--- name: security description: Security review and guidance for iOS, macOS, and watchOS apps. Covers secure storage, biometric authentication, network security, and platform-specific patterns. Use when implementing security features or reviewing code for vulnerabilities. allowed-tools: [Read, Glob, Grep] --- # Security Review for Apple Platforms Comprehensive security guidance for iOS, macOS, and watchOS applications. Reviews code for vulnerabilities and provides secure implementation patterns. ## When This Skill Activates Use this skill when the user: - Asks for "security review" or "security audit" - Wants to implement "secure storage" or "Keychain" - Needs "Face ID", "Touch ID", or "biometric authentication" - Asks about "certificate pinning" or "network security" - Mentions "Data Protection" or "encryption" - Wants to store "sensitive data", "credentials", or "tokens" - Asks about "Secure Enclave" or hardware security ## Review Process ### Phase 1: Project Discovery Identify the app's security surface: ```bash # Find security-related code Grep: "SecItem|Keychain|kSecClass" Grep: "LAContext|biometryType|evaluatePolicy" Grep: "URLSession|ATS|NSAppTransportSecurity" Grep: "CryptoKit|SecKey|CC_SHA" ``` Determine: - Platform (iOS, macOS, watchOS, or multi-platform) - Sensitive data types (credentials, health data, financial, PII) - Authentication methods in use - Network communication patterns ### Phase 2: Secure Storage Review Load and apply: **secure-storage.md** Key areas: - Keychain usage patterns - Data Protection classes - Secure Enclave for keys - Avoiding insecure storage (UserDefaults, files) ### Phase 3: Authentication Review Load and apply: **biometric-auth.md** Key areas: - Face ID / Touch ID implementation - Fallback mechanisms - LAContext configuration - Keychain integration with biometrics ### Phase 4: Network Security Review Load and apply: **network-security.md** Key areas: - App Transport Security configuration - Certificate pinning - TLS best practices - Secure API communication ### Phase 5: Platform-Specific Review Load and apply: **platform-specifics.md** Key areas: - iOS: Data Protection, App Groups, Keychain sharing - macOS: Sandbox, Hardened Runtime, Keychain access - watchOS: Health data, Watch Connectivity security ## Output Format Present findings in this structure: ```markdown # Security Review: [App Name] **Platform**: iOS / macOS / watchOS / Universal **Review Date**: [Date] **Risk Level**: Critical / High / Medium / Low ## Summary | Category | Status | Issues | |----------|--------|--------| | Secure Storage | ✅/⚠️/❌ | X issues | | Authentication | ✅/⚠️/❌ | X issues | | Network Security | ✅/⚠️/❌ | X issues | | Platform Security | ✅/⚠️/❌ | X issues | --- ## 🔴 Critical Vulnerabilities Security issues that expose user data or enable attacks. ### [Issue Title] **File**: `path/to/file.swift:123` **Risk**: [What could happen if exploited] **OWASP Category**: [If applicable] **Vulnerable Code**: ```swift // current insecure code ``` **Secure Implementation**: ```swift // fixed secure code ``` --- ## 🟠 High Priority Issues Issues that weaken security posture. [Same format as above] --- ## 🟡 Medium Priority Issues Issues that should be addressed for defense in depth. [Same format as above] --- ## 🟢 Recommendations Security hardening suggestions. [Same format as above] --- ## ✅ Security Strengths What the app does well: - [Strength 1] - [Strength 2] --- ## Action Plan 1. **[Critical]** [First fix] 2. **[Critical]** [Second fix] 3. **[High]** [Third fix] ... ``` ## Priority Classification ### 🔴 Critical - Credentials stored in plain text or UserDefaults - Disabled SSL/TLS validation - Hardcoded secrets or API keys - SQL injection or code injection vulnerabilities - Missing authentication on sensitive operations ### 🟠 High - Keychain without appropriate access controls - Missing biometric authentication for sensitive data - Weak cryptographic implementations - Overly permissive entitlements - Sensitive data in logs ### 🟡 Medium - Missing certificate pinning - Biometric fallback too permissive - Data Protection class could be stronger - Missing jailbreak/integrity detection ### 🟢 Low/Recommendations - Additional hardening measures - Defense in depth improvements - Code organization for security clarity ## Quick Checks ### Insecure Storage Detection ```bash Grep: "UserDefaults.*password|UserDefaults.*token|UserDefaults.*secret|UserDefaults.*apiKey" Grep: "\.write\(.*credential|\.write\(.*password" Grep: "let.*apiKey.*=.*\"|let.*secret.*=.*\"" ``` ### Insecure Network Detection ```bash Grep: "http://(?!localhost|127\.0\.0\.1)" Grep: "AllowsArbitraryLoads.*true" Grep: "serverTrust|URLAuthenticationChallenge.*useCredential" ``` ### Sensitive Data in Logs ```bash Grep: "print\(.*password|print\(.*token|NSLog.*credential" Grep: "Logger.*password|os_log.*secret" ``` ## References - **secure-storage.md** - Keychain, Data Protection, Secure Enclave - **biometric-auth.md** - Face ID, Touch ID, LAContext - **network-security.md** - ATS, certificate pinning, TLS - **platform-specifics.md** - iOS vs macOS vs watchOS ## External Resources - [Apple Security Documentation](https://developer.apple.com/documentation/security) - [OWASP Mobile Security](https://owasp.org/www-project-mobile-security/) - [Apple Keychain Services](https://developer.apple.com/documentation/security/keychain_services) - [App Transport Security](https://developer.apple.com/documentation/bundleresources/information_property_list/nsapptransportsecurity)