Agent skill for Apple platform security work in Swift. It covers Keychain Services, biometric access control, CryptoKit, Secure Enclave, certificate trust, and secure credential storage on iOS and macOS.
The point is simple: AI tools are often shaky on security code, especially around Keychain, biometrics, and cryptography. This repo gives them better defaults, sharper review guidance, and Apple-specific implementation patterns.
The guidance is based on Apple documentation, DTS engineer guidance, WWDC sessions, and OWASP MASTG.
- Reviewing Swift security code for storage, auth, and crypto mistakes
- Implementing Keychain, biometrics, Secure Enclave, and CryptoKit correctly
- Moving secrets out of
UserDefaults, plists, or legacy storage - Mapping Apple-platform code to OWASP Mobile Top 10 / MASVS checks
AI coding assistants routinely generate dangerous Apple security code. This skill exists to catch those patterns and replace them with safer ones.
npx skills add https://github.com/ivan-magda/swift-security-skill --skill swift-security-expertFor more information, visit the skills.sh platform page.
Then use it in your AI agent:
Use the swift security expert skill and review the current security code for authentication bypasses, credential storage issues, and cryptographic correctness.
/plugin marketplace add ivan-magda/swift-security-skill
/plugin install swift-security-expert@swift-security-skillTo automatically provide this skill to everyone working in a repository, configure .claude/settings.json:
{
"enabledPlugins": {
"swift-security-expert@swift-security-skill": true
},
"extraKnownMarketplaces": {
"swift-security-skill": {
"source": {
"source": "github",
"repo": "ivan-magda/swift-security-skill"
}
}
}
}Upload the swift-security-expert/ folder contents to a Claude Project's knowledge base. Include SKILL.md and all files from references/.
- Clone this repository
- Install or symlink the
swift-security-expert/folder following your tool's skill installation docs - Ask your AI tool to use the "swift security expert" skill for security tasks
- Codex: Where to save skills
- Claude: Using Skills
- Cursor: Enabling Skills
How to verify: Your agent should use SKILL.md as the router and load the relevant reference files for the task.
- Catch
LAContext.evaluatePolicy()used as a standalone auth gate - Flag secrets stored in
UserDefaults, property lists, or source - Catch ignored
OSStatusfailures and weakkSecAttrAccessiblechoices
- Implement keychain-backed biometrics with
SecAccessControl - Use correct
SecItemAdd/SecItemCopyMatchingadd-or-update flows - Generate and use Secure Enclave keys without simulator mistakes
- Store and rotate OAuth tokens safely
- Choose between
.biometryCurrentSet,.biometryAny, and.userPresence - Pick the right accessibility class for foreground vs background access
- Choose between AES-GCM and ChaChaPoly, P256 and Curve25519, and newer post-quantum options on iOS 26+
- Decide between Keychain Sharing and App Groups for shared credentials
- Map findings to OWASP Mobile Top 10 (2024)
- Check MASVS / MASTG alignment
- Produce audit-ready notes for reviews
| # | Domain | Risk | Key APIs |
|---|---|---|---|
| 1 | Keychain Fundamentals | CRITICAL | SecItemAdd, SecItemCopyMatching, SecItemUpdate, SecItemDelete, OSStatus |
| 2 | Keychain Item Classes | HIGH | kSecClassGenericPassword, kSecClassInternetPassword, kSecClassKey, kSecClassCertificate, kSecClassIdentity |
| 3 | Keychain Access Control | CRITICAL | kSecAttrAccessible* (7 levels), SecAccessControlCreateWithFlags, NSFileProtection |
| 4 | Biometric Authentication | CRITICAL | LAContext, evaluatePolicy, SecAccessControlCreateWithFlags, .biometryCurrentSet, .biometryAny |
| 5 | Secure Enclave | HIGH | SecureEnclave.P256.Signing.PrivateKey, SecureEnclave.isAvailable, kSecAttrTokenIDSecureEnclave |
| 6 | CryptoKit — Symmetric | HIGH | SHA256–SHA3_256, HMAC, AES.GCM, ChaChaPoly, SymmetricKey |
| 7 | CryptoKit — Public Key | HIGH | P256, P384, Curve25519, HKDF, HPKE (iOS 17+), MLKEM768, MLDSA65 (iOS 26+) |
| 8 | Credential Storage Patterns | CRITICAL | ASWebAuthenticationSession, keychain token patterns, kSecAttrSynchronizable |
| 9 | Keychain Sharing | MEDIUM | kSecAttrAccessGroup, keychain-access-groups, App Groups entitlement |
| 10 | Certificate Trust | HIGH | SecCertificate, SecTrust, SecTrustEvaluateAsyncWithError, SecIdentity |
| 11 | Migration — Legacy Stores | MEDIUM | UserDefaults.removeObject, FileManager.removeItem, first-launch flag pattern |
| 12 | Common Anti-Patterns | CRITICAL | All anti-pattern APIs with correct/incorrect corrections |
| 13 | Testing Security Code | MEDIUM | XCTest, protocol-based keychain mocks, Swift Testing, CI/CD strategies |
| 14 | Compliance & OWASP Mapping | MEDIUM | OWASP M1, M3, M9, M10; MASVS controls; MASTG test cases |
- CRITICAL — mistakes that can lead to data exposure or auth bypass
- HIGH — mistakes that weaken security or break cryptographic correctness
- MEDIUM — mistakes that hurt reliability, testing, or auditability
- Correctness over coverage. Reference files include correct and incorrect examples, plus why the wrong pattern fails.
- Apple-specific. Focuses on Apple APIs and Apple-platform failure modes, not generic security advice.
- Non-opinionated. Stays close to documented Apple behavior and verified patterns rather than pushing one architecture.
- Practical. Built for review, fixes, and implementation work — not just reference reading.
SKILL.md is a router. It looks at the task — review, improve, or implement — then pulls in the right reference files.
Use it to audit existing code. The skill runs the review checklist, flags findings as pass/fail/warning, and points to the exact reference file and section behind each call.
Use it to fix or modernize existing code. The skill identifies the gap, loads the relevant migration and domain references, then applies the safer pattern.
Use it to build a security feature from scratch. The skill selects the relevant domains and follows the correct patterns from the start.
Contributions are welcome. When adding or editing reference files:
- Every reference file must have an H1 title, a scope blockquote, and a
## Summary Checklistat the bottom - Code examples use ✅ (correct) and ❌ (incorrect) markers — always provide both for security patterns
- Cite iOS version requirements for every API (
iOS 13+,iOS 17+,iOS 26+) - Cross-references use backtick-quoted filenames:
keychain-fundamentals.md - One canonical source per pattern — other files get a one-sentence summary + cross-reference link
- Cite Apple documentation URLs, WWDC session numbers, or Quinn "The Eskimo!" DTS posts for every non-obvious claim
See AGENTS.md for full contribution format, testing constraints, and scope boundaries.
- Apple Keychain Services Documentation
- Apple CryptoKit Documentation
- WWDC 2019-709 — "Cryptography and Your Apps"
- WWDC 2020 — "Secure your app: threat modeling and anti-patterns"
- WWDC 2025 — "Get ahead with quantum-secure cryptography"
- TN3137 — On Mac keychain APIs and implementations
- OWASP Mobile Top 10 (2024)
- OWASP MASVS
- OWASP MASTG
MIT