owasp-mobile-security-checker

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

OWASP Mobile Security Checker

OWASP移动应用安全检查工具

Comprehensive security analysis tool for Flutter and mobile applications based on the OWASP Mobile Top 10 (2024) guidelines.

基于OWASP移动应用Top 10（2024版）指南的Flutter及移动应用全面安全分析工具。

Overview

概述

This skill enables thorough security auditing of Flutter mobile applications by identifying vulnerabilities across all ten OWASP Mobile Top 10 risk categories. It combines automated scanning scripts with manual analysis guidelines to provide comprehensive security assessments and actionable remediation plans.

该技能可通过识别OWASP移动应用Top10所有风险类别的漏洞，对Flutter移动应用进行全面安全审计。它结合自动化扫描脚本与人工分析指南，提供全面的安全评估及可执行的修复方案。

Core Capabilities

核心功能

1. Automated Vulnerability Scanning

1. 自动化漏洞扫描

Run Python-based scanners to detect common security issues:

运行基于Python的扫描器检测常见安全问题：

M1 - Hardcoded Secrets Scanner**

M1 - 硬编码密钥扫描器**

bash

python3 scripts/scan_hardcoded_secrets.py /path/to/project

Detects API keys, tokens, passwords, AWS credentials, Firebase keys, and other hardcoded secrets in Dart code and configuration files.

bash

python3 scripts/scan_hardcoded_secrets.py /path/to/project

检测Dart代码和配置文件中的API密钥、令牌、密码、AWS凭证、Firebase密钥及其他硬编码机密信息。

M2 - Dependency Security Checker**

M2 - 依赖安全检查器**

bash

python3 scripts/check_dependencies.py /path/to/project

Analyzes

pubspec.yaml

for outdated packages, insecure version constraints (

any

), and known vulnerabilities.

bash

python3 scripts/check_dependencies.py /path/to/project

分析

pubspec.yaml

中的过期包、不安全版本约束（

any

）及已知漏洞。

M5 - Network Security Validator**

M5 - 网络安全验证器**

bash

python3 scripts/check_network_security.py /path/to/project

Checks for HTTP vs HTTPS usage, certificate pinning, Android Network Security Config, and iOS App Transport Security settings.

bash

python3 scripts/check_network_security.py /path/to/project

检查HTTP与HTTPS使用情况、证书固定、Android网络安全配置及iOS App Transport Security设置。

M9 - Storage Security Analyzer**

M9 - 存储安全分析器**

bash

python3 scripts/analyze_storage_security.py /path/to/project

Identifies unencrypted SharedPreferences usage, plaintext file storage, unencrypted databases, and insecure backup configurations.

bash

python3 scripts/analyze_storage_security.py /path/to/project

识别未加密的SharedPreferences使用、明文文件存储、未加密数据库及不安全的备份配置。

2. Manual Security Analysis

2. 人工安全分析

For risks requiring code review and architectural assessment:

M3 (Authentication/Authorization): Evaluate token management, MFA, biometrics, and session handling
M4 (Input/Output Validation): Check input sanitization, parameterized queries, and injection prevention
M6 (Privacy Controls): Review permissions, PII handling, consent mechanisms, and data minimization
M7 (Binary Protections): Verify obfuscation, root detection, and anti-debugging measures
M8 (Security Misconfiguration): Inspect debug flags, logging, and platform configurations
M10 (Cryptography): Validate algorithm choices, key management, and encryption modes

针对需要代码审查和架构评估的风险：

M3（身份验证/授权）：评估令牌管理、多因素认证（MFA）、生物识别及会话处理
M4（输入/输出验证）：检查输入清理、参数化查询及注入防护
M6（隐私控制）：审查权限、个人可识别信息（PII）处理、同意机制及数据最小化
M7（二进制保护）：验证混淆、root检测及反调试措施
M8（安全配置错误）：检查调试标志、日志记录及平台配置
M10（加密）：验证算法选择、密钥管理及加密模式

3. Comprehensive Security Reports

3. 全面安全报告

Generate detailed reports with:

