Back to Details

security

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Security Review for Apple Platforms

Apple平台应用安全审查

Comprehensive security guidance for iOS, macOS, and watchOS applications. Reviews code for vulnerabilities and provides secure implementation patterns.
针对iOS、macOS和watchOS应用的全面安全指导。审查代码中的漏洞并提供安全的实现模式。

When This Skill Activates

技能触发场景

Use this skill when the user:
  • Asks for "security review" or "security audit"
  • Wants to implement "secure storage" or "Keychain"
  • Needs "Face ID", "Touch ID", or "biometric authentication"
  • Asks about "certificate pinning" or "network security"
  • Mentions "Data Protection" or "encryption"
  • Wants to store "sensitive data", "credentials", or "tokens"
  • Asks about "Secure Enclave" or hardware security
当用户有以下需求时,可使用本技能:
  • 询问“安全审查”或“安全审计”相关内容
  • 希望实现“安全存储”或使用“Keychain”
  • 需要集成“Face ID”、“Touch ID”或“生物特征认证”
  • 询问“证书固定”或“网络安全”相关问题
  • 提及“数据保护”或“加密”
  • 想要存储“敏感数据”、“凭证”或“令牌”
  • 询问“Secure Enclave”或硬件安全相关内容

Review Process

审查流程

Phase 1: Project Discovery

阶段1:项目调研

Identify the app's security surface:
bash
undefined
识别应用的安全范围:
bash
undefined

Find security-related code

查找安全相关代码

Grep: "SecItem|Keychain|kSecClass" Grep: "LAContext|biometryType|evaluatePolicy" Grep: "URLSession|ATS|NSAppTransportSecurity" Grep: "CryptoKit|SecKey|CC_SHA"

Determine:
- Platform (iOS, macOS, watchOS, or multi-platform)
- Sensitive data types (credentials, health data, financial, PII)
- Authentication methods in use
- Network communication patterns
Grep: "SecItem|Keychain|kSecClass" Grep: "LAContext|biometryType|evaluatePolicy" Grep: "URLSession|ATS|NSAppTransportSecurity" Grep: "CryptoKit|SecKey|CC_SHA"

确定以下信息:
- 平台(iOS、macOS、watchOS或跨平台)
- 敏感数据类型(凭证、健康数据、财务数据、个人身份信息)
- 使用的认证方式
- 网络通信模式

Phase 2: Secure Storage Review

阶段2:安全存储审查

Load and apply: secure-storage.md
Key areas:
  • Keychain usage patterns
  • Data Protection classes
  • Secure Enclave for keys
  • Avoiding insecure storage (UserDefaults, files)
加载并参考:secure-storage.md
核心审查点:
  • Keychain使用模式
  • 数据保护类别
  • 基于Secure Enclave的密钥管理
  • 避免不安全存储方式(UserDefaults、本地文件)

Phase 3: Authentication Review

阶段3:认证机制审查

Load and apply: biometric-auth.md
Key areas:
  • Face ID / Touch ID implementation
  • Fallback mechanisms
  • LAContext configuration
  • Keychain integration with biometrics
加载并参考:biometric-auth.md
核心审查点:
  • Face ID / Touch ID实现
  • fallback机制
  • LAContext配置
  • 生物特征认证与Keychain的集成

Phase 4: Network Security Review

阶段4:网络安全审查

Load and apply: network-security.md
Key areas:
  • App Transport Security configuration
  • Certificate pinning
  • TLS best practices
  • Secure API communication
加载并参考:network-security.md
核心审查点:
  • App Transport Security配置
  • 证书固定
  • TLS最佳实践
  • 安全API通信

Phase 5: Platform-Specific Review

阶段5:平台特定安全审查

Load and apply: platform-specifics.md
Key areas:
  • iOS: Data Protection, App Groups, Keychain sharing
  • macOS: Sandbox, Hardened Runtime, Keychain access
  • watchOS: Health data, Watch Connectivity security
加载并参考:platform-specifics.md
核心审查点:
  • iOS:数据保护、App Groups、Keychain共享
  • macOS:沙箱、强化运行时、Keychain访问控制
  • watchOS:健康数据、Watch Connectivity安全

Output Format

输出格式

Present findings in this structure:
markdown
undefined
按照以下结构呈现审查结果:
markdown
undefined

Security Review: [App Name]

安全审查报告:[应用名称]

Platform: iOS / macOS / watchOS / Universal Review Date: [Date] Risk Level: Critical / High / Medium / Low
平台:iOS / macOS / watchOS / 跨平台 审查日期:[日期] 风险等级:严重 / 高 / 中 / 低

Summary

摘要

CategoryStatusIssues
Secure Storage✅/⚠️/❌X issues
Authentication✅/⚠️/❌X issues
Network Security✅/⚠️/❌X issues
Platform Security✅/⚠️/❌X issues
类别状态问题数量
安全存储✅/⚠️/❌X个问题
认证机制✅/⚠️/❌X个问题
网络安全✅/⚠️/❌X个问题
平台安全✅/⚠️/❌X个问题

