Four Python scanners that automate the grunt work of mobile security audits: hardcoded secrets, vulnerable dependencies, network config issues, and insecure storage. Each spits out JSON with severity ratings so you can triage before release. The other six OWASP Mobile Top 10 risks need manual review, but you get a reference doc with Flutter-specific vulnerability patterns and code examples. Honest take: this won't replace a real pentest, but it's solid for catching the obvious stuff in CI or before you ship. Works best if you're already familiar with OWASP mobile risks and just need tooling to move faster.
```bash
npx -y skills add harishwarrior/flutter-claude-skills --skill owasp-mobile-security-checker --agent claude-code
```

Installs into `.claude/skills` of the current project.

Comprehensive security analysis for Flutter and mobile applications based on the OWASP Mobile Top 10 (2024).
Four Python scanners cover the most automatable risk categories. Replace `<skill-dir>` with the skill's install path (e.g. `~/.claude/skills/owasp-mobile-security-checker`):

```bash
python3 <skill-dir>/scripts/scan_hardcoded_secrets.py /path/to/project
```

M1: detects API keys, tokens, passwords, AWS credentials, and Firebase keys in Dart code and config files.

```bash
python3 <skill-dir>/scripts/check_dependencies.py /path/to/project
```

M2: analyzes `pubspec.yaml` for outdated packages, unconstrained (`any`) version constraints, and known CVEs.

```bash
python3 <skill-dir>/scripts/check_network_security.py /path/to/project
```

M5: checks HTTP vs HTTPS usage, certificate pinning, the Android Network Security Config, and iOS App Transport Security (ATS) settings.

```bash
python3 <skill-dir>/scripts/analyze_storage_security.py /path/to/project
```

M9: identifies unencrypted SharedPreferences, plaintext file storage, unencrypted databases, and insecure backup configurations.
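The M5 scanner's description names two platform files worth understanding: the Android Network Security Config (`android/app/src/main/res/xml/network_security_config.xml`) and the ATS block in `ios/Runner/Info.plist`. The following is an added example written for this page, not the project's `check_network_security.py`: a minimal check of both files using only the standard library. The weak and hardened samples are constructed, the pin values are placeholders rather than real certificate hashes, and the finding layout (`risk`/`severity`/`issue`) is an assumption.

```python
"""Added example for this page (not the project's check_network_security.py):
a minimal M5-style check over an Android Network Security Config and the
ATS block of an iOS Info.plist. Samples are constructed; the finding dict
layout is an assumption."""
import json
import plistlib
import xml.etree.ElementTree as ET

# Constructed: allows cleartext HTTP everywhere and pins nothing.
ANDROID_NSC_WEAK = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="true" />
</network-security-config>
"""

# Constructed: cleartext off, API host pinned with a backup pin.
# Pin values are placeholders, not real certificate hashes.
ANDROID_NSC_HARDENED = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2027-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
      <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
    </pin-set>
  </domain-config>
</network-security-config>
"""

# Constructed: ATS switched off globally plus an explicit HTTP exception.
IOS_INFO_PLIST_WEAK = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def finding(severity, issue):
    return {"risk": "M5", "severity": severity, "issue": issue}


def check_android_nsc(xml_text):
    """Findings for android/app/src/main/res/xml/network_security_config.xml."""
    root = ET.fromstring(xml_text)
    out = []
    for tag in ("base-config", "domain-config"):
        for cfg in root.iter(tag):
            if cfg.get("cleartextTrafficPermitted", "").lower() == "true":
                out.append(finding("HIGH", f"<{tag}> permits cleartext (HTTP) traffic"))
    pin_sets = list(root.iter("pin-set"))
    if not pin_sets:
        out.append(finding("MEDIUM", "no <pin-set>: certificate pinning not configured"))
    for ps in pin_sets:
        # A single pin with no backup means a certificate rotation breaks the app.
        if len(ps.findall("pin")) < 2:
            out.append(finding("LOW", "<pin-set> has no backup pin"))
    return out


def check_ios_ats(plist_bytes):
    """Findings for the NSAppTransportSecurity dict in ios/Runner/Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    out = []
    if ats.get("NSAllowsArbitraryLoads"):
        out.append(finding("HIGH", "NSAllowsArbitraryLoads disables ATS for every host"))
    for domain, opts in ats.get("NSExceptionDomains", {}).items():
        if opts.get("NSExceptionAllowsInsecureHTTPLoads"):
            out.append(finding("MEDIUM", f"ATS exception allows HTTP for {domain}"))
    return out


if __name__ == "__main__":
    report = {
        "android_weak": check_android_nsc(ANDROID_NSC_WEAK),
        "android_hardened": check_android_nsc(ANDROID_NSC_HARDENED),
        "ios_weak": check_ios_ats(IOS_INFO_PLIST_WEAK),
    }
    print(json.dumps(report, indent=2))
```

The hardened Android sample produces no findings; the weak one yields a HIGH for cleartext traffic and a MEDIUM for missing pinning, and the weak plist yields a HIGH for the global ATS bypass plus a MEDIUM for the per-domain HTTP exception. Severities here follow the page's own scale and are a judgement call, not the scanner's.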
M3, M4, M6, M7, M8, and M10 require code review. See references/owasp_mobile_top_10_2024.md for Flutter-specific vulnerability patterns, attack flows, and remediation for each category.
```text
Is this a comprehensive audit?
├─ YES → Run all 4 scanners → Review JSON outputs → Manual analysis (M3/M4/M6/M7/M8/M10) → Generate report
└─ NO → Continue...

Specific risk category?
├─ M1 → scan_hardcoded_secrets.py
├─ M2 → check_dependencies.py
├─ M5 → check_network_security.py
├─ M9 → analyze_storage_security.py
└─ M3/M4/M6/M7/M8/M10 → references/owasp_mobile_top_10_2024.md → manual analysis

Quick pre-release check?
└─ YES → Run all 4 scanners → Fix CRITICAL and HIGH findings only
```
```bash
# Run all automated scanners from the project root
python3 <skill-dir>/scripts/scan_hardcoded_secrets.py .
python3 <skill-dir>/scripts/check_dependencies.py .
python3 <skill-dir>/scripts/check_network_security.py .
python3 <skill-dir>/scripts/analyze_storage_security.py .

# Outputs produced:
# owasp_m1_secrets_scan.json
# owasp_m2_dependencies_scan.json
# owasp_m5_network_scan.json
# owasp_m9_storage_scan.json
```
references/owasp_mobile_top_10_2024.md covers all ten categories; the table below summarizes which ones are automated and what each check looks for:

| Risk | Issue | Automated? | Key Check |
|---|---|---|---|
| M1 | Hardcoded credentials | ✅ scanner | API keys, tokens in source/config |
| M2 | Vulnerable dependencies | ✅ scanner | Outdated or unconstrained packages |
| M3 | Weak authentication | Manual | Token storage, MFA, session expiry |
| M4 | Input validation | Manual | SQL injection, XSS in WebViews, IDOR |
| M5 | Insecure communication | ✅ scanner | HTTP usage, missing cert pinning |
| M6 | Privacy violations | Manual | PII in logs/analytics, excess permissions |
| M7 | No binary protections | Manual | Missing --obfuscate, no root detection |
| M8 | Misconfiguration | Manual | Debug flags in production, verbose logging |
| M9 | Insecure storage | ✅ scanner | Sensitive data in SharedPreferences |
| M10 | Weak cryptography | Manual | MD5/SHA1/ECB usage, hardcoded keys |

| Severity | Meaning | Action |
|---|---|---|
| CRITICAL | Exploitable immediately | Fix now — do not release |
| HIGH | Significant vulnerability | Fix before release |
| MEDIUM | Should be addressed | Plan for next sprint |
| LOW | Best practice improvement | Address as time permits |

Expect false positives: placeholder values such as `YOUR_API_KEY`, and `localhost`/`127.0.0.1` endpoints used only in development. Always verify findings in context before flagging them as vulnerabilities.
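To make the false-positive point concrete, here is an added example written for this page, not the project's `scan_hardcoded_secrets.py`: a small M1-style scan over Dart source that applies the context filtering recommended above, suppressing template values such as `YOUR_API_KEY` and values that only reference `localhost`/`127.0.0.1`, and redacting whatever it does report so the JSON never carries the full secret. The sample file, the detection patterns and the JSON layout are assumptions made for this example; the AWS value is Amazon's documented example key ID and the other values are made up to fit the token formats.

```python
"""Added example for this page (not the project's scan_hardcoded_secrets.py):
an M1-style secret scan over Dart source with placeholder/dev-host filtering
and redacted evidence. Sample source, patterns and JSON layout are assumptions."""
import json
import re

# Constructed sample lib/config.dart. The AWS value is Amazon's documented
# example key ID; the other values are made up to fit the token formats.
SAMPLE_DART = '''\
const apiKey = "YOUR_API_KEY";
const dbPassword = "postgres-localhost-dev";
const awsAccessKeyId = "AKIAIOSFODNN7EXAMPLE";
final firebaseKey = "AIzaSyA1234567890abcdefghijklmnopqrstuv";
var token = "ghp_abcdefghijklmnopqrstuvwxyz0123456789";
'''

# (finding type, severity, regex). Group 1, where present, is the secret value.
# Specific formats come first so they win over the generic assignment pattern.
PATTERNS = [
    ("AWS access key ID", "CRITICAL", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GitHub personal access token", "CRITICAL", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("Google/Firebase API key", "HIGH", re.compile(r"\bAIza[0-9A-Za-z_-]{35}(?![\w-])")),
    ("credential assigned in source", "MEDIUM",
     re.compile(r"""(?i)\w*(?:api[_-]?key|secret|password|passwd|token)\w*\s*=\s*['"]([^'"]{8,})['"]""")),
]

# Values that are conventionally not secrets: templates, dev hosts, padding.
PLACEHOLDER_RE = re.compile(
    r"^(your_|<|\$\{|\{\{|xxx|changeme|example|placeholder|todo)|localhost|127\.0\.0\.1")


def is_placeholder(value):
    v = value.lower()
    # Low character variety catches "xxxxxxxx" / "00000000" style padding.
    return bool(PLACEHOLDER_RE.search(v)) or len(set(v)) < 4


def redact(value):
    # Never copy the full secret into a report that will be stored or posted.
    return value[:4] + "*" * (len(value) - 4)


def scan_dart(text, path="lib/config.dart"):
    """Return M1 findings for one Dart source file."""
    findings, flagged = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, severity, pattern in PATTERNS:
            for m in pattern.finditer(line):
                if lineno in flagged:
                    break  # a more specific pattern already reported this line
                value = m.group(1) if m.groups() else m.group(0)
                if is_placeholder(value):
                    continue
                flagged.add(lineno)
                findings.append({"risk": "M1", "severity": severity, "type": kind,
                                 "file": path, "line": lineno, "evidence": redact(value)})
    return findings


if __name__ == "__main__":
    print(json.dumps({"findings": scan_dart(SAMPLE_DART)}, indent=2))
```

On the sample, lines 1 and 2 are dropped by the placeholder and localhost filters, and lines 3 to 5 are reported as CRITICAL, HIGH and CRITICAL. The filter list is deliberately short; extend it with your own project's template conventions rather than loosening the patterns.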
references/owasp_mobile_top_10_2024.md provides per-risk detail. Where the scanners fit in the development workflow:

| Stage | Action |
|---|---|
| Pre-commit | Run scan_hardcoded_secrets.py as a lightweight secrets gate |
| Pull requests | Run all 4 scanners, post findings as PR comment |
| Release builds | Full audit including manual analysis for all 10 categories |
| Incident response | Run targeted scanner for the reported vulnerability category |
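The pre-release rule above ("fix CRITICAL and HIGH findings only") and the pull-request stage ("post findings as PR comment") both need something that reads the four JSON reports and turns them into a pass/fail decision. The following is an added example written for this page, not part of the skill: a CI gate that loads whichever of the four report files exist, counts findings per severity, renders a Markdown table for a PR comment, and exits non-zero when anything CRITICAL or HIGH is present. The scanners' JSON schema is not documented on this page, so the loader accepts either a bare list of findings or a `{"findings": [...]}` object and relies only on a `severity` field; that shape and the embedded sample reports are assumptions.

```python
"""Added example for this page (not part of the skill): a CI gate over the
four JSON reports the scanners write. The report schema is not documented on
this page, so the reader accepts a bare list or {"findings": [...]} and uses
only the "severity" field; that and SAMPLE_REPORTS are assumptions."""
import json
import sys
from collections import Counter
from pathlib import Path

REPORT_FILES = [
    "owasp_m1_secrets_scan.json",
    "owasp_m2_dependencies_scan.json",
    "owasp_m5_network_scan.json",
    "owasp_m9_storage_scan.json",
]
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")

# Constructed stand-in for the four files on disk.
SAMPLE_REPORTS = {
    "owasp_m1_secrets_scan.json": {"findings": [
        {"severity": "CRITICAL", "issue": "AWS access key ID in lib/config.dart"}]},
    "owasp_m2_dependencies_scan.json": [
        {"severity": "MEDIUM", "issue": "http: any (unconstrained version)"}],
    "owasp_m5_network_scan.json": {"findings": []},
    "owasp_m9_storage_scan.json": [
        {"severity": "LOW", "issue": "android:allowBackup not set explicitly"},
        {"severity": "HIGH", "issue": "auth token written to SharedPreferences"}],
}


def extract_findings(report):
    """Normalise one report to a list of finding dicts that carry a severity."""
    items = report.get("findings", []) if isinstance(report, dict) else report
    return [f for f in items if isinstance(f, dict) and "severity" in f]


def summarize(reports):
    """Count findings as {(report name, SEVERITY): n}."""
    counts = Counter()
    for name, report in reports.items():
        for f in extract_findings(report):
            counts[(name, str(f["severity"]).upper())] += 1
    return counts


def blocking_count(counts, fail_on=("CRITICAL", "HIGH")):
    """Number of findings at a severity that must be fixed before release."""
    return sum(n for (_, sev), n in counts.items() if sev in fail_on)


def render_markdown(counts, names):
    """Per-scanner severity table, suitable for posting as a PR comment."""
    rows = ["| Scanner | " + " | ".join(SEVERITIES) + " |",
            "|---|" + "---|" * len(SEVERITIES)]
    for name in names:
        cells = " | ".join(str(counts[(name, s)]) for s in SEVERITIES)
        rows.append(f"| {name} | {cells} |")
    return "\n".join(rows)


def load_reports(root):
    """Read whichever of the four report files exist under root."""
    reports = {}
    for fname in REPORT_FILES:
        path = Path(root) / fname
        if path.is_file():
            reports[fname] = json.loads(path.read_text(encoding="utf-8"))
    return reports


if __name__ == "__main__":
    # Usage: python3 gate.py <project-root>; with no argument the sample reports run.
    reports = load_reports(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORTS
    counts = summarize(reports)
    print(render_markdown(counts, list(reports)))
    blocking = blocking_count(counts)
    print(f"\n{blocking} CRITICAL/HIGH finding(s)")
    sys.exit(1 if blocking else 0)
```

The `fail_on` tuple is the only knob: a pre-commit hook might pass `("CRITICAL",)` to keep the gate lightweight, while the release build keeps the default and also requires the manual categories to be signed off separately, since nothing here covers M3/M4/M6/M7/M8/M10.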