Severity-based prioritization (CRITICAL → HIGH → MEDIUM → LOW)
Flutter-specific code examples (insecure vs secure patterns)
Actionable remediation steps with implementation guidance
OWASP Mobile Top 10 risk categorization

生成包含以下内容的详细报告：

基于严重程度的优先级划分（CRITICAL → HIGH → MEDIUM → LOW）
Flutter特定代码示例（不安全 vs 安全模式）
带有实施指导的可执行修复步骤
OWASP移动应用Top10风险分类

Workflow Decision Tree

工作流决策树

Start here to determine your approach:

text

Is this a comprehensive security audit?
├─ YES → Run all 4 automated scanners → Review results → Perform manual analysis → Generate report
└─ NO → Continue...

Is this for a specific OWASP risk category?
├─ M1 (Credentials) → Run scan_hardcoded_secrets.py → Review findings
├─ M2 (Dependencies) → Run check_dependencies.py → Update packages
├─ M5 (Network) → Run check_network_security.py → Implement certificate pinning
├─ M9 (Storage) → Run analyze_storage_security.py → Use encrypted storage
└─ Other (M3/M4/M6/M7/M8/M10) → Load reference docs → Perform manual analysis

Is this a quick security check before release?
└─ YES → Run all automated scanners → Focus on CRITICAL/HIGH findings → Fix blockers

从此处开始确定你的处理方式：

text

这是全面安全审计吗？
├─ 是 → 运行所有4个自动化扫描器 → 审查结果 → 执行人工分析 → 生成报告
└─ 否 → 继续...

这是针对特定OWASP风险类别的检查吗？
├─ M1（凭证） → 运行scan_hardcoded_secrets.py → 审查发现的问题
├─ M2（依赖） → 运行check_dependencies.py → 更新包
├─ M5（网络） → 运行check_network_security.py → 实施证书固定
├─ M9（存储） → 运行analyze_storage_security.py → 使用加密存储
└─ 其他（M3/M4/M6/M7/M8/M10） → 加载参考文档 → 执行人工分析

这是发布前的快速安全检查吗？
└─ 是 → 运行所有自动化扫描器 → 重点关注CRITICAL/HIGH级别的问题 → 修复阻塞性问题

Quick Start: Comprehensive Audit

快速开始：全面审计

Perform a complete OWASP security audit:

Run automated scans (from project root):

bash

python3 .claude/skills/owasp-mobile-security-checker/scripts/scan_hardcoded_secrets.py .
python3 .claude/skills/owasp-mobile-security-checker/scripts/check_dependencies.py .
python3 .claude/skills/owasp-mobile-security-checker/scripts/analyze_storage_security.py .
python3 .claude/skills/owasp-mobile-security-checker/scripts/check_network_security.py .

Review JSON outputs:

```
owasp_m1_secrets_scan.json
```
```
owasp_m2_dependencies_scan.json
```
```
owasp_m5_network_scan.json
```
```
owasp_m9_storage_scan.json
```

Prioritize by severity: Address CRITICAL and HIGH findings first
Load reference documentation for detailed information:
text
```
Read references/owasp_mobile_top_10_2024.md
```
Perform manual analysis for remaining risks (M3, M4, M6, M7, M8, M10)
Generate remediation plan with code examples and timeline

执行完整的OWASP安全审计：

运行自动化扫描（从项目根目录执行）：

bash

python3 .claude/skills/owasp-mobile-security-checker/scripts/scan_hardcoded_secrets.py .
python3 .claude/skills/owasp-mobile-security-checker/scripts/check_dependencies.py .
python3 .claude/skills/owasp-mobile-security-checker/scripts/analyze_storage_security.py .
python3 .claude/skills/owasp-mobile-security-checker/scripts/check_network_security.py .

