OWASP Mobile Security Checker
Comprehensive security analysis for Flutter and mobile applications based on OWASP Mobile Top 10 (2024).
Automated Scanners
Four Python scanners cover the most automatable risk categories. Replace `<skill-dir>` with the skill's install path (e.g. `~/.claude/skills/owasp-mobile-security-checker`):
M1 — Hardcoded Secrets
```bash
python3 <skill-dir>/scripts/scan_hardcoded_secrets.py /path/to/project
```
Detects API keys, tokens, passwords, AWS credentials, and Firebase keys in Dart code and config files.
M2 — Dependency Vulnerabilities
```bash
python3 <skill-dir>/scripts/check_dependencies.py /path/to/project
```
Analyzes pubspec.yaml for outdated packages, `any` version constraints, and known CVEs.
M5 — Network Security
```bash
python3 <skill-dir>/scripts/check_network_security.py /path/to/project
```
Checks HTTP vs HTTPS usage, certificate pinning, Android Network Security Config, and iOS ATS settings.
M9 — Insecure Storage
```bash
python3 <skill-dir>/scripts/analyze_storage_security.py /path/to/project
```
Identifies unencrypted SharedPreferences, plaintext file storage, unencrypted databases, and insecure backup configurations.
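The M2 check above reads pubspec.yaml for risky version constraints. The following is an added example, not the skill's own check_dependencies.py, showing the static half of that check (the CVE and outdated-package lookups need network access and are omitted). It uses a minimal indentation-based parser instead of PyYAML so it runs without extra packages; the sample pubspec and the severity values are constructed assumptions, and dev_dependencies findings are downgraded because those tools never ship in the app binary.

```python
import re

# Constructed pubspec.yaml fragment (not from any real project) covering the
# constraint shapes the M2 check cares about.
PUBSPEC_SAMPLE = """\
name: demo_app
environment:
  sdk: ">=3.0.0 <4.0.0"
dependencies:
  flutter:
    sdk: flutter
  http: ^1.2.0
  shared_preferences: any
  dio: ">=5.0.0"
  crypto: 3.0.3
dev_dependencies:
  flutter_lints: any
  mockito: ^5.4.0
"""

SECTION_RE = re.compile(r"^(dependencies|dev_dependencies):\s*$")
DEP_RE = re.compile(r"^  ([A-Za-z0-9_]+):\s*(.*)$")  # exactly two-space indent = direct child


def parse_dependencies(text):
    """Return {section: {package: constraint}} for both dependency sections.

    Deliberately minimal (no PyYAML): only direct children of the two sections
    are read. A package whose value is a nested map (sdk:, git:, path:) gets "".
    """
    sections = {"dependencies": {}, "dev_dependencies": {}}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            continue
        if not line.startswith(" "):
            current = None  # any other top-level key ends the section
            continue
        dep = DEP_RE.match(line) if current else None
        if dep:
            sections[current][dep.group(1)] = dep.group(2).strip().strip("\"'")
    return sections


def classify_constraint(constraint):
    """Return (severity, reason) for a risky constraint, or None if acceptable.

    Severities are this example's assumptions, not the skill's own scale.
    """
    if constraint == "" or constraint.startswith("^"):
        return None  # nested map dep, or caret range bounded below the next major
    if constraint == "any":
        return ("HIGH", "'any' accepts every published version, including future "
                        "breaking or compromised releases")
    if ">" in constraint and "<" not in constraint:
        return ("MEDIUM", "lower bound only; new major versions are pulled in automatically")
    return None  # exact pin or explicitly bounded range


def check_pubspec(text):
    """M2-style static check: list constraint findings, de-prioritising dev-only tools."""
    findings = []
    for section, packages in parse_dependencies(text).items():
        for name, constraint in packages.items():
            result = classify_constraint(constraint)
            if result is None:
                continue
            severity, reason = result
            if section == "dev_dependencies":
                severity = "LOW"  # linters/test tools never ship in the app binary
            findings.append({"package": name, "section": section,
                             "constraint": constraint, "severity": severity,
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for f in check_pubspec(PUBSPEC_SAMPLE):
        print(f"[{f['severity']}] {f['section']}/{f['package']}: "
              f"{f['constraint']} -> {f['reason']}")
```

Run against the sample, `shared_preferences: any` is reported HIGH, `dio: ">=5.0.0"` MEDIUM (no upper bound), and `flutter_lints: any` only LOW because it sits in dev_dependencies; caret ranges and exact pins produce nothing.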
Manual Analysis
M3, M4, M6, M7, M8, and M10 require code review. See references/owasp_mobile_top_10_2024.md for Flutter-specific vulnerability patterns, attack flows, and remediation for each category.
Workflow
```text
Is this a comprehensive audit?
├─ YES → Run all 4 scanners → Review JSON outputs → Manual analysis (M3/M4/M6/M7/M8/M10) → Generate report
└─ NO → Continue...

Specific risk category?
├─ M1 → scan_hardcoded_secrets.py
├─ M2 → check_dependencies.py
├─ M5 → check_network_security.py
├─ M9 → analyze_storage_security.py
└─ M3/M4/M6/M7/M8/M10 → references/owasp_mobile_top_10_2024.md → manual analysis

Quick pre-release check?
└─ YES → Run all 4 scanners → Fix CRITICAL and HIGH findings only
```
Quick Start: Full Audit
```bash
# Run all automated scanners from the project root
python3 <skill-dir>/scripts/scan_hardcoded_secrets.py .
python3 <skill-dir>/scripts/check_dependencies.py .
python3 <skill-dir>/scripts/check_network_security.py .
python3 <skill-dir>/scripts/analyze_storage_security.py .

# Outputs produced:
#   owasp_m1_secrets_scan.json
#   owasp_m2_dependencies_scan.json
#   owasp_m5_network_scan.json
#   owasp_m9_storage_scan.json
```
- Prioritise by severity — fix CRITICAL and HIGH before release
- For M3, M4, M6, M7, M8, M10 — see `references/owasp_mobile_top_10_2024.md`
- Generate a remediation plan with code examples and a timeline
OWASP Mobile Top 10 (2024) — Quick Reference
| Risk | Issue | Automated? | Key Check |
| --- | --- | --- | --- |
| M1 | Hardcoded credentials | ✅ scanner | API keys, tokens in source/config |
| M2 | Vulnerable dependencies | ✅ scanner | Outdated or unconstrained packages |
| M3 | Weak authentication | Manual | Token storage, MFA, session expiry |
| M4 | Input validation | Manual | SQL injection, XSS in WebViews, IDOR |
| M5 | Insecure communication | ✅ scanner | HTTP usage, missing cert pinning |
| M6 | Privacy violations | Manual | PII in logs/analytics, excess permissions |
| M7 | No binary protections | Manual | Missing `--obfuscate`, no root detection |
| M8 | Misconfiguration | Manual | Debug flags in production, verbose logging |
| M9 | Insecure storage | ✅ scanner | Sensitive data in SharedPreferences |
| M10 | Weak cryptography | Manual | MD5/SHA1/ECB usage, hardcoded keys |
Understanding Scan Results
| Severity | Meaning | Action |
| --- | --- | --- |
| CRITICAL | Exploitable immediately | Fix now — do not release |
| HIGH | Significant vulnerability | Fix before release |
| MEDIUM | Should be addressed | Plan for next sprint |
| LOW | Best practice improvement | Address as time permits |
Common False Positives
- M1: Test/example keys, placeholders like `YOUR_API_KEY`
- M2: Dev-only dependencies (linters, test tools)
- M5: HTTP for `localhost`/`127.0.0.1` in development
- M9: Non-sensitive data in SharedPreferences (theme preference, language)
Always verify findings in context before flagging as vulnerabilities.
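The M1 and M5 scanners described under Automated Scanners, the false-positive list just above, and the "fix CRITICAL and HIGH only" pre-release rule from the workflow all come together in the following added example. It is not the skill's scan_hardcoded_secrets.py or check_network_security.py; it is a small scanner written for this page that flags cloud credentials, generic credential assignments and cleartext `http://` URLs in Dart source, then drops the two false-positive classes listed above (placeholder or example values, and loopback hosts) before they ever reach the report. The Dart snippet, every key in it, the pattern set and the per-rule severities are constructed assumptions.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line category severity value")

# Constructed Dart snippet standing in for lib/config.dart; every value is made up.
DART_SAMPLE = """\
// constructed sample config
const apiKey = 'YOUR_API_KEY';
const awsExampleKey = 'AKIAIOSFODNN7EXAMPLE';
const awsKey = 'AKIAABCDEFGHIJKLMNOP';
const firebaseKey = 'AIzaSyA1234567890abcdefghijklmnopqrstuv';
final baseUrl = kDebugMode ? 'http://localhost:8080' : 'https://api.demo-app.test';
final legacyUrl = 'http://api.demo-app.test/v1';
final dbPassword = 'hunter2';
"""

# Detection rules. Severities are this example's assumptions, not the skill's scale.
SECRET_RULES = [
    ("aws_access_key", "CRITICAL", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("firebase_api_key", "HIGH", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")),
    # keyword = 'value' / keyword: 'value'; no leading \b so camelCase names (dbPassword) match
    ("generic_credential", "HIGH",
     re.compile(r"(?i)(?:password|passwd|secret|token|api_?key)\b\s*[=:]\s*['\"]([^'\"]{4,})['\"]")),
]
HTTP_URL = re.compile(r"\bhttp://([^\s'\"/:]+)[^\s'\"]*")  # group 1 = host

# Context rules from the false-positive list: placeholders/example keys and loopback hosts.
PLACEHOLDER = re.compile(r"(?i)your_|<[^>]+>|\$\{|\{\{|changeme|example|placeholder|xxx")
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def scan_dart_source(text):
    """Scan Dart source for M1 (secrets) and M5 (cleartext HTTP) findings."""
    findings = []
    for lineno, src in enumerate(text.splitlines(), 1):
        for category, severity, rule in SECRET_RULES:
            for m in rule.finditer(src):
                value = m.group(m.lastindex or 0)  # captured value, or whole match
                if PLACEHOLDER.search(value):
                    continue  # test/example key or placeholder: not a real secret
                findings.append(Finding(lineno, category, severity, value))
        for m in HTTP_URL.finditer(src):
            if m.group(1).lower() in LOCAL_HOSTS:
                continue  # development loopback endpoint, acceptable
            findings.append(Finding(lineno, "cleartext_http", "MEDIUM", m.group(0)))
    return findings


SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def release_blockers(findings):
    """Pre-release rule from the workflow: only CRITICAL and HIGH block shipping."""
    return sorted((f for f in findings if f.severity in ("CRITICAL", "HIGH")),
                  key=lambda f: SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    found = scan_dart_source(DART_SAMPLE)
    for f in found:
        print(f"line {f.line}: [{f.severity}] {f.category} -> {f.value}")
    print("release blockers:", len(release_blockers(found)))
```

On the sample the placeholder `YOUR_API_KEY`, the documentation-style key ending in `EXAMPLE` and the `http://localhost:8080` debug URL are all silently dropped, leaving four findings; `release_blockers()` keeps the three CRITICAL/HIGH ones and leaves the MEDIUM cleartext URL for the next sprint, which is exactly the triage the severity table describes. Suppression is by value, not by file, so a real key that happens to sit next to a placeholder is still reported.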
When NOT to Use
- Web application security audits — this skill is mobile/Flutter-specific
- Backend API or server security reviews
- As a substitute for professional penetration testing or a formal security audit
- Projects that do not use Flutter/Dart or `pubspec.yaml`
Reference Documentation
references/owasp_mobile_top_10_2024.md provides per-risk detail:
- Real-world attack scenarios and examples
- Flutter-specific vulnerability patterns (Dart code)
- Insecure vs secure code examples
- Platform-specific guidance (Android Keystore/NSC, iOS Keychain/ATS)
- Full mitigation strategies
Integration Points
| Stage | Action |
| --- | --- |
| Pre-commit | Run scan_hardcoded_secrets.py as a lightweight secrets gate |
| Pull requests | Run all 4 scanners, post findings as PR comment |
| Release builds | Full audit including manual analysis for all 10 categories |
| Incident response | Run targeted scanner for the reported vulnerability category |