerabilitiesowasp_scan_android
- Validate iOS Keychain implementationcheck_keychain_usage
- Validate Android Keystore implementationcheck_keystore_usage
- Check certificate pinning configurationvalidate_certificate_pinning
- Audit biometric authentication implementationaudit_biometric_auth
OWASP MASVS Checklist
Storage (MASVS-STORAGE)
- Sensitive data not stored in plaintext
- Sensitive data not in app logs
- Sensitive data not shared with third parties
- Keyboard cache disabled for sensitive inputs
- Clipboard disabled for sensitive data
- Sensitive data excluded from backups
Cryptography (MASVS-CRYPTO)
- Strong cryptographic algorithms used
- Cryptographic keys properly managed
- Random number generation secure
- No deprecated crypto functions
Authentication (MASVS-AUTH)
- Biometric authentication properly implemented
- Session management secure
- Password policies enforced
- Multi-factor authentication available
Network (MASVS-NETWORK)
- TLS used for all connections
- Certificate pinning implemented
- Certificate validation not bypassed
- ATS/Network Security Config properly configured
Platform (MASVS-PLATFORM)
- WebView properly configured
- Deep links validated
- IPC mechanisms secured
- Screenshots prevented for sensitive screens
Code Quality (MASVS-CODE)
- Code obfuscation enabled
- Debugging disabled in release
- Root/jailbreak detection implemented
- Anti-tampering measures in place
Best Practices
- Defense in Depth: Layer multiple security controls
- Secure by Default: Default to most secure configuration
- Least Privilege: Request only necessary permissions
- Data Minimization: Store only essential sensitive data
- Regular Audits: Continuously assess security posture
- Key Rotation: Implement certificate and key rotation plans