
security skill

/skills/ios/security

This skill helps you implement iOS security best practices for Keychain, biometrics, data protection, and network security across apps.

npx playbooks add skill hoangnguyen0403/agent-skills-standard --skill security


Files (2): SKILL.md (1.6 KB)
---
name: iOS Security
description: Standards for Keychain, Biometrics, and Data Protection.
metadata:
  labels: [ios, security, keychain, encryption]
  triggers:
    files: ['**/*.swift']
    keywords:
      [SecItemAdd, kSecClassGenericPassword, LAContext, LocalAuthentication]
---

# iOS Security Standards

## **Priority: P0 (CRITICAL)**

## Implementation Guidelines

### Key Storage

- **Keychain**: Use for sensitive tokens, passwords, and identifiers (UUIDs). Never store in `UserDefaults`.
- **Wrappers**: Use high-level wrappers like SwiftKeychainWrapper or Valet to avoid raw Security.framework C-APIs.
- **Biometrics**: Use `LocalAuthentication` for FaceID/TouchID. Verify availability with `canEvaluatePolicy(_:error:)` before evaluation.
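The Key Storage guidance above, as an added example (not the skill's own `references/implementation.md`, which is not shown on this page): a small generic-password store built directly on `SecItemAdd` / `SecItemUpdate` / `SecItemCopyMatching`, for cases where a wrapper such as Valet is not available. Items are stored with `kSecAttrAccessibleWhenUnlockedThisDeviceOnly`, so they are readable only while the device is unlocked and are never restored onto a different device from a backup. The service name is a placeholder.

```swift
import Foundation
import Security

/// Minimal Keychain store for generic-password items (added example, not project code).
enum KeychainStore {
    enum KeychainError: Error {
        case unexpectedStatus(OSStatus)
        case itemNotFound
    }

    private static let service = "com.example.app.tokens"  // placeholder service name

    /// Writes or overwrites `value` for `account`.
    static func set(_ value: Data, account: String) throws {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        let attributes: [String: Any] = [
            kSecValueData as String: value,
            // Device-only, unlocked-only: the strictest option that still works for foreground use.
            kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        ]
        var addQuery = query
        addQuery.merge(attributes) { $1 }

        // Try to add; if the item already exists, update it in place instead.
        let status = SecItemAdd(addQuery as CFDictionary, nil)
        switch status {
        case errSecSuccess:
            return
        case errSecDuplicateItem:
            let updateStatus = SecItemUpdate(query as CFDictionary, attributes as CFDictionary)
            guard updateStatus == errSecSuccess else {
                throw KeychainError.unexpectedStatus(updateStatus)
            }
        default:
            throw KeychainError.unexpectedStatus(status)
        }
    }

    /// Reads the stored value for `account`, throwing `.itemNotFound` if absent.
    static func get(account: String) throws -> Data {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
        ]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        switch status {
        case errSecSuccess:
            guard let data = result as? Data else { throw KeychainError.unexpectedStatus(status) }
            return data
        case errSecItemNotFound:
            throw KeychainError.itemNotFound
        default:
            throw KeychainError.unexpectedStatus(status)
        }
    }

    /// Removes the item; a missing item is not treated as an error.
    static func delete(account: String) throws {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        let status = SecItemDelete(query as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw KeychainError.unexpectedStatus(status)
        }
    }
}

// Usage (constructed sample value): store a refresh token and read it back.
// try KeychainStore.set(Data("refresh-token-placeholder".utf8), account: "refreshToken")
// let token = try KeychainStore.get(account: "refreshToken")
```

The add-then-update pattern matters in review: calling `SecItemAdd` alone fails with `errSecDuplicateItem` on the second save, and a common workaround of deleting first creates a window where the secret is absent. Every `OSStatus` other than success is surfaced as an error rather than ignored.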

### Data Protection

- **File Encryption**: Use `Data.WritingOptions.completeFileProtection` when saving files to disk.
- **App Sandboxing**: Respect the sandbox; do not attempt to access files outside of your container.
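The Data Protection guidance above, as an added example that is not part of the skill's own files: a write into the app's own container with `.completeFileProtection`, followed by a read-back of the file's protection attribute. The verification step exists because protection is a per-file attribute, so one plain `write(to:)` elsewhere in the code base can silently leave a copy of the data with the weaker default class. The file name is a placeholder.

```swift
import Foundation

/// Saves sensitive bytes inside the sandbox with complete file protection (added example).
enum ProtectedFileStore {
    enum StoreError: Error {
        case protectionNotApplied(actual: String?)
    }

    /// Always resolve paths through FileManager so writes stay inside the app container.
    static func documentsDirectory() throws -> URL {
        try FileManager.default.url(for: .documentDirectory,
                                    in: .userDomainMask,
                                    appropriateFor: nil,
                                    create: true)
    }

    /// Writes `data` to Documents/<name> and confirms the protection class landed.
    static func save(_ data: Data, named name: String) throws -> URL {
        let url = try documentsDirectory().appendingPathComponent(name)
        // .completeFileProtection: encrypted at rest, readable only while the device is unlocked.
        // .atomic: write to a temporary file then rename, so a crash never leaves a partial file.
        try data.write(to: url, options: [.atomic, .completeFileProtection])
        try verifyCompleteProtection(at: url)
        return url
    }

    /// Reads the protection attribute back and fails if it is anything but `.complete`.
    static func verifyCompleteProtection(at url: URL) throws {
        let attributes = try FileManager.default.attributesOfItem(atPath: url.path)
        let protection = attributes[.protectionKey] as? FileProtectionType
        guard protection == .complete else {
            throw StoreError.protectionNotApplied(actual: protection?.rawValue)
        }
    }
}

// Usage (constructed sample payload): cache a document that contains user data.
// let url = try ProtectedFileStore.save(Data("constructed PDF bytes".utf8), named: "statement.pdf")
```

The protection attribute is only meaningful on a device with a passcode set; on the simulator the read-back may not report a class, so this check belongs in on-device tests. If the file must be readable while the app runs in the background after a lock, `.completeUnlessOpen` is the next-strongest option; `.complete` should stay the default.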

### Network Security

- **ATS**: Don't disable App Transport Security (ATS) globally in `Info.plist`. Use exceptions only if strictly necessary.
- **SSL Pinning**: Use TrustKit or Alamofire pinning for backend-critical applications.
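The Network Security guidance above, as an added example that is neither TrustKit nor Alamofire code: a `URLSessionDelegate` that first runs the system's normal chain validation and then additionally requires that some certificate in the validated chain matches a pinned SHA-256 hash of its DER encoding. Pinning full certificates is simpler than the SubjectPublicKeyInfo pinning TrustKit performs, at the cost of needing a pin update on every certificate rotation; the pin value below is a placeholder.

```swift
import Foundation
import Security
import CryptoKit

/// URLSession delegate that enforces certificate pinning on top of standard TLS validation
/// (added example, not the project's own code).
final class PinningSessionDelegate: NSObject, URLSessionDelegate {
    /// Lowercase hex SHA-256 digests of the DER encoding of the certificates we accept.
    private let pinnedCertificateHashes: Set<String>

    init(pinnedCertificateHashes: Set<String>) {
        self.pinnedCertificateHashes = pinnedCertificateHashes
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server-trust challenges are pinned; everything else gets default handling.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let serverTrust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: standard validation (expiry, hostname, trusted root). Pinning is added on top,
        // never used as a replacement for it.
        var evaluationError: CFError?
        guard SecTrustEvaluateWithError(serverTrust, &evaluationError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: compare every certificate in the validated chain against the pin set (iOS 15+ API).
        guard let chain = SecTrustCopyCertificateChain(serverTrust) as? [SecCertificate] else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let chainHashes = chain.map { certificate in
            Self.sha256Hex(of: SecCertificateCopyData(certificate) as Data)
        }
        if chainHashes.contains(where: { pinnedCertificateHashes.contains($0) }) {
            completionHandler(.useCredential, URLCredential(trust: serverTrust))
        } else {
            // No match: fail closed. Log only that pinning failed, never the peer's details.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }

    static func sha256Hex(of data: Data) -> String {
        SHA256.hash(data: data).map { String(format: "%02x", $0) }.joined()
    }
}

// Usage: build the session once and reuse it for all calls to the pinned backend.
// let delegate = PinningSessionDelegate(pinnedCertificateHashes: ["<sha256-hex-of-backend-cert-placeholder>"])
// let session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
```

Ship at least one backup pin (the next certificate, or an intermediate) so a rotation does not lock users out. On the ATS side, if an exception is unavoidable it belongs under `NSExceptionDomains` for the specific host in `Info.plist`, not under a global `NSAllowsArbitraryLoads`.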

## Anti-Patterns

- **UserDefaults for Secrets**: No secrets in `UserDefaults`; use the Keychain.
- **Ignoring LAError Handling**: Handle `LAError`; check for `userCancel`, `authenticationFailed`, etc.
- **Printing Tokens**: No logging of PII or tokens; ensure such logs are stripped in Release builds.
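The biometrics guidance under Key Storage and the "Ignoring LAError Handling" anti-pattern above, as one added example that is not the skill's own reference code: an `LAContext` gate that checks `canEvaluatePolicy(_:error:)` before evaluating and maps each `LAError` case to an outcome the caller can act on, so cancellation, lockout and fallback are not all collapsed into "failed". The prompt text is a placeholder.

```swift
import Foundation
import LocalAuthentication

/// What the calling flow should do after a biometric check (added example, not project code).
enum BiometricOutcome {
    case success
    case unavailable(reason: String)   // not supported, not enrolled, or policy check failed
    case userCancelled                 // user, app or system dismissed the prompt
    case lockedOut                     // too many failed attempts; offer the device passcode
    case fallbackRequested             // user tapped the fallback button on the prompt
    case failed(LAError.Code)          // any other LAError
}

final class BiometricGate {
    private let context = LAContext()

    func check(reason: String = "Confirm it is you",   // placeholder; keep free of PII
               completion: @escaping (BiometricOutcome) -> Void) {
        // 1. Availability first. Evaluating on an unsupported or unenrolled device only yields an error.
        var availabilityError: NSError?
        guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                        error: &availabilityError) else {
            completion(.unavailable(reason: availabilityError?.localizedDescription
                                             ?? "biometrics unavailable"))
            return
        }

        // 2. Evaluate and classify every LAError case explicitly.
        context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                               localizedReason: reason) { success, error in
            if success {
                completion(.success)
                return
            }
            guard let laError = error as? LAError else {
                completion(.failed(.authenticationFailed))
                return
            }
            switch laError.code {
            case .userCancel, .appCancel, .systemCancel:
                completion(.userCancelled)
            case .biometryLockout:
                completion(.lockedOut)
            case .userFallback:
                completion(.fallbackRequested)
            case .biometryNotAvailable, .biometryNotEnrolled:
                completion(.unavailable(reason: laError.localizedDescription))
            default:
                completion(.failed(laError.code))
            }
        }
    }
}

// Usage: gate a re-authentication flow. Log only the outcome category, never the error text.
// BiometricGate().check { outcome in
//     switch outcome {
//     case .success: break            // continue the sensitive action
//     case .lockedOut, .fallbackRequested: break   // present passcode or password UI
//     default: break                  // return to the previous screen
//     }
// }
```

On the logging anti-pattern: the `localizedDescription` values above are fine to show to the user but should not be written to analytics, and any `print`/`NSLog` of tokens or identifiers in this path should be wrapped in `#if DEBUG` or removed so Release builds emit nothing sensitive.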

## References

- [Keychain & Biometrics Implementation](references/implementation.md)

## Related Topics

common/security-standards | architecture

Overview

This skill codifies iOS security standards for Keychain, Biometrics, Data Protection, and network practices. It highlights what to store where, safe APIs to use, and critical anti-patterns to avoid in production apps. The guidance is practical and focused on reducing risk in mobile apps.

How this skill works

The skill inspects common storage and authentication patterns and prescribes concrete alternatives (Keychain, Valet wrappers, LocalAuthentication). It enforces file protection and sandbox boundaries when writing data to disk. It also covers network hardening like ATS adherence and SSL pinning for critical backends.

When to use it

  • When storing tokens, passwords, or persistent identifiers (never UserDefaults).
  • When adding biometric authentication (Face ID / Touch ID) to flows requiring strong authentication.
  • When persisting files that contain sensitive data to disk.
  • When configuring App Transport Security or implementing SSL pinning for backend calls.
  • During code reviews to catch logging of PII or insecure storage calls.

Best practices

  • Store secrets in Keychain and prefer high-level wrappers (Valet or SwiftKeychainWrapper) over raw Security.framework C-APIs.
  • Check biometric availability with LAContext.canEvaluatePolicy(_:error:) from the LocalAuthentication framework and handle LAError cases (userCancel, authenticationFailed, etc.).
  • Write sensitive files with Data.WritingOptions.completeFileProtection and honor app sandbox restrictions.
  • Do not disable ATS globally in Info.plist; apply least-privilege exceptions only when necessary.
  • Avoid logging tokens or PII; strip sensitive logs in Release builds and use secure analytics/configuration pipelines.

Example use cases

  • Save OAuth refresh tokens and device identifiers securely using Keychain via Valet.
  • Protect a locally cached PDF containing user data using completeFileProtection before disk write.
  • Add Touch ID/Face ID to a fast-reauth flow, verifying canEvaluatePolicy and handling user cancellation paths.
  • Enable SSL pinning for a payment or health backend using TrustKit or Alamofire pinning.
  • Audit an app to replace UserDefaults leaks and remove any print/NSLog of secrets.

FAQ

Can I store an API key in UserDefaults if obfuscated?

No. Obfuscation is not a substitute for secure storage—use the Keychain and appropriate access controls.

When is it acceptable to relax ATS?

Only when a backend cannot meet ATS requirements and you have documented, time-limited exceptions; prefer updating the server to support TLS 1.2+ and strong ciphers.