How to install swift-security
npx skills add https://github.com/dpearson2699/swift-ios-skills --skill swift-securityFull instructions (SKILL.md)
Source of truth, from dpearson2699/swift-ios-skills.
name: swift-security description: Use when working with iOS/macOS Keychain Services (SecItem queries, kSecClass, OSStatus errors), biometric authentication (LAContext, Face ID, Touch ID), CryptoKit (AES-GCM, ChaChaPoly, ECDSA, ECDH, HPKE, ML-KEM), Secure Enclave, secure credential storage (OAuth tokens, API keys), certificate pinning (SecTrust, SPKI), keychain sharing across apps/extensions, migrating secrets from UserDefaults or plists, or OWASP MASVS/MASTG mobile compliance on Apple platforms. license: MIT
Swift Security
Use this skill for client-side Apple platform security work: Keychain Services, access control, biometric-gated secrets, CryptoKit, Secure Enclave keys, credential storage, certificate trust, keychain sharing, legacy secret migration, security testing, and OWASP mobile compliance mapping.
Default to iOS 17+ and Swift concurrency examples when the deployment target is unknown. Keep iOS 13+ compatibility notes when the user asks for older targets. Treat iOS 26 CryptoKit post-quantum APIs as availability-gated.
Contents
- Workflow
- Reference Loading
- Security Invariants
- Sibling Boundaries
- Review Checklist
- Common Mistakes
- Output Rules
- References
Workflow
Classify the request before loading references.
- Review existing code: run the Review Checklist, then load common-anti-patterns.md plus the domain reference for each failing area. Report severity, evidence, and the corrected pattern.
- Improve or migrate code: identify the migration type, load the migration and target-domain references, preserve existing data, verify the new item, then remove legacy storage only after success.
- Implement new security code: load the minimum domain references, use the provided correct patterns, include OSStatus handling and tests, then run the relevant checklist.
Do not load every reference file by default. This skill is intentionally split for progressive disclosure; load only the files needed by the user's task.
Reference Loading
| If the task involves | Load |
|---|---|
| General keychain CRUD or OSStatus handling | keychain-fundamentals.md |
Choosing kSecClass or item identity | keychain-item-classes.md |
Accessibility classes or SecAccessControl | keychain-access-control.md |
| Face ID, Touch ID, or biometric-gated secrets | biometric-authentication.md |
| Secure Enclave keys | secure-enclave.md |
| Hashing, HMAC, AES-GCM, ChaChaPoly, HKDF, PBKDF2 | cryptokit-symmetric.md |
| Signing, ECDH, HPKE, ML-KEM, ML-DSA | cryptokit-public-key.md |
| OAuth tokens, API keys, logout, refresh rotation | credential-storage-patterns.md |
| App/extension keychain sharing | keychain-sharing.md |
| Certificate trust, SPKI pinning, mTLS | certificate-trust.md |
| UserDefaults/plist/NSCoding migration | migration-legacy-stores.md |
| Unit, integration, simulator, device, or CI tests | testing-security-code.md |
| OWASP MASVS/MASTG or enterprise audit mapping | compliance-owasp-mapping.md |
| Full security review | common-anti-patterns.md, then each touched domain reference |
Security Invariants
Use directive language only for these security invariants and the matching anti-patterns in common-anti-patterns.md. For architecture choices outside this list, use advisory language.
- Never store tokens, passwords, API keys, signing keys, or refresh tokens in
UserDefaults,Info.plist,.xcconfig, source code, logs, files, orNSCodingarchives. Use Keychain or fetch secrets at runtime. - Never ignore
OSStatus. EverySecItemAdd,SecItemCopyMatching,SecItemUpdate, andSecItemDeletepath must handle success and expected failures such aserrSecDuplicateItem,errSecItemNotFound, anderrSecInteractionNotAllowed. - Never use
LAContext.evaluatePolicy()as the only gate for a secret. Bind protected secrets to keychain items withSecAccessControl, then let keychain access trigger LocalAuthentication. - Always set
kSecAttrAccessibleorkSecAttrAccessControlexplicitly when adding keychain items. - Always use add-or-update for persistent keychain writes. Do not delete-then-add as a normal update path.
- Keep
SecItem*work off the main actor. Use an actor or serial queue for keychain access. - On macOS AppKit targets, target the data protection keychain with
kSecUseDataProtectionKeychain: trueunless deliberately working with legacy file-based keychain items. - Never reuse an AES-GCM nonce with the same key.
- Never use raw ECDH
SharedSecretbytes as a symmetric key. Derive with HKDF or X9.63 derivation. - Never use
Insecure.MD5orInsecure.SHA1for security purposes.
