Apple平台安全审查指南：iOS/macOS/watchOS应用漏洞检测与安全实现

security by rshankras/claude-code-apple-skills

102 周安装量

158 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/rshankras/claude-code-apple-skills --skill security

iOS macOS 安全

🇨🇳中文介绍

Apple 平台安全审查

为 iOS、macOS 和 watchOS 应用程序提供全面的安全指导。审查代码中的漏洞并提供安全的实现模式。

此技能何时激活

当用户出现以下情况时使用此技能：

询问“安全审查”或“安全审计”
想要实现“安全存储”或“Keychain”
需要“Face ID”、“Touch ID”或“生物识别认证”
询问关于“证书固定”或“网络安全”
提及“数据保护”或“加密”
想要存储“敏感数据”、“凭证”或“令牌”
询问关于“Secure Enclave”或硬件安全

审查流程

阶段 1：项目发现

识别应用的安全层面：

# 查找与安全相关的代码
Grep: "SecItem|Keychain|kSecClass"
Grep: "LAContext|biometryType|evaluatePolicy"
Grep: "URLSession|ATS|NSAppTransportSecurity"
Grep: "CryptoKit|SecKey|CC_SHA"

确定：

平台（iOS、macOS、watchOS 或多平台）
敏感数据类型（凭证、健康数据、财务数据、个人身份信息）
使用的身份验证方法
网络通信模式

阶段 2：安全存储审查

加载并应用：secure-storage.md

关键领域：

Keychain 使用模式
数据保护类
用于密钥的 Secure Enclave
避免不安全存储（UserDefaults、文件）

阶段 3：身份验证审查

加载并应用：biometric-auth.md

关键领域：

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

相关 Skills

Azure RBAC 权限管理工具：查找最小角色、创建自定义角色与自动化分配

142,000 周安装

OpenClaw 安全 Linux 云部署指南：私有优先、SSH隧道、Podman容器化

45,000 周安装

Linux云主机安全托管指南：从SSH加固到HTTPS部署

44,900 周安装

xdrop 文件传输脚本：Bun 环境下安全上传下载工具，支持加密分享

42,100 周安装

# 安全审查：[应用名称]

**平台**：iOS / macOS / watchOS / Universal
**审查日期**：[日期]
**风险等级**：Critical / High / Medium / Low

## 摘要

| 类别 | 状态 | 问题 |
|----------|--------|--------|
| 安全存储 | ✅/⚠️/❌ | X 个问题 |
| 身份验证 | ✅/⚠️/❌ | X 个问题 |
| 网络安全 | ✅/⚠️/❌ | X 个问题 |
| 平台安全 | ✅/⚠️/❌ | X 个问题 |

---

## 🔴 严重漏洞

暴露用户数据或可能引发攻击的安全问题。

### [问题标题]

**文件**：`path/to/file.swift:123`
**风险**：[如果被利用会发生什么]
**OWASP 类别**：[如适用]

**易受攻击的代码**：
```swift
// 当前不安全的代码

[Critical] [第一个修复]
[Critical] [第二个修复]
[High] [第三个修复] ...

优先级分类

🔴 严重
- 凭证以明文或存储在 UserDefaults 中
- 禁用了 SSL/TLS 验证
- 硬编码的密钥或 API 密钥
- SQL 注入或代码注入漏洞
- 敏感操作缺少身份验证
🟠 高
- Keychain 没有适当的访问控制
- 敏感数据缺少生物识别认证
- 弱加密实现
- 过于宽松的权限
- 日志中包含敏感数据
🟡 中
- 缺少证书固定
- 生物识别备用机制过于宽松
- 数据保护类可以更强
- 缺少越狱/完整性检测
🟢 低/建议
- 额外的加固措施
- 纵深防御改进
- 为清晰安全而进行的代码组织
快速检查

不安全存储检测
```
Grep: "UserDefaults.*password|UserDefaults.*token|UserDefaults.*secret|UserDefaults.*apiKey"
Grep: "\.write\(.*credential|\.write\(.*password"
Grep: "let.*apiKey.*=.*\"|let.*secret.*=.*\""
```

🇺🇸English

Security Review for Apple Platforms

Comprehensive security guidance for iOS, macOS, and watchOS applications. Reviews code for vulnerabilities and provides secure implementation patterns.

When This Skill Activates

Use this skill when the user:

Asks for "security review" or "security audit"
Wants to implement "secure storage" or "Keychain"
Needs "Face ID", "Touch ID", or "biometric authentication"
Asks about "certificate pinning" or "network security"
Mentions "Data Protection" or "encryption"
Wants to store "sensitive data", "credentials", or "tokens"
Asks about "Secure Enclave" or hardware security

Review Process

Phase 1: Project Discovery

Identify the app's security surface:

# Find security-related code
Grep: "SecItem|Keychain|kSecClass"
Grep: "LAContext|biometryType|evaluatePolicy"
Grep: "URLSession|ATS|NSAppTransportSecurity"
Grep: "CryptoKit|SecKey|CC_SHA"

Determine:

Platform (iOS, macOS, watchOS, or multi-platform)
Sensitive data types (credentials, health data, financial, PII)
Authentication methods in use
Network communication patterns

Phase 2: Secure Storage Review

Load and apply: secure-storage.md

Key areas:

Keychain usage patterns
Data Protection classes
Secure Enclave for keys
Avoiding insecure storage (UserDefaults, files)

Phase 3: Authentication Review

Load and apply: biometric-auth.md

Key areas:

Face ID / Touch ID implementation
Fallback mechanisms
LAContext configuration
Keychain integration with biometrics

Phase 4: Network Security Review

Load and apply: network-security.md

Key areas:

App Transport Security configuration
Certificate pinning
TLS best practices
Secure API communication

Phase 5: Platform-Specific Review

Load and apply: platform-specifics.md

Key areas:

iOS: Data Protection, App Groups, Keychain sharing
macOS: Sandbox, Hardened Runtime, Keychain access
watchOS: Health data, Watch Connectivity security

Output Format

Present findings in this structure:

# Security Review: [App Name]

**Platform**: iOS / macOS / watchOS / Universal
**Review Date**: [Date]
**Risk Level**: Critical / High / Medium / Low

## Summary

| Category | Status | Issues |
|----------|--------|--------|
| Secure Storage | ✅/⚠️/❌ | X issues |
| Authentication | ✅/⚠️/❌ | X issues |
| Network Security | ✅/⚠️/❌ | X issues |
| Platform Security | ✅/⚠️/❌ | X issues |

---

## 🔴 Critical Vulnerabilities

Security issues that expose user data or enable attacks.

### [Issue Title]

**File**: `path/to/file.swift:123`
**Risk**: [What could happen if exploited]
**OWASP Category**: [If applicable]

**Vulnerable Code**:
```swift
// current insecure code

