Claude Code Plugins

Community-maintained marketplace

Feedback

owasp-mobile-security-checker

@Harishwarrior/flutter-claude-skills
2
0

Analyze Flutter and mobile applications for OWASP Mobile Top 10 (2024) security compliance. Use this skill when performing security audits, vulnerability assessments, or compliance checks on mobile applications. Performs automated scans for hardcoded secrets, insecure storage, weak cryptography, network security issues, and provides detailed remediation guidance.

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name owasp-mobile-security-checker
description Analyze Flutter and mobile applications for OWASP Mobile Top 10 (2024) security compliance. Use this skill when performing security audits, vulnerability assessments, or compliance checks on mobile applications. Performs automated scans for hardcoded secrets, insecure storage, weak cryptography, network security issues, and provides detailed remediation guidance.

OWASP Mobile Security Checker

Comprehensive security analysis tool for Flutter and mobile applications based on the OWASP Mobile Top 10 (2024) guidelines.

Overview

This skill enables thorough security auditing of Flutter mobile applications by identifying vulnerabilities across all ten OWASP Mobile Top 10 risk categories. It combines automated scanning scripts with manual analysis guidelines to provide comprehensive security assessments and actionable remediation plans.

Core Capabilities

1. Automated Vulnerability Scanning

Run Python-based scanners to detect common security issues:

M1 - Hardcoded Secrets Scanner**

python3 scripts/scan_hardcoded_secrets.py /path/to/project

Detects API keys, tokens, passwords, AWS credentials, Firebase keys, and other hardcoded secrets in Dart code and configuration files.

M2 - Dependency Security Checker**

python3 scripts/check_dependencies.py /path/to/project

Analyzes pubspec.yaml for outdated packages, insecure version constraints (any), and known vulnerabilities.

M5 - Network Security Validator**

python3 scripts/check_network_security.py /path/to/project

Checks for HTTP vs HTTPS usage, certificate pinning, Android Network Security Config, and iOS App Transport Security settings.

M9 - Storage Security Analyzer**

python3 scripts/analyze_storage_security.py /path/to/project

Identifies unencrypted SharedPreferences usage, plaintext file storage, unencrypted databases, and insecure backup configurations.

2. Manual Security Analysis

For risks requiring code review and architectural assessment:

  • M3 (Authentication/Authorization): Evaluate token management, MFA, biometrics, and session handling
  • M4 (Input/Output Validation): Check input sanitization, parameterized queries, and injection prevention
  • M6 (Privacy Controls): Review permissions, PII handling, consent mechanisms, and data minimization
  • M7 (Binary Protections): Verify obfuscation, root detection, and anti-debugging measures
  • M8 (Security Misconfiguration): Inspect debug flags, logging, and platform configurations
  • M10 (Cryptography): Validate algorithm choices, key management, and encryption modes

3. Comprehensive Security Reports

Generate detailed reports with:

  • Severity-based prioritization (CRITICAL → HIGH → MEDIUM → LOW)
  • Flutter-specific code examples (insecure vs secure patterns)
  • Actionable remediation steps with implementation guidance
  • OWASP Mobile Top 10 risk categorization

Workflow Decision Tree

Start here to determine your approach:

Is this a comprehensive security audit?
├─ YES → Run all 4 automated scanners → Review results → Perform manual analysis → Generate report
└─ NO → Continue...

Is this for a specific OWASP risk category?
├─ M1 (Credentials) → Run scan_hardcoded_secrets.py → Review findings
├─ M2 (Dependencies) → Run check_dependencies.py → Update packages
├─ M5 (Network) → Run check_network_security.py → Implement certificate pinning
├─ M9 (Storage) → Run analyze_storage_security.py → Use encrypted storage
└─ Other (M3/M4/M6/M7/M8/M10) → Load reference docs → Perform manual analysis

Is this a quick security check before release?
└─ YES → Run all automated scanners → Focus on CRITICAL/HIGH findings → Fix blockers

Quick Start: Comprehensive Audit

Perform a complete OWASP security audit:

  1. Run automated scans (from project root):

    python3 .claude/skills/owasp-mobile-security-checker/scripts/scan_hardcoded_secrets.py .
python3 .claude/skills/owasp-mobile-security-checker/scripts/check_dependencies.py .
python3 .claude/skills/owasp-mobile-security-checker/scripts/analyze_storage_security.py .
python3 .claude/skills/owasp-mobile-security-checker/scripts/check_network_security.py .

  2. Review JSON outputs:

    • owasp_m1_secrets_scan.json
    • owasp_m2_dependencies_scan.json
    • owasp_m5_network_scan.json
    • owasp_m9_storage_scan.json

  3. Prioritize by severity: Address CRITICAL and HIGH findings first

  4. Load reference documentation for detailed information:

    Read references/owasp_mobile_top_10_2024.md

  5. Perform manual analysis for remaining risks (M3, M4, M6, M7, M8, M10)

  6. Generate remediation plan with code examples and timeline

Manual Analysis Guidelines

M3: Authentication & Authorization

What to check:

  • Token storage using flutter_secure_storage (not SharedPreferences)
  • Token expiration and refresh mechanisms
  • Multi-factor authentication implementation
  • Server-side authorization enforcement

Code patterns to find:

// Search for: SharedPreferences + setString with 'token', 'auth', 'password'
// Flag: Plaintext credential storage

// Verify: FlutterSecureStorage usage for sensitive data
// Check: Token expiration logic exists

M4: Input/Output Validation

What to check:

