Security & Credentials
You MUST use this skill for ANY keychain, encryption, passkey, app integrity, file protection, or code signing work.
Quick Reference
| Symptom / Task | Reference |
|---|
| Store tokens, passwords, API keys securely | See |
| Choose kSecAttrAccessible level, biometric protection | See |
| SecItem function signatures, attribute constants | See |
| errSecDuplicateItem, errSecItemNotFound, errSecInteractionNotAllowed | See |
| Encrypt data, sign payloads, key management | See |
| Hash functions, HMAC, AES-GCM, ChaChaPoly, ECDSA, EdDSA, key agreement | See |
| Passkey sign-in, WebAuthn, ASAuthorizationController | See |
| App integrity verification, DCAppAttestService | See |
| NSFileProtection levels, data protection at rest | See skills/file-protection-ref.md
|
| Certificate management, provisioning profiles, CI/CD signing | See |
| Certificate not found, profile mismatch, entitlement errors | See skills/code-signing-diag.md
|
| Certificate CLI, profile inspection, entitlement extraction | See skills/code-signing-ref.md
|
Decision Tree
dot
digraph security {
start [label="Security task" shape=ellipse];
what [label="What do you need?" shape=diamond];
start -> what;
what -> "skills/keychain.md" [label="store/retrieve\ncredentials, tokens,\nsecrets"];
what -> "skills/keychain-ref.md" [label="SecItem API syntax,\nattribute constants,\naccess levels"];
what -> "skills/keychain-diag.md" [label="keychain errors\n(errSec codes)"];
what -> "skills/cryptokit.md" [label="encrypt data,\nsign payloads,\nSecure Enclave keys"];
what -> "skills/cryptokit-ref.md" [label="CryptoKit API\n(AES, ECDSA, HPKE,\npost-quantum)"];
what -> "skills/passkeys.md" [label="passkey sign-in,\nreplace passwords"];
what -> "skills/app-attest.md" [label="app integrity,\nfraud prevention"];
what -> "skills/file-protection-ref.md" [label="file encryption,\nNSFileProtection"];
what -> "skills/code-signing.md" [label="set up signing,\nprofiles, CI/CD"];
what -> "skills/code-signing-diag.md" [label="signing errors,\nupload rejections"];
what -> "skills/code-signing-ref.md" [label="CLI commands,\nprofile inspection"];
}
- Store tokens, passwords, API keys securely? →
1a. Need SecItem function signatures, attribute constants? →
1b. Keychain errors (errSecDuplicateItem, errSecItemNotFound)? →
- Encrypt data, sign payloads, manage keys? →
2a. Need CryptoKit API details (AES-GCM, ECDSA, HPKE, post-quantum)? →
- Implement passkey sign-in, replace passwords? →
- Verify app integrity, prevent fraud? →
- File encryption at rest, NSFileProtection levels? →
skills/file-protection-ref.md
- Set up code signing, manage certificates, CI/CD? →
6a. Code signing error troubleshooting? →
skills/code-signing-diag.md
skills/code-signing-ref.md
- Build/upload failures after signing? → See axiom-build
- App Store submission prep? →
- Privacy manifests, tracking transparency? → See axiom-integration
- Data persistence (SwiftData, Core Data, storage strategy)? →
- TLS configuration, certificate pinning for network requests? →
- Want automated security scan? → security-privacy-scanner (Agent)
Conflict Resolution
security vs axiom-build: When build fails with signing errors:
- Code signing errors (certificate, profile, entitlement) → use security
- Environment issues (Xcode version, simulator, Derived Data) → use axiom-build
- If unsure, check the error message: , , → security
security vs shipping: When preparing for App Store:
- Privacy manifests, submission checklists, rejections → use shipping
- Code signing for distribution, certificate management → use security
security vs axiom-data: When storing sensitive data:
- Tokens, passwords, API keys → use security (keychain)
- User preferences, non-sensitive settings → use axiom-data (UserDefaults/SwiftData)
- File encryption levels for database files → use security (file-protection-ref)
security vs axiom-networking: When securing network communication:
- TLS configuration, certificate pinning → use axiom-networking
- Signing API requests, encrypting payloads → use security (CryptoKit)
Critical Patterns
- SecItem mental model: uniqueness constraints, data protection classes
- Biometric access control (Face ID / Touch ID)
- Keychain sharing between app and extensions
- Background access pitfalls, Mac keychain differences
- Migration from UserDefaults/@AppStorage for sensitive data
- SecItemAdd/CopyMatching/Update/Delete signatures
- Item class attributes, uniqueness constraint rules
- kSecAttrAccessible levels and when each applies
- Access control flags, biometric integration
- Complete error code reference
- errSecDuplicateItem from unexpected uniqueness constraints
- errSecItemNotFound despite item existing (query mismatch)
- errSecInteractionNotAllowed in background contexts
- Access group and entitlement mismatches
- Items disappearing after app updates