🔴 Critical Vulnerabilities

🔴 严重漏洞

Security issues that expose user data or enable attacks.
可能导致用户数据泄露或被攻击的安全问题。

[Issue Title]

[问题标题]

File: 
path/to/file.swift:123
Risk: [What could happen if exploited] OWASP Category: [If applicable]
Vulnerable Code:
swift
// current insecure code
Secure Implementation:
swift
// fixed secure code
文件
path/to/file.swift:123
风险:[被利用后可能造成的后果] OWASP类别:[如适用]
存在漏洞的代码:
swift
// 当前不安全的代码
安全实现方案:
swift
// 修复后的安全代码

🟠 High Priority Issues

🟠 高优先级问题

Issues that weaken security posture.
[Same format as above]
会削弱安全防护能力的问题。
[格式同上]

🟡 Medium Priority Issues

🟡 中优先级问题

Issues that should be addressed for defense in depth.
[Same format as above]
为了深度防御需要解决的问题。
[格式同上]

🟢 Recommendations

🟢 建议项

Security hardening suggestions.
[Same format as above]
安全加固建议。
[格式同上]

✅ Security Strengths

✅ 安全优势

What the app does well:
  • [Strength 1]
  • [Strength 2]
应用做得好的地方:
  • [优势1]
  • [优势2]

Action Plan

行动计划

  1. [Critical] [First fix]
  2. [Critical] [Second fix]
  3. [High] [Third fix] ...
undefined
  1. [严重] [首要修复项]
  2. [严重] [次要修复项]
  3. [高] [第三项修复] ...
undefined

Priority Classification

优先级分类

🔴 Critical

🔴 严重

  • Credentials stored in plain text or UserDefaults
  • Disabled SSL/TLS validation
  • Hardcoded secrets or API keys
  • SQL injection or code injection vulnerabilities
  • Missing authentication on sensitive operations
  • 凭证以明文或存储在UserDefaults中
  • 禁用SSL/TLS验证
  • 硬编码密钥或API密钥
  • SQL注入或代码注入漏洞
  • 敏感操作缺少认证

🟠 High

🟠 高

  • Keychain without appropriate access controls
  • Missing biometric authentication for sensitive data
  • Weak cryptographic implementations
  • Overly permissive entitlements
  • Sensitive data in logs
  • Keychain未设置适当的访问控制
  • 敏感数据未启用生物特征认证
  • 弱加密实现
  • 权限过于宽松
  • 日志中包含敏感数据

🟡 Medium

🟡 中

  • Missing certificate pinning
  • Biometric fallback too permissive
  • Data Protection class could be stronger
  • Missing jailbreak/integrity detection
  • 未启用证书固定
  • 生物特征认证fallback机制过于宽松
  • 数据保护类别可进一步强化
  • 缺少越狱/完整性检测

🟢 Low/Recommendations

🟢 低/建议项

  • Additional hardening measures
  • Defense in depth improvements
  • Code organization for security clarity
  • 额外的加固措施
  • 深度防御改进
  • 代码组织优化以提升安全性清晰度

Quick Checks

快速检查

Insecure Storage Detection

不安全存储检测

bash
Grep: "UserDefaults.*password|UserDefaults.*token|UserDefaults.*secret|UserDefaults.*apiKey"
Grep: "\.write\(.*credential|\.write\(.*password"
Grep: "let.*apiKey.*=.*\"|let.*secret.*=.*\""
bash
Grep: "UserDefaults.*password|UserDefaults.*token|UserDefaults.*secret|UserDefaults.*apiKey"
Grep: "\.write\(.*credential|\.write\(.*password"
Grep: "let.*apiKey.*=.*\"|let.*secret.*=.*\""

Insecure Network Detection

不安全网络检测

bash
Grep: "http://(?!localhost|127\.0\.0\.1)"
Grep: "AllowsArbitraryLoads.*true"
Grep: "serverTrust|URLAuthenticationChallenge.*useCredential"
bash
Grep: "http://(?!localhost|127\.0\.0\.1)"
Grep: "AllowsArbitraryLoads.*true"
Grep: "serverTrust|URLAuthenticationChallenge.*useCredential"

Sensitive Data in Logs

日志中的敏感数据检测

bash
Grep: "print\(.*password|print\(.*token|NSLog.*credential"
Grep: "Logger.*password|os_log.*secret"
bash
Grep: "print\(.*password|print\(.*token|NSLog.*credential"
Grep: "Logger.*password|os_log.*secret"

References

参考文档

  • secure-storage.md - Keychain, Data Protection, Secure Enclave
  • biometric-auth.md - Face ID, Touch ID, LAContext
  • network-security.md - ATS, certificate pinning, TLS
  • platform-specifics.md - iOS vs macOS vs watchOS
  • secure-storage.md - Keychain、数据保护、Secure Enclave
  • biometric-auth.md - Face ID、Touch ID、LAContext
  • network-security.md - ATS、证书固定、TLS
  • platform-specifics.md - iOS vs macOS vs watchOS

External Resources

外部资源