Agent-skills-standard flutter-security

Enforce OWASP Mobile security standards for Flutter apps. Use when storing data, making network calls, handling tokens/PII, or preparing a release build. (triggers: lib/infrastructure/**, pubspec.yaml, secure_storage, obfuscate, jailbreak, pinning, PII, OWASP)

install

source · Clone the upstream repo

git clone https://github.com/HoangNguyen0403/agent-skills-standard

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/HoangNguyen0403/agent-skills-standard "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/flutter/flutter-security" ~/.claude/skills/hoangnguyen0403-agent-skills-standard-flutter-security && rm -rf "$T"

manifest: skills/flutter/flutter-security/SKILL.md

source content

Mobile Security

Priority: P0 (CRITICAL)

Implementation Workflow

Store secrets securely — Use
```
flutter_secure_storage
```
for tokens/PII. Never use
```
shared_preferences
```
for sensitive data.
Externalize secrets — Never store API keys in Dart code. Use
```
--dart-define
```
or
```
.env
```
files.
Obfuscate releases — Build
```
--obfuscate --split-debug-info=./symbols
```
. Deterrent only — move sensitive logic to backend.
Pin certificates —
```
dio_certificate_pinning
```
for high-security apps to prevent MITM.
Root detection —
```
flutter_jailbreak_detection
```
for root/jailbreak checks in financial/sensitive apps.
Mask PII — Redact PII (email, phone) from all logs and analytics.

Secure Storage & Release Build Examples

See implementation examples for secure storage usage and obfuscated release build commands.

Reference & Examples

SSL Pinning & Secure Storage: references/REFERENCE.md.

Anti-Patterns

No Secrets in SharedPreferences: Use
```
flutter_secure_storage
```
for tokens and PII
No Hardcoded API Keys: Use
```
--dart-define
```
or secure vaults for all secrets
No Unobfuscated Releases: Always build with
```
--obfuscate --split-debug-info
```
No PII in Logs: Mask or omit sensitive data from all logs and analytics events