Domain 08 / 12

Mobile Apps security audit

Protect on-device data, harden network trust and resist reverse engineering — Android and iOS.

  • 41 checks
  • Android · iOS · Reverse engineering

Run the audit See example checks

What securmyapp checks

Inside the Mobile Apps domain

This is the Mobile Apps domain of securmyapp — the free, open-source, 100% defensive security auditor for Claude Code that runs 598 checks across 12 domains. The Mobile Apps domain applies OWASP MASVS and MASTG to Android and iOS. securmyapp inspects local storage for cleartext data, decompiles to find hardcoded credentials, enforces TLS and certificate pinning, audits exported components and deep links, hardens WebViews, and verifies key storage in the Keystore or Secure Enclave — plus anti-tampering resilience.

Coverage areas

41 atomic checks span these sub-domains.

  • Storage

    SharedPreferences / Keychain / SQLite inspected for cleartext data.

  • Secrets

    No hardcoded keys or credentials in the decompiled binary.

  • Network

    TLS everywhere, certificate pinning, strict hostname verification.

  • Cryptography

    Keys in Keystore / Secure Enclave, no weak algorithms.

  • Platform

    Exported components, deep links / URL schemes, WebView hardening.

  • Resilience

    Anti-tampering and binary-protection checks.

Example checks

A sample of the real checks run in this domain — each mapped to a standard and a fix.

Example Mobile Apps security checks with severity, what they detect, and their standard reference.
CheckSeverityDetectsReference
No hardcoded credentialsCriticalEmbedded keys/secrets recovered by decompiling the app.MASVS-STORAGE-1 · CWE-798
Secure local storageHighSensitive data stored in cleartext on the device.MASVS-STORAGE-1 · MASTG
Certificate pinningHighMissing pinning that allows TLS interception (MITM).MASVS-NETWORK-2
Hostname/cert verificationHighTrust-all or permissive verifiers enabling trivial MITM.MASVS-NETWORK-1 · CWE-295
Exported components (Android)HighExposed activities/services/receivers/providers.MASVS-PLATFORM-1
WebView protectionHighUnhardened WebViews bridging XSS/RCE to native code.MASVS-PLATFORM-2 · CWE-749

Vulnerabilities we catch

  • Hardcoded API keys and secrets in the mobile binary
  • Sensitive data stored in cleartext on the device
  • Missing certificate pinning and permissive TLS validation
  • Exported Android components exposed to other apps
  • Unvalidated deep links and unhardened WebViews
  • Cryptographic keys stored outside the Keystore / Secure Enclave

How remediation works and standards

Detect → explain → fix → verify

How remediation works here

Every finding in this domain is explained in plain language with its reference, fixed with a concrete change to the exact file and line, committed as a reversible Git commit, then re-checked in a real browser against a healthy baseline — so a security fix never breaks your app.

Standards behind this domain

Mapped to recognized references

  • OWASP WSTG
  • OWASP ASVS 5.0
  • OWASP API Top 10
  • OWASP MASVS 2.1
  • CIS Benchmarks
  • MITRE ATT&CK
  • CWE

FAQ

Mobile Apps — questions & answers

Does it cover both Android and iOS?

Yes. Checks map to OWASP MASVS 2.1 and MASTG across storage, network, cryptography, platform interaction and resilience, for both Android and iOS.

Can it find secrets hidden inside the app binary?

It decompiles the package and searches for embedded keys and credentials — a Critical finding, since anything shipped in the binary can be extracted.

What about man-in-the-middle protection?

It verifies TLS on all connections, certificate/public-key pinning, and strict hostname verification, flagging trust-all configurations that make interception trivial.

Get started

Audit your app in the next five minutes

Clone the skill into ~/.claude/skills/, then ask Claude to audit your app (or type /securmyapp). The full audit starts on its own.

Install — one command
git clone https://github.com/mafady/securmyapp ~/.claude/skills/securmyapp

View on GitHub Browse the domains

New to Claude Code? Follow the step-by-step getting started guide.

Requires Node.js 18+, Claude Code, and a paid Claude subscription. Semgrep & Playwright recommended.