审查JSON输出结果：

```
owasp_m1_secrets_scan.json
```
```
owasp_m2_dependencies_scan.json
```
```
owasp_m5_network_scan.json
```
```
owasp_m9_storage_scan.json
```

按严重程度优先级处理：先解决CRITICAL和HIGH级别的问题

加载参考文档获取详细信息：

text

阅读references/owasp_mobile_top_10_2024.md

对剩余风险执行人工分析（M3、M4、M6、M7、M8、M10）
生成修复计划，包含代码示例和时间线

Manual Analysis Guidelines

人工分析指南

M3: Authentication & Authorization

M3：身份验证与授权

What to check:

Token storage using
```
flutter_secure_storage
```
(not SharedPreferences)
Token expiration and refresh mechanisms
Multi-factor authentication implementation
Server-side authorization enforcement

Code patterns to find:

dart

// Search for: SharedPreferences + setString with 'token', 'auth', 'password'
// Flag: Plaintext credential storage

// Verify: FlutterSecureStorage usage for sensitive data
// Check: Token expiration logic exists

检查内容：

使用
```
flutter_secure_storage
```
存储令牌（而非SharedPreferences）
令牌过期和刷新机制
多因素认证的实现
服务器端授权强制执行

需要查找的代码模式：

dart

// 搜索：SharedPreferences + setString 搭配 'token', 'auth', 'password'
// 标记：明文凭证存储

// 验证：FlutterSecureStorage用于存储敏感数据
// 检查：存在令牌过期逻辑

M4: Input/Output Validation

M4：输入/输出验证

What to check:

Input validation on all user inputs (forms, URLs, file paths)
Parameterized database queries (no string interpolation)
Output encoding in WebViews
API response validation

Code patterns to find:

dart

// Search for: rawQuery, rawInsert with string interpolation ($)
// Flag: SQL injection vulnerability

// Search for: WebView without proper sanitization
// Flag: XSS vulnerability

检查内容：

所有用户输入（表单、URL、文件路径）的输入验证
参数化数据库查询（无字符串插值）
WebViews中的输出编码
API响应验证

需要查找的代码模式：

dart

// 搜索：rawQuery, rawInsert 搭配字符串插值 ($)
// 标记：SQL注入漏洞

// 搜索：未进行适当清理的WebView
// 标记：XSS漏洞

M6: Privacy Controls

M6：隐私控制

What to check:

Minimal permission requests (only necessary)
No PII in analytics events or logs
Consent mechanisms for data collection
Proper anonymization/pseudonymization

Code patterns to find:

dart

// Search for: FirebaseAnalytics.logEvent with email, phone, name
// Flag: PII in analytics

// Search for: print(), log() with user data
// Flag: PII in logs

检查内容：

最小权限请求（仅请求必要权限）
分析事件或日志中不包含PII
数据收集的同意机制
适当的匿名化/伪匿名化

需要查找的代码模式：

dart

// 搜索：FirebaseAnalytics.logEvent 搭配 email, phone, name
// 标记：分析中包含PII

// 搜索：print(), log() 搭配用户数据
// 标记：日志中包含PII

M7: Binary Protections

M7：二进制保护

What to verify:

bash

undefined

需要验证的内容：

bash

undefined

Check build commands use obfuscation:

检查构建命令是否使用混淆：

flutter build apk --release --obfuscate --split-debug-info=./debug-info

Search for root detection packages:

搜索root检测包：

grep -r "flutter_jailbreak_detection" pubspec.yaml grep -r "root_detector" pubspec.yaml

Verify debug mode checks:

验证调试模式检查：

grep -r "kDebugMode" lib/

undefined

grep -r "kDebugMode" lib/

undefined

M8: Security Misconfiguration

M8：安全配置错误

What to check:

Debug flags disabled in production
Logging levels appropriate for release
Minimal platform permissions in manifests
No development endpoints in production code

Code patterns to find:

dart

// Flag: Debug code that executes in release builds
if (kDebugMode) { print("..."); } // This compiles in release!