Sibling Boundaries
This skill owns client-side storage, cryptographic primitives, hardware-backed keys, and trust evaluation. Route adjacent work deliberately:
- Use
authenticationfor Sign in with Apple, passkeys, OAuth UI flows,ASAuthorizationController, credential state, and account sign-in UX. - Use
cryptokitfor primitive CryptoKit API syntax and examples when storage, key lifecycle, protocol/trust design, Secure Enclave policy, certificate trust, misuse review, or compliance is not part of the task. - Keep application-level E2E encryption security reviews here when the work involves key ownership, derivation, storage, rotation/recovery, Secure Enclave, HPKE/PQC migration, protocol trust boundaries, or misuse analysis.
- Use
device-integrityfor DeviceCheck and App Attest attestation/assertion flows. - Use
ios-networkingfor URLSession, request pipelines, ATS configuration, retries, caching, reachability, and transport architecture. - Use
app-store-reviewfor privacy manifests, ATT, App Review guideline compliance, and submission readiness.
This skill may mention those areas only to identify a security handoff.
Review Checklist
Use this checklist for code reviews and migration plans. Mark each item pass, fail, or not applicable; for each failure, cite the reference file and severity.
- Secrets are not stored in
UserDefaults, plists, source, logs, files, or archives. - Every
SecItem*call checksOSStatusand handles common recoverable errors. - Biometric access to secrets is keychain-bound with
SecAccessControl, not a standaloneBoolfromLAContext.evaluatePolicy(). - Keychain add dictionaries set an explicit accessibility policy.
- Keychain writes use add-or-update rather than delete-then-add.
- Keychain work is isolated from UI/main-actor code.
- The selected
kSecClassmatches the item type and primary-key attributes. - CryptoKit code avoids nonce reuse, raw shared-secret use, weak hashes, and hardcoded keys.
- Custom encryption designs identify key ownership, derivation, storage, rotation/recovery, availability gates, and protocol/trust boundaries.
- Secure Enclave code checks availability, handles simulator/device differences,
persists only
dataRepresentation, and designs for device-bound keys. - App/extension sharing uses full Team ID access groups and matching entitlements on every target.
- Certificate trust uses current
SecTrustAPIs, validates hostname/policy, and uses SPKI or CA pinning when pinning is required. - macOS keychain code intentionally chooses data protection or file-based keychain behavior.
- Tests cover success, duplicate, missing item, locked-device, simulator/device, and migration paths where applicable.
- OWASP MASVS/MASTG mappings are included when compliance is requested.
Common Mistakes
- Generating partial keychain examples without duplicate handling or
errSecItemNotFoundhandling. - Adding biometric UI but leaving the secret readable without keychain access control.
- Choosing
kSecAttrAccessibleWhenUnlockedimplicitly by omitting the attribute. - Using
kSecAttrAccessibleAlwaysorkSecAttrAccessibleAlwaysThisDeviceOnly, both deprecated. - Mixing
kSecAttrAccessibleandkSecAttrAccessControlon the same add query. - Treating Secure Enclave keys as importable, exportable, syncable, or suitable for symmetric encryption.
- Claiming SHA-3, ML-KEM, ML-DSA, or X-Wing CryptoKit APIs are available before iOS 26.
- Treating HPKE as available before iOS 17.
- Implementing certificate pinning by hashing only raw key bytes instead of the correct SPKI representation.
- Expanding this skill into account-login, networking, App Attest, or App Store review guidance instead of handing off to sibling skills.
Output Rules
- For security findings, state severity: CRITICAL for exploitable secret or cryptography failures, HIGH for silent security boundary/data-loss issues, and MEDIUM for brittle or incomplete hardening.
- Include wrong and corrected code examples for implementation reviews when a concrete anti-pattern is present.
- Include minimum iOS/macOS availability when recommending versioned APIs.
- Cite the reference file that supports each substantive security pattern.
- For keychain code, include
OSStatushandling and explicit accessibility in examples. - For implementation or migration answers, end with
## Reference Filesand list the loaded references with a one-line purpose. - Do not invent WWDC session numbers or source citations. If a claim is not present in the loaded references or official Apple documentation, say it needs verification.
References
- keychain-fundamentals.md - SecItem CRUD, OSStatus handling, add-or-update, macOS data protection keychain.
- keychain-item-classes.md -
kSecClassselection, primary keys, certificates, identities. - keychain-access-control.md - Accessibility constants,
SecAccessControl, background access, data protection. - biometric-authentication.md - Keychain-bound biometrