Domain 08 / 12
Mobile Apps security audit
Protect on-device data, harden network trust and resist reverse engineering — Android and iOS.
- 41 checks
- Android · iOS · Reverse engineering
What securmyapp checks
Inside the Mobile Apps domain
This is the Mobile Apps domain of securmyapp — the free, open-source, 100% defensive security auditor for Claude Code that runs 598 checks across 12 domains. The Mobile Apps domain applies OWASP MASVS and MASTG to Android and iOS. securmyapp inspects local storage for cleartext data, decompiles to find hardcoded credentials, enforces TLS and certificate pinning, audits exported components and deep links, hardens WebViews, and verifies key storage in the Keystore or Secure Enclave — plus anti-tampering resilience.
Coverage areas
41 atomic checks span these sub-domains.
Storage
SharedPreferences / Keychain / SQLite inspected for cleartext data.
Secrets
No hardcoded keys or credentials in the decompiled binary.
Network
TLS everywhere, certificate pinning, strict hostname verification.
Cryptography
Keys in Keystore / Secure Enclave, no weak algorithms.
Platform
Exported components, deep links / URL schemes, WebView hardening.
Resilience
Anti-tampering and binary-protection checks.
Example checks
A sample of the real checks run in this domain — each mapped to a standard and a fix.
| Check | Severity | Detects | Reference |
|---|---|---|---|
| No hardcoded credentials | Critical | Embedded keys/secrets recovered by decompiling the app. | MASVS-STORAGE-1 · CWE-798 |
| Secure local storage | High | Sensitive data stored in cleartext on the device. | MASVS-STORAGE-1 · MASTG |
| Certificate pinning | High | Missing pinning that allows TLS interception (MITM). | MASVS-NETWORK-2 |
| Hostname/cert verification | High | Trust-all or permissive verifiers enabling trivial MITM. | MASVS-NETWORK-1 · CWE-295 |
| Exported components (Android) | High | Exposed activities/services/receivers/providers. | MASVS-PLATFORM-1 |
| WebView protection | High | Unhardened WebViews bridging XSS/RCE to native code. | MASVS-PLATFORM-2 · CWE-749 |
Vulnerabilities we catch
- Hardcoded API keys and secrets in the mobile binary
- Sensitive data stored in cleartext on the device
- Missing certificate pinning and permissive TLS validation
- Exported Android components exposed to other apps
- Unvalidated deep links and unhardened WebViews
- Cryptographic keys stored outside the Keystore / Secure Enclave
How remediation works and standards
Detect → explain → fix → verify
How remediation works here
Every finding in this domain is explained in plain language with its reference, fixed with a concrete change to the exact file and line, committed as a reversible Git commit, then re-checked in a real browser against a healthy baseline — so a security fix never breaks your app.
Standards behind this domain
Mapped to recognized references
- OWASP WSTG
- OWASP ASVS 5.0
- OWASP API Top 10
- OWASP MASVS 2.1
- CIS Benchmarks
- MITRE ATT&CK
- CWE
FAQ
Mobile Apps — questions & answers
Does it cover both Android and iOS?
Yes. Checks map to OWASP MASVS 2.1 and MASTG across storage, network, cryptography, platform interaction and resilience, for both Android and iOS.
Can it find secrets hidden inside the app binary?
It decompiles the package and searches for embedded keys and credentials — a Critical finding, since anything shipped in the binary can be extracted.
What about man-in-the-middle protection?
It verifies TLS on all connections, certificate/public-key pinning, and strict hostname verification, flagging trust-all configurations that make interception trivial.
Related domains
Get started
Audit your app in the next five minutes
Clone the skill into ~/.claude/skills/, then ask Claude to audit your app (or type /securmyapp). The full audit starts on its own.
git clone https://github.com/mafady/securmyapp ~/.claude/skills/securmyapp
View on GitHub Browse the domains
New to Claude Code? Follow the step-by-step getting started guide.
Requires Node.js 18+, Claude Code, and a paid Claude subscription. Semgrep & Playwright recommended.