// Preferred: assert(() { debugPrint("..."); return true; }());

检查内容：

生产环境中禁用调试标志
日志级别适合发布版本
清单文件中权限最小化
生产代码中无开发端点

需要查找的代码模式：

dart

// 标记：在发布版本中执行的调试代码
if (kDebugMode) { print("..."); } // 这段代码会在发布版本中编译！

// 推荐写法：assert(() { debugPrint("..."); return true; }());

M10: Cryptography

M10：加密

What to check:

Strong algorithms (AES-256 GCM, not MD5/SHA1)
Secure key storage (Keystore/Keychain, not hardcoded)
Proper encryption modes (GCM, not ECB)
Cryptographically secure RNG (Random.secure())

Code patterns to find:

dart

// Search for: md5, sha1, des (weak algorithms)
// Search for: AESMode.ecb (insecure mode)
// Search for: 'encryption_key', 'secret_key' (hardcoded keys)

检查内容：

强算法（AES-256 GCM，而非MD5/SHA1）
安全密钥存储（Keystore/Keychain，而非硬编码）
适当的加密模式（GCM，而非ECB）
加密安全的随机数生成器（Random.secure()）

需要查找的代码模式：

dart

// 搜索：md5, sha1, des（弱算法）
// 搜索：AESMode.ecb（不安全模式）
// 搜索：'encryption_key', 'secret_key'（硬编码密钥）

Understanding Scan Results

理解扫描结果

Severity Levels

严重程度级别

CRITICAL: Immediate security risk requiring urgent action
- Examples: Disabled certificate validation, exposed production credentials
- Action: Fix immediately, do not release
HIGH: Significant vulnerability requiring prompt remediation
- Examples: Hardcoded API keys, unencrypted sensitive storage
- Action: Fix before release
MEDIUM: Security concern that should be addressed
- Examples: Missing certificate pinning, outdated dependencies
- Action: Plan remediation, fix in next sprint
LOW: Best practice or minor improvement
- Examples: Verbose logging, local networking allowed
- Action: Address as time permits

CRITICAL（关键）：需要紧急处理的直接安全风险
- 示例：禁用证书验证、暴露生产环境凭证
- 操作：立即修复，禁止发布
HIGH（高）：需要及时修复的严重漏洞
- 示例：硬编码API密钥、未加密敏感存储
- 操作：发布前修复
MEDIUM（中）：需要解决的安全问题
- 示例：缺少证书固定、过期依赖
- 操作：规划修复，在下一个迭代中解决
LOW（低）：最佳实践或微小改进
- 示例：详细日志记录、允许本地网络
- 操作：在时间允许时解决

Common False Positives

常见误报

Be aware of legitimate cases that may trigger findings:

M1: Test/example API keys, environment placeholders (
```
YOUR_API_KEY
```
)
M5: HTTP for localhost/127.0.0.1 during development
M9: Non-sensitive data in SharedPreferences (user preferences)
M2: Development dependencies (linters, test tools)

Always verify findings in context before flagging as vulnerabilities.

注意可能触发检测的合法情况：

M1：测试/示例API密钥、环境占位符（
```
YOUR_API_KEY
```
）
M5：开发过程中针对localhost/127.0.0.1使用HTTP
M9：SharedPreferences中存储非敏感数据（用户偏好设置）
M2：开发依赖（代码检查工具、测试工具）

在标记为漏洞前，务必结合上下文验证发现的问题。

Reference Documentation

参考文档

The

references/owasp_mobile_top_10_2024.md

file provides:

Detailed explanations of each OWASP Mobile Top 10 risk
Real-world attack scenarios and examples
Flutter-specific vulnerability patterns
Complete mitigation strategies
Secure vs insecure code examples
Platform-specific considerations (Android/iOS)

When to load this reference:

Need deep understanding of a specific risk category
Creating detailed remediation documentation
Explaining vulnerabilities to stakeholders
Looking for Flutter-specific code patterns
Researching platform-specific security configurations

references/owasp_mobile_top_10_2024.md

文件包含：

每个OWASP移动应用Top10风险的详细解释
真实攻击场景和示例
Flutter特定的漏洞模式
完整的缓解策略
安全与不安全代码示例
平台特定注意事项（Android/iOS）

