AgentSkillsCN

owasp-mobile-top-10

OWASP Mobile Top 10 - prevention, detection and remediation guidance for iOS/Android app security. Use it when building or reviewing mobile apps: credential handling, supply chain, authentication/authorization, input/output validation, network communication, privacy controls, binary protection, security configuration, local data storage and cryptography.

SKILL.md
---
name: owasp-mobile-top-10
description: "OWASP Mobile Top 10 - prevention, detection, and remediation for iOS/Android app security. Use when building or reviewing mobile apps - credentials, supply chain, auth, input/output validation, communication, privacy, binary protection, config, data storage, cryptography."
---

# OWASP Mobile Top 10

This skill encodes the OWASP Mobile Top 10 for secure mobile app design and review. References are loaded per risk (progressive disclosure). Based on OWASP Mobile Top 10 2024.

## When to Read Which Reference

| Risk | Read |
|---|---|
| M1 Improper Credential Usage | references/m1-improper-credential-usage.md |
| M2 Inadequate Supply Chain Security | references/m2-supply-chain-security.md |
| M3 Insecure Authentication/Authorization | references/m3-insecure-auth.md |
| M4 Insufficient Input/Output Validation | references/m4-input-output-validation.md |
| M5 Insecure Communication | references/m5-insecure-communication.md |
| M6 Inadequate Privacy Controls | references/m6-privacy-controls.md |
| M7 Insufficient Binary Protections | references/m7-binary-protections.md |
| M8 Security Misconfiguration | references/m8-security-misconfiguration.md |
| M9 Insecure Data Storage | references/m9-insecure-data-storage.md |
| M10 Insufficient Cryptography | references/m10-insufficient-cryptography.md |

## Quick Patterns

- Store credentials and API keys in platform secure storage (iOS Keychain, keys held in the Android Keystore); never hardcode them in the binary, where anyone with the APK/IPA can read them. Validate all input against an allowlist and encode output for the context it lands in (HTML, SQL, shell, URL).
- Use TLS 1.2+ with certificate pinning for all network traffic and never disable hostname or certificate verification; enforce privacy controls and collect the minimum data the feature needs.
- Harden the binary (obfuscation, integrity checks) as defense in depth, not as the only control; ship secure defaults (debugging and backup disabled in release builds) and encrypt sensitive data at rest.

## Quick Reference / Examples

| Task | Approach |
|---|---|
| Store credentials | Use iOS Keychain or Android Keystore; never hardcode. See M1. |
| Secure network calls | Use TLS 1.2+ (prefer 1.3) and implement certificate pinning with a backup pin. See M5. |
| Validate input | Validate all user/external input (deep links, intents, WebView URLs, server responses) against an allowlist before use; reject rather than try to sanitize. See M4. |
| Protect local data | Encrypt with platform APIs (a Keystore-wrapped key on Android, Data Protection classes on iOS). Jetpack EncryptedSharedPreferences is deprecated in recent Jetpack Security releases, so prefer a Keystore-wrapped key for new code. See M9. |
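For the "Validate input" row, one mobile-specific case where allowlist validation matters is a deep link or intent URI that ends up in a WebView or as a redirect target. The validator below is an added example, not code from the original skill; the allowed schemes and hosts are hypothetical and would be replaced with the app's own.

```kotlin
import android.net.Uri

// Hypothetical allowlist; keep it per-feature and as small as possible.
private val ALLOWED_SCHEMES = setOf("https")
private val ALLOWED_HOSTS = setOf("www.example.com", "api.example.com")

/**
 * Returns the URL if it is safe to hand to a WebView (or to follow as a
 * redirect), or null when it must be rejected. Rejection, not "sanitising",
 * is the rule: there is no safe way to clean up a javascript: or intent: URL.
 *
 * Rejected inputs include:
 *   javascript:alert(1)                    opaque scheme
 *   file:///data/data/com.app/secrets.db   scheme not allowed
 *   https://www.example.com.evil.com/      host is an exact-match miss
 *   https://www.example.com@evil.com/      userinfo trick, host is evil.com
 *   HTTPS://WWW.EXAMPLE.COM/../../x        traversal segment in the path
 */
fun validateDeepLink(raw: String?): String? {
    if (raw.isNullOrBlank()) return null
    val uri = Uri.parse(raw)
    if (!uri.isHierarchical) return null                              // javascript:, mailto:, tel: are opaque
    if (uri.scheme?.lowercase() !in ALLOWED_SCHEMES) return null      // http:, file:, intent:, content:
    if (uri.host?.lowercase() !in ALLOWED_HOSTS) return null          // exact match, never endsWith("example.com")
    if (uri.userInfo != null) return null                             // https://www.example.com@evil.com
    if (uri.port != -1 && uri.port != 443) return null                // no surprise ports
    if (uri.encodedPath?.split('/')?.any { it == ".." } == true) return null  // path traversal segments
    return uri.toString()
}
```

Call it from the receiving Activity on `intent.data?.toString()` and only load the returned value; a null result should be logged and dropped. The same shape of check (scheme, exact host, no userinfo, fixed port) applies to URLs received from the server, since M4 treats server responses as external input too.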

Safe - Android Keystore for credentials (the key must first have been generated under this alias with `KeyGenerator` and a `KeyGenParameterSpec`; the Keystore holds keys, so an API token is protected by encrypting it under such a key, not by placing the token itself in the Keystore):

```kotlin
import java.security.KeyStore
import javax.crypto.SecretKey

// Returns a handle to a non-exportable key; the key material never leaves the Keystore/TEE
val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
val secretKey = keyStore.getKey("my_key_alias", null) as SecretKey
```

Unsafe - hardcoded API key:

```kotlin
val API_KEY = "sk-12345abcdef"  // NEVER do this: anyone with the APK recovers it with strings/jadx; obfuscation only slows that down
```
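A fuller version of the safe pattern above, as an added example that is not part of the original skill: a secret provisioned at runtime (for instance a token obtained after login, which is what replaces the hardcoded key) is encrypted under a non-exportable AES-256-GCM key generated in the Android Keystore, and only the ciphertext and IV are written to SharedPreferences. The alias `api_token_key`, the preferences file name `secure_prefs` and the class name are assumptions.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Base64
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

/**
 * Stores runtime secrets encrypted under a Keystore-resident AES-256-GCM key.
 * The raw key is never visible to app code, so dumping the process or the
 * prefs file yields only ciphertext. Alias and prefs name are illustrative.
 */
class KeystoreSecretStore(context: Context) {
    private val prefs = context.getSharedPreferences("secure_prefs", Context.MODE_PRIVATE)
    private val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }

    // Generate the key once under KEY_ALIAS; later calls return the existing handle.
    private fun key(): SecretKey {
        (keyStore.getEntry(KEY_ALIAS, null) as? KeyStore.SecretKeyEntry)?.let { return it.secretKey }
        val spec = KeyGenParameterSpec.Builder(
            KEY_ALIAS,
            KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            .setRandomizedEncryptionRequired(true) // Keystore picks a fresh IV on every encrypt
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
            .apply { init(spec) }
            .generateKey()
    }

    fun save(name: String, secret: ByteArray) {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.ENCRYPT_MODE, key())
        val ciphertext = cipher.doFinal(secret)
        // The IV is not secret but must be unique per encryption; store it beside the ciphertext.
        prefs.edit()
            .putString("$name.iv", Base64.encodeToString(cipher.iv, Base64.NO_WRAP))
            .putString("$name.ct", Base64.encodeToString(ciphertext, Base64.NO_WRAP))
            .apply()
    }

    fun load(name: String): ByteArray? {
        val iv = prefs.getString("$name.iv", null) ?: return null
        val ct = prefs.getString("$name.ct", null) ?: return null
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.DECRYPT_MODE, key(), GCMParameterSpec(128, Base64.decode(iv, Base64.NO_WRAP)))
        // GCM's tag check makes doFinal throw AEADBadTagException if the stored blob was modified.
        return cipher.doFinal(Base64.decode(ct, Base64.NO_WRAP))
    }

    fun clear(name: String) {
        prefs.edit().remove("$name.iv").remove("$name.ct").apply()
    }

    companion object {
        private const val KEY_ALIAS = "api_token_key"
    }
}
```

Usage is `KeystoreSecretStore(context).save("api_token", token.toByteArray())` after login and `load("api_token")` before each call. Two options worth considering on the `KeyGenParameterSpec.Builder`: `setUserAuthenticationRequired(true)` ties decryption to a recent biometric/PIN unlock, and `setIsStrongBoxBacked(true)` (API 28+) requests a dedicated secure element. Keystore keys can be invalidated (lock-screen removal with authentication-bound keys, factory reset), so only store secrets the app can re-provision, and treat a decryption failure as "re-authenticate", not as a crash.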

Certificate pinning (OkHttp):

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient

val certificatePinner = CertificatePinner.Builder()
    .add("api.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") // placeholder: replace with the real SPKI hash and add a backup pin
    .build()
val client = OkHttpClient.Builder().certificatePinner(certificatePinner).build()
```
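The placeholder pin above has to be replaced with the SHA-256 digest of the server key's SubjectPublicKeyInfo, which is the value OkHttp compares against the validated chain. The JVM-side helper below is an added example (not part of the original skill or of OkHttp): it computes that value for every certificate in a PEM chain file so the intermediate can be pinned as the backup, cross-checks each result against OkHttp's own `CertificatePinner.pin`, and builds a client carrying all the pins. The file name `chain.pem` and the host `api.example.com` are assumptions.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import java.io.File
import java.security.MessageDigest
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate
import java.util.Base64

// OkHttp pin format: "sha256/" + base64(SHA-256(SubjectPublicKeyInfo DER)).
// Hashing the public key rather than the whole certificate means a renewed
// certificate that keeps the same key pair still satisfies the pin.
fun spkiPin(cert: X509Certificate): String {
    val digest = MessageDigest.getInstance("SHA-256").digest(cert.publicKey.encoded)
    return "sha256/" + Base64.getEncoder().encodeToString(digest)
}

// Reads a PEM bundle (leaf first, then intermediates, as the server sends them)
// and returns (subject, pin) per certificate, so an intermediate can be pinned
// next to the leaf as the backup pin that survives a leaf key rotation.
fun pinsFromPemBundle(pemFile: File): List<Pair<String, String>> {
    val factory = CertificateFactory.getInstance("X.509")
    return pemFile.inputStream().use { input ->
        factory.generateCertificates(input).map { c ->
            val x509 = c as X509Certificate
            val pin = spkiPin(x509)
            check(pin == CertificatePinner.pin(x509)) { "pin differs from OkHttp's computation" } // cross-check
            x509.subjectX500Principal.name to pin
        }
    }
}

// A connection passes when ANY pin for the host matches a certificate in the
// validated chain; that is what lets a backup pin keep the app working during rotation.
fun buildPinnedClient(host: String, pins: List<String>): OkHttpClient {
    require(pins.size >= 2) { "pin at least one current key and one backup" }
    val pinner = CertificatePinner.Builder()
        .add(host, *pins.toTypedArray())
        .build()
    return OkHttpClient.Builder().certificatePinner(pinner).build()
}

fun main(args: Array<String>) {
    val chain = File(args.getOrElse(0) { "chain.pem" })  // assumed path to the server's PEM chain
    val pins = pinsFromPemBundle(chain)
    pins.forEach { (subject, pin) -> println("$subject -> $pin") }
    buildPinnedClient("api.example.com", pins.map { it.second })
    println("client configured with ${pins.size} pins for api.example.com")
}
```

The same digest from the command line, for one certificate, is `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`. At runtime a pin mismatch surfaces as `javax.net.ssl.SSLPeerUnverifiedException` from the call; handle it as a hard failure (no fallback to an unpinned client), and plan the rotation so the new key is pinned in a shipped release before the server switches to it.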

## Workflow

Load the reference for the risk you are addressing (e.g. credential handling → M1; network → M5; local storage → M9). See OWASP Mobile Top 10 for the official list.