  • Input validation on all user inputs (forms, URLs, file paths)
  • Parameterized database queries (no string interpolation)
  • Output encoding in WebViews
  • API response validation

Code patterns to find:

// Search for: rawQuery, rawInsert with string interpolation ($)
// Flag: SQL injection vulnerability

// Search for: WebView without proper sanitization
// Flag: XSS vulnerability

M6: Privacy Controls

What to check:

  • Minimal permission requests (only necessary)
  • No PII in analytics events or logs
  • Consent mechanisms for data collection
  • Proper anonymization/pseudonymization

Code patterns to find:

// Search for: FirebaseAnalytics.logEvent with email, phone, name
// Flag: PII in analytics

// Search for: print(), log() with user data
// Flag: PII in logs

M7: Binary Protections

What to verify:

# Check build commands use obfuscation:
flutter build apk --release --obfuscate --split-debug-info=./debug-info

# Search for root detection packages:
grep -r "flutter_jailbreak_detection" pubspec.yaml
grep -r "root_detector" pubspec.yaml

# Verify debug mode checks:
grep -r "kDebugMode" lib/

M8: Security Misconfiguration

What to check:

  • Debug flags disabled in production
  • Logging levels appropriate for release
  • Minimal platform permissions in manifests
  • No development endpoints in production code

Code patterns to find:

// Flag: Debug code that executes in release builds
if (kDebugMode) { print("..."); } // This compiles in release!

// Preferred: assert(() { debugPrint("..."); return true; }());

M10: Cryptography

What to check:

  • Strong algorithms (AES-256 GCM, not MD5/SHA1)
  • Secure key storage (Keystore/Keychain, not hardcoded)
  • Proper encryption modes (GCM, not ECB)
  • Cryptographically secure RNG (Random.secure())

Code patterns to find:

// Search for: md5, sha1, des (weak algorithms)
// Search for: AESMode.ecb (insecure mode)
// Search for: 'encryption_key', 'secret_key' (hardcoded keys)

Understanding Scan Results

Severity Levels

  • CRITICAL: Immediate security risk requiring urgent action

    • Examples: Disabled certificate validation, exposed production credentials
    • Action: Fix immediately, do not release

  • HIGH: Significant vulnerability requiring prompt remediation

    • Examples: Hardcoded API keys, unencrypted sensitive storage
    • Action: Fix before release

  • MEDIUM: Security concern that should be addressed

    • Examples: Missing certificate pinning, outdated dependencies
    • Action: Plan remediation, fix in next sprint

  • LOW: Best practice or minor improvement

    • Examples: Verbose logging, local networking allowed
    • Action: Address as time permits

Common False Positives

Be aware of legitimate cases that may trigger findings:

  • M1: Test/example API keys, environment placeholders (YOUR_API_KEY)
  • M5: HTTP for localhost/127.0.0.1 during development
  • M9: Non-sensitive data in SharedPreferences (user preferences)
  • M2: Development dependencies (linters, test tools)

Always verify findings in context before flagging as vulnerabilities.

Reference Documentation

The references/owasp_mobile_top_10_2024.md file provides:

  • Detailed explanations of each OWASP Mobile Top 10 risk
  • Real-world attack scenarios and examples
  • Flutter-specific vulnerability patterns
  • Complete mitigation strategies
  • Secure vs insecure code examples
  • Platform-specific considerations (Android/iOS)

When to load this reference:

  • Need deep understanding of a specific risk category
  • Creating detailed remediation documentation
  • Explaining vulnerabilities to stakeholders
  • Looking for Flutter-specific code patterns
  • Researching platform-specific security configurations

Example: Targeted Security Fix

Scenario: Found HIGH severity finding for hardcoded API key

  1. Locate the issue:

    File: lib/services/api_client.dart:15
Issue: Hardcoded API key
Code: const String apiKey = "sk_live_ABC123...";

  2. Understand the risk: Load references/owasp_mobile_top_10_2024.md and review M1 section

  3. Implement fix:

    // Before (INSECURE):
const String apiKey = "sk_live_ABC123...";

// After (SECURE):
final secureStorage = FlutterSecureStorage();
String? apiKey = await secureStorage.read(key: 'api_key');
// Key injected at build time or fetched from secure backend

  4. Verify fix: Re-run scan_hardcoded_secrets.py to confirm issue resolved

  5. Document: Update security review with remediation details

Best Practices

For Development Teams:

  • Run automated scans in CI/CD pipeline on every PR
  • Establish security gates (no CRITICAL findings in production)
  • Conduct quarterly comprehensive security audits
  • Maintain security backlog and track remediation

For Security Auditors:

  • Combine automated scans with manual code review
  • Test fixes to ensure they don't break functionality
  • Document security exceptions with business justification
  • Provide training on secure coding practices

For All Users:

  • Keep scan scripts updated with latest patterns
  • Share findings and recommendations with team
  • Integrate security early in development cycle
  • Treat OWASP compliance as ongoing, not one-time

Integration Points

Recommended workflow integration:

  • Pre-commit: Lightweight secret scanning
  • Pull Requests: Automated scans with security report comment
  • Release Builds: Comprehensive audit including manual analysis
  • Production: Continuous monitoring and periodic reviews
  • Incident Response: Targeted scans when vulnerabilities reported

Additional Resources

This skill references authoritative sources:

  • OWASP Mobile Top 10 Project (2024)
  • Flutter Security Best Practices
  • Android Security Guidelines (Keystore, Network Security Config)
  • iOS Security Guide (Keychain, App Transport Security)
  • Platform-specific documentation and security research