Skill

role-mobile:mobile-security

Expert guidance on mobile application security — certificate pinning, secure storage (Keychain on iOS, KeyStore on Android), code obfuscation (ProGuard, R8), root/jailbreak detection, biometric authentication, secure inter-process communication, and App Transport Security. Use when hardening mobile apps or implementing security features.

Install

npx claudepluginhub rnavarych/alpha-engineer --plugin role-mobile

Tool Access

This skill is limited to using the following tools:

ReadGrepGlobBash

Preview

- Implementing certificate pinning to prevent MITM attacks

Supporting Assets

references/network-storage-security.mdreferences/obfuscation-runtime-auth.md

SKILL.md

Similar Skills

skill-lookup

Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.

prompts.chat

157.6k

prompt-lookup

Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.

prompts.chat

157.6k

accessibility

Designs, implements, and audits WCAG 2.2 AA accessible UIs for Web (ARIA/HTML5), iOS (SwiftUI traits), and Android (Compose semantics). Audits code for compliance gaps.

everything-claude-code

156.2k

Stats

Parent Repo Stars9

Parent Repo Forks0

Last CommitMar 3, 2026

Actions

View Source View Plugin View on GitHub View README

role-mobile:mobile-security

When to use

Implementing certificate pinning to prevent MITM attacks

Storing tokens, keys, or credentials securely on-device

Enabling R8/ProGuard obfuscation and verifying the mapping file

Adding root/jailbreak detection with layered strategies

Integrating biometric authentication (Face ID, Touch ID, BiometricPrompt)

Hardening IPC: intent validation, Universal Links, ContentProvider permissions

Auditing App Transport Security exceptions before App Store submission

Core principles

Device is hostile by default — assume the attacker has physical access and a debugger

Two pins, always — a single certificate pin that expires locks out every user in production

Keychain/KeyStore, not files — hardware-backed key storage exists; use it

Multi-layer detection — one jailbreak check is bypassable in 30 seconds; five is a weekend project

Never trust client-side alone — client detection is delay, not prevention; validate on the server too

Reference Files

references/network-storage-security.md — certificate pinning rationale, iOS URLSession/NSPinnedDomains/TrustKit implementation, Android network_security_config.xml and OkHttp CertificatePinner, cross-platform pinning libraries, iOS Keychain Services access controls, Android KeyStore hardware-backed keys and EncryptedSharedPreferences, cross-platform secure storage libraries, App Transport Security configuration

references/obfuscation-runtime-auth.md — Android R8/ProGuard configuration and resource shrinking, iOS symbol stripping, React Native/Flutter obfuscation caveats, root/jailbreak detection strategies and evasion limits, iOS LAContext biometrics, Android BiometricPrompt with CryptoObject, secure IPC patterns (explicit intents, Universal Links, ContentProvider permissions)

Mobile Security

When to use

Implementing certificate pinning to prevent MITM attacks
Storing tokens, keys, or credentials securely on-device
Enabling R8/ProGuard obfuscation and verifying the mapping file
Adding root/jailbreak detection with layered strategies
Integrating biometric authentication (Face ID, Touch ID, BiometricPrompt)
Hardening IPC: intent validation, Universal Links, ContentProvider permissions
Auditing App Transport Security exceptions before App Store submission

Core principles

Device is hostile by default — assume the attacker has physical access and a debugger
Two pins, always — a single certificate pin that expires locks out every user in production
Keychain/KeyStore, not files — hardware-backed key storage exists; use it
Multi-layer detection — one jailbreak check is bypassable in 30 seconds; five is a weekend project
Never trust client-side alone — client detection is delay, not prevention; validate on the server too

Reference Files

references/network-storage-security.md — certificate pinning rationale, iOS URLSession/NSPinnedDomains/TrustKit implementation, Android network_security_config.xml and OkHttp CertificatePinner, cross-platform pinning libraries, iOS Keychain Services access controls, Android KeyStore hardware-backed keys and EncryptedSharedPreferences, cross-platform secure storage libraries, App Transport Security configuration
references/obfuscation-runtime-auth.md — Android R8/ProGuard configuration and resource shrinking, iOS symbol stripping, React Native/Flutter obfuscation caveats, root/jailbreak detection strategies and evasion limits, iOS LAContext biometrics, Android BiometricPrompt with CryptoObject, secure IPC patterns (explicit intents, Universal Links, ContentProvider permissions)