Secure Implementation :

// fixed secure code

🟠 High Priority Issues

Issues that weaken security posture.

[Same format as above]

🟡 Medium Priority Issues

Issues that should be addressed for defense in depth.

[Same format as above]

🟢 Recommendations

Security hardening suggestions.

[Same format as above]

✅ Security Strengths

What the app does well:

[Strength 1]
[Strength 2]

Action Plan

[Critical] [First fix]
[Critical] [Second fix]
[High] [Third fix] ...

## Priority Classification

### 🔴 Critical
- Credentials stored in plain text or UserDefaults
- Disabled SSL/TLS validation
- Hardcoded secrets or API keys
- SQL injection or code injection vulnerabilities
- Missing authentication on sensitive operations

### 🟠 High
- Keychain without appropriate access controls
- Missing biometric authentication for sensitive data
- Weak cryptographic implementations
- Overly permissive entitlements
- Sensitive data in logs

### 🟡 Medium
- Missing certificate pinning
- Biometric fallback too permissive
- Data Protection class could be stronger
- Missing jailbreak/integrity detection

### 🟢 Low/Recommendations
- Additional hardening measures
- Defense in depth improvements
- Code organization for security clarity

## Quick Checks

### Insecure Storage Detection
```bash
Grep: "UserDefaults.*password|UserDefaults.*token|UserDefaults.*secret|UserDefaults.*apiKey"
Grep: "\.write\(.*credential|\.write\(.*password"
Grep: "let.*apiKey.*=.*\"|let.*secret.*=.*\""

Insecure Network Detection

Grep: "http://(?!localhost|127\.0\.0\.1)"
Grep: "AllowsArbitraryLoads.*true"
Grep: "serverTrust|URLAuthenticationChallenge.*useCredential"

Sensitive Data in Logs

Grep: "print\(.*password|print\(.*token|NSLog.*credential"
Grep: "Logger.*password|os_log.*secret"

References

secure-storage.md - Keychain, Data Protection, Secure Enclave
biometric-auth.md - Face ID, Touch ID, LAContext
network-security.md - ATS, certificate pinning, TLS
platform-specifics.md - iOS vs macOS vs watchOS

External Resources

Weekly Installs

Repository

rshankras/claud…e-skills

GitHub Stars

115

First Seen

Jan 25, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

gemini-cli82

codex82

opencode82

github-copilot80

amp78

kimi-cli77

Apple平台安全审查指南：iOS/macOS/watchOS应用漏洞检测与安全实现

🇨🇳中文介绍

Apple 平台安全审查

此技能何时激活

审查流程

阶段 1：项目发现

阶段 2：安全存储审查

阶段 3：身份验证审查

相关 Skills

阶段 4：网络安全审查

阶段 5：平台特定审查

输出格式

🟠 高优先级问题

🟡 中优先级问题

🟢 建议

✅ 安全优势

行动计划

优先级分类

🔴 严重

🟠 高

🟡 中

🟢 低/建议

快速检查

不安全存储检测

不安全网络检测

日志中的敏感数据

参考资料

外部资源

🇺🇸English

Security Review for Apple Platforms

When This Skill Activates

Review Process

Phase 1: Project Discovery

Phase 2: Secure Storage Review

Phase 3: Authentication Review

Phase 4: Network Security Review

Phase 5: Platform-Specific Review

Output Format

🟠 High Priority Issues

🟡 Medium Priority Issues

🟢 Recommendations

✅ Security Strengths

Action Plan

Insecure Network Detection

Sensitive Data in Logs

References

External Resources

最新 Skills