- AES-GCM and ChaChaPoly authenticated encryption
- ECDSA/EdDSA digital signatures
- Secure Enclave hardware-backed keys
- Key agreement (ECDH) for end-to-end encryption
- HPKE for modern asymmetric encryption
- Post-quantum algorithms (ML-KEM, ML-DSA)
- CommonCrypto migration path
- Hash functions (SHA-256/384/512, SHA-3), HMAC
- Symmetric encryption (AES-GCM, ChaChaPoly)
- Asymmetric signing (P256, P384, P521, Curve25519, Ed25519)
- Key agreement, key derivation (HKDF)
- Secure Enclave key creation and usage
- Swift Crypto cross-platform parity
- ASAuthorizationController registration and assertion flows
- AutoFill-assisted requests (QuickType bar integration)
- Automatic passkey upgrades for existing users (iOS 18+)
- Combined credential requests (passkey + password + Sign in with Apple)
- Associated domains configuration for WebAuthn
- DCAppAttestService attestation and assertion flows
- Server-side validation of attestation objects
- DeviceCheck 2-bit per-device state
- Gradual rollout strategies for large install bases
- Handling unsupported devices gracefully
File Protection (
skills/file-protection-ref.md
):
- NSFileProtection levels (complete, completeUnlessOpen, afterFirstUnlock, none)
- Hardware-accelerated encryption tied to device passcode
- Background file access requirements
- Keychain vs file protection comparison
- Automatic vs manual signing tradeoffs
- Certificate and profile management across teams
- fastlane match for team-wide certificate sharing
- CI/CD signing setup (GitHub Actions, Xcode Cloud)
- Distribution build preparation (App Store, TestFlight, Ad Hoc)
Code Signing Diagnostics (
skills/code-signing-diag.md
):
- Certificate issues (expired, missing, wrong type, revoked)
- Provisioning profile issues (expired, missing cert, wrong App ID)
- Entitlement mismatches (capability in Xcode but not in profile)
- Keychain issues in CI (locked keychain, errSecInternalComponent)
- Archive/export failures (wrong export method, wrong cert type)
Code Signing CLI (
skills/code-signing-ref.md
):
- , for profile inspection
codesign -d --entitlements
- Certificate types, validity periods, per-account limits
- fastlane match commands and Keychain management
Automated Scanning
Security audit → Launch
agent (scans for hardcoded credentials, insecure @AppStorage usage, missing Privacy Manifests, ATS violations, sensitive data in logs)
Anti-Rationalization
| Thought | Reality |
|---|
| "I'll store the token in UserDefaults for now" | UserDefaults is a plist file readable by any process with file access. Keychain takes 10 lines. shows the pattern. |
| "My app doesn't need encryption" | If you store any user data at rest, iOS file protection is free. skills/file-protection-ref.md
|
| "CommonCrypto works fine, no need to migrate" | CommonCrypto is C API with manual memory management and no compile-time safety. CryptoKit prevents buffer overflows and key misuse. |
| "I'll just use automatic signing" | Automatic signing works until CI, team scaling, or capability changes break it. Understand manual signing before you need it. covers both. |
| "Passkeys are too new, passwords are fine" | Passkeys are phishing-resistant and supported since iOS 16. The migration path supports both simultaneously. shows combined flows. |
| "I'll regenerate all certificates to fix this" | Regenerating revokes existing certs and breaks every teammate's build. Diagnose first. skills/code-signing-diag.md
|
| "App Attest is overkill for my app" | If your app has any server-verified purchase, promotion, or competitive feature, tampered clients will exploit it. covers gradual rollout. |
| "I'll use @unchecked Sendable on my crypto wrapper" | Hiding thread-safety issues from the compiler in security code is how data corruption happens. See axiom-concurrency for safe patterns. |
| "kSecAttrAccessibleAlways is fine" | Deprecated since iOS 12. Items are accessible even when device is locked and unencrypted during backup. Use kSecAttrAccessibleAfterFirstUnlock at minimum. |
Example Invocations
User: "How do I store an auth token securely?"
→ Read:
User: "errSecDuplicateItem when saving to keychain"
→ Read:
User: "What are the SecItem attribute constants?"
→ Read:
User: "How do I encrypt user data with AES?"
→ Read:
User: "What's the CryptoKit API for ECDSA signing?"
→ Read:
User: "How do I add passkey sign-in to my app?"
→ Read:
User: "How do I verify my app hasn't been tampered with?"
→ Read:
User: "What NSFileProtection level should I use?"
→ Read:
skills/file-protection-ref.md
User: "My build fails with 'No signing certificate found'"
→ Read:
skills/code-signing-diag.md
User: "How do I set up fastlane match for CI?"
→ Read:
User: "How do I inspect a provisioning profile?"
→ Read:
skills/code-signing-ref.md
User: "Scan my code for security issues"
→ Invoke:
agent