OWASP Mobile Security Checker
Comprehensive security analysis for Flutter and mobile applications based on OWASP Mobile Top 10 (2024).
Automated Scanners
Four Python scanners cover the most automatable risk categories. Replace <skill-dir> with the skill's install path (e.g. ~/.claude/skills/owasp-mobile-security-checker):
M1 — Hardcoded Secrets
python3 <skill-dir>/scripts/scan_hardcoded_secrets.py /path/to/project
Detects API keys, tokens, passwords, AWS credentials, and Firebase keys in Dart code and config files.
M2 — Dependency Vulnerabilities
python3 <skill-dir>/scripts/check_dependencies.py /path/to/project
Analyzes pubspec.yaml for outdated packages, any version constraints, and known CVEs.
M5 — Network Security
python3 <skill-dir>/scripts/check_network_security.py /path/to/project
Checks HTTP vs HTTPS usage, certificate pinning, Android Network Security Config, and iOS ATS settings.
M9 — Insecure Storage
python3 <skill-dir>/scripts/analyze_storage_security.py /path/to/project
Identifies unencrypted SharedPreferences, plaintext file storage, unencrypted databases, and insecure backup configurations.
Manual Analysis
M3, M4, M6, M7, M8, and M10 require code review. See references/owasp_mobile_top_10_2024.md for Flutter-specific vulnerability patterns, attack flows, and remediation for each category.
Workflow
Is this a comprehensive audit?
├─ YES → Run all 4 scanners → Review JSON outputs → Manual analysis (M3/M4/M6/M7/M8/M10) → Generate report
└─ NO → Continue...
Specific risk category?
├─ M1 → scan_hardcoded_secrets.py
├─ M2 → check_dependencies.py
├─ M5 → check_network_security.py
├─ M9 → analyze_storage_security.py
└─ M3/M4/M6/M7/M8/M10 → references/owasp_mobile_top_10_2024.md → manual analysis
Quick pre-release check?
└─ YES → Run all 4 scanners → Fix CRITICAL and HIGH findings only
Quick Start: Full Audit
# Run all automated scanners from the project root
python3 <skill-dir>/scripts/scan_hardcoded_secrets.py .
python3 <skill-dir>/scripts/check_dependencies.py .
python3 <skill-dir>/scripts/check_network_security.py .
python3 <skill-dir>/scripts/analyze_storage_security.py .
# Outputs produced:
# owasp_m1_secrets_scan.json
# owasp_m2_dependencies_scan.json
# owasp_m5_network_scan.json
# owasp_m9_storage_scan.json
- Prioritise by severity — fix CRITICAL and HIGH before release
- For M3, M4, M6, M7, M8, M10 — see
references/owasp_mobile_top_10_2024.md - Generate remediation plan with code examples and timeline
OWASP Mobile Top 10 (2024) — Quick Reference
| Risk | Issue | Automated? | Key Check |
|---|---|---|---|
| M1 | Hardcoded credentials | ✅ scanner | API keys, tokens in source/config |
| M2 | Vulnerable dependencies | ✅ scanner | Outdated or unconstrained packages |
| M3 | Weak authentication | Manual | Token storage, MFA, session expiry |
| M4 | Input validation | Manual | SQL injection, XSS in WebViews, IDOR |
| M5 | Insecure communication | ✅ scanner | HTTP usage, missing cert pinning |
| M6 | Privacy violations | Manual | PII in logs/analytics, excess permissions |
| M7 | No binary protections | Manual | Missing --obfuscate, no root detection |
| M8 | Misconfiguration | Manual | Debug flags in production, verbose logging |
| M9 | Insecure storage | ✅ scanner | Sensitive data in SharedPreferences |
| M10 | Weak cryptography | Manual | MD5/SHA1/ECB usage, hardcoded keys |
Understanding Scan Results
| Severity | Meaning | Action |
|---|---|---|
| CRITICAL | Exploitable immediately | Fix now — do not release |
| HIGH | Significant vulnerability | Fix before release |
| MEDIUM | Should be addressed | Plan for next sprint |
| LOW | Best practice improvement | Address as time permits |
Common False Positives
- M1: Test/example keys, placeholders like
YOUR_API_KEY - M2: Dev-only dependencies (linters, test tools)
- M5: HTTP for
localhost/127.0.0.1in development - M9: Non-sensitive data in SharedPreferences (theme preference, language)
Always verify findings in context before flagging as vulnerabilities.
When NOT to Use
- Web application security audits — this skill is mobile/Flutter-specific
- Backend API or server security reviews
- As a substitute for professional penetration testing or a formal security audit
- Projects that do not use Flutter/Dart or
pubspec.yaml
Reference Documentation
references/owasp_mobile_top_10_2024.md provides per-risk detail:
- Real-world attack scenarios and examples
- Flutter-specific vulnerability patterns (Dart code)
- Insecure vs secure code examples
- Platform-specific guidance (Android Keystore/NSC, iOS Keychain/ATS)
- Full mitigation strategies
Integration Points
| Stage | Action |
|---|---|
| Pre-commit | Run scan_hardcoded_secrets.py as a lightweight secrets gate |
| Pull requests | Run all 4 scanners, post findings as PR comment |
| Release builds | Full audit including manual analysis for all 10 categories |
| Incident response | Run targeted scanner for the reported vulnerability category |