owasp-mobile-top-10

OWASP Mobile Top 10 - prevention, detection, and remediation for iOS/Android app security. Use when building or reviewing mobile apps - credentials, supply chain, auth, input/output validation, communication, privacy, binary protection, config, data storage, cryptography.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.


Install skill "owasp-mobile-top-10" with this command: npx skills add yariv1025/skills/yariv1025-skills-owasp-mobile-top-10

OWASP Mobile Top 10

This skill encodes the OWASP Mobile Top 10 for secure mobile app design and review. References are loaded per risk (progressive disclosure). Based on OWASP Mobile Top 10 2024.

When to Read Which Reference

Risk | Read
M1 Improper Credential Usage | references/m1-improper-credential-usage.md
M2 Inadequate Supply Chain Security | references/m2-supply-chain-security.md
M3 Insecure Authentication/Authorization | references/m3-insecure-auth.md
M4 Insufficient Input/Output Validation | references/m4-input-output-validation.md
M5 Insecure Communication | references/m5-insecure-communication.md
M6 Inadequate Privacy Controls | references/m6-privacy-controls.md
M7 Insufficient Binary Protections | references/m7-binary-protections.md
M8 Security Misconfiguration | references/m8-security-misconfiguration.md
M9 Insecure Data Storage | references/m9-insecure-data-storage.md
M10 Insufficient Cryptography | references/m10-insufficient-cryptography.md

Quick Patterns

  • Store credentials and API keys in secure storage (keychain/Keystore); never hardcode. Validate all inputs and encode outputs.
  • Use certificate pinning and TLS for communication; enforce privacy controls and minimal data collection.
  • Harden binary (obfuscation, integrity); use secure defaults and encrypt sensitive data at rest.

Quick Reference / Examples

Task | Approach
Store credentials | Use iOS Keychain or Android Keystore; never hardcode. See M1.
Secure network calls | Use TLS 1.2+, implement certificate pinning. See M5.
Validate input | Sanitize all user/external input before use. See M4.
Protect local data | Encrypt with platform APIs (EncryptedSharedPreferences, Data Protection). See M9.

Safe - Android Keystore for credentials:

import java.security.KeyStore
import javax.crypto.SecretKey
val keyStore = KeyStore.getInstance("AndroidKeyStore")
keyStore.load(null)  // null: the system keystore needs no password; key material never leaves it
val secretKey = keyStore.getKey("my_key_alias", null) as? SecretKey
    ?: error("key 'my_key_alias' not found; generate it with KeyGenerator first")  // getKey returns null for a missing alias

Unsafe - hardcoded API key:

val API_KEY = "sk-12345abcdef"  // NEVER do this: the string is trivially recovered from the APK

Certificate pinning (OkHttp); replace the placeholder pin with the SHA-256 of your server certificate's SubjectPublicKeyInfo and add at least one backup pin so a certificate rotation does not lock users out:

import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
val certificatePinner = CertificatePinner.Builder()
    .add("api.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")  // placeholder pin, not a real value
    .build()
val client = OkHttpClient.Builder().certificatePinner(certificatePinner).build()  // pinning only applies to requests made through this client
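The "Protect local data" row above (M9) names EncryptedSharedPreferences but the skill itself ships no code for it, so here is an added Kotlin example that is not part of the SKILL.md. It assumes the androidx.security:security-crypto artifact is on the classpath; the function names, preference file names and the "session_token" key are assumptions chosen for illustration. The unsafe variant is shown beside the safe one because the two differ by only a few lines yet leave very different artifacts on disk.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

// Unsafe (M9): plain SharedPreferences writes values as cleartext XML under the app's
// shared_prefs directory, so a backup, a rooted device or a file-exposure bug reveals them.
fun unsafePrefs(context: Context): SharedPreferences =
    context.getSharedPreferences("session", Context.MODE_PRIVATE)

// Safe: keys and values are encrypted with a master key held in the AndroidKeyStore,
// so the XML on disk carries only ciphertext.
fun securePrefs(context: Context): SharedPreferences {
    val masterKey = MasterKey.Builder(context)          // default alias "_androidx_security_master_key_"
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()
    return EncryptedSharedPreferences.create(
        context,
        "session_secure",                                   // file name (assumed)
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,   // deterministic: keys stay look-up-able
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM  // randomized: values never repeat
    )
}

// Typical use: persist a session token (assumed key name) without ever writing it in cleartext.
fun saveSessionToken(context: Context, token: String) {
    securePrefs(context).edit().putString("session_token", token).apply()
}

fun loadSessionToken(context: Context): String? =
    securePrefs(context).getString("session_token", null)
```

A quick check during review: pull the app's shared_prefs XML from a debug build and confirm that the file written by securePrefs contains no recognisable key names or token values, while the one written by unsafePrefs does.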

Workflow

Load the reference for the risk you are addressing (e.g. credential handling → M1; network → M5; local storage → M9). See OWASP Mobile Top 10 for the official list.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Related Skills

Related by shared tags or category signals (Security). None of these provides an upstream summary; each is labelled "Repository Source", "Needs Review", category General:

  • owasp-api-security-top-10
  • owasp-iot-top-10
  • owasp-privacy-top-10
  • owasp-serverless-top-10