何时加载此参考文档：

需要深入理解特定风险类别
创建详细的修复文档
向利益相关者解释漏洞
查找Flutter特定的代码模式
研究平台特定的安全配置

Example: Targeted Security Fix

示例：针对性安全修复

Scenario: Found HIGH severity finding for hardcoded API key

Locate the issue:

text

File: lib/services/api_client.dart:15
Issue: Hardcoded API key
Code: const String apiKey = "sk_live_ABC123...";

Understand the risk: Load
```
references/owasp_mobile_top_10_2024.md
```
and review M1 section

Implement fix:

dart

// Before (INSECURE):
const String apiKey = "sk_live_ABC123...";

// After (SECURE):
final secureStorage = FlutterSecureStorage();
String? apiKey = await secureStorage.read(key: 'api_key');
// Key injected at build time or fetched from secure backend

Verify fix: Re-run
```
scan_hardcoded_secrets.py
```
to confirm issue resolved
Document: Update security review with remediation details

场景：发现高严重程度的硬编码API密钥问题

定位问题：

text

文件：lib/services/api_client.dart:15
问题：硬编码API密钥
代码：const String apiKey = "sk_live_ABC123...";

理解风险：加载
```
references/owasp_mobile_top_10_2024.md
```
并查看M1部分

实施修复：

dart

// 修复前（不安全）：
const String apiKey = "sk_live_ABC123...";

// 修复后（安全）：
final secureStorage = FlutterSecureStorage();
String? apiKey = await secureStorage.read(key: 'api_key');
// 密钥在构建时注入或从安全后端获取

验证修复：重新运行
```
scan_hardcoded_secrets.py
```
确认问题已解决
文档记录：更新安全审查记录，添加修复细节

Best Practices

最佳实践

For Development Teams:

Run automated scans in CI/CD pipeline on every PR
Establish security gates (no CRITICAL findings in production)
Conduct quarterly comprehensive security audits
Maintain security backlog and track remediation

For Security Auditors:

Combine automated scans with manual code review
Test fixes to ensure they don't break functionality
Document security exceptions with business justification
Provide training on secure coding practices

For All Users:

Keep scan scripts updated with latest patterns
Share findings and recommendations with team
Integrate security early in development cycle
Treat OWASP compliance as ongoing, not one-time

针对开发团队：

在CI/CD流水线中对每个PR运行自动化扫描
建立安全门限（生产环境中不允许存在CRITICAL级别的问题）
每季度进行一次全面安全审计
维护安全待办事项并跟踪修复进度

针对安全审计人员：

将自动化扫描与人工代码审查相结合
测试修复以确保不破坏功能
记录带有业务理由的安全例外情况
提供安全编码实践培训

针对所有用户：

保持扫描脚本更新至最新模式
与团队共享发现的问题和建议
在开发周期早期集成安全措施
将OWASP合规视为持续过程，而非一次性任务

Integration Points

集成点

Recommended workflow integration:

Pre-commit: Lightweight secret scanning
Pull Requests: Automated scans with security report comment
Release Builds: Comprehensive audit including manual analysis
Production: Continuous monitoring and periodic reviews
Incident Response: Targeted scans when vulnerabilities reported

推荐的工作流集成：

提交前：轻量级密钥扫描
拉取请求：自动化扫描并添加安全报告评论
发布构建：包括人工分析的全面审计
生产环境：持续监控和定期审查
事件响应：漏洞报告时进行针对性扫描

Additional Resources

额外资源

This skill references authoritative sources:

OWASP Mobile Top 10 Project (2024)
Flutter Security Best Practices
Android Security Guidelines (Keystore, Network Security Config)
iOS Security Guide (Keychain, App Transport Security)
Platform-specific documentation and security research

该技能参考以下权威来源：

OWASP移动应用Top10项目（2024版）
Flutter安全最佳实践
Android安全指南（Keystore、网络安全配置）
iOS安全指南（Keychain、App Transport Security）
平台特定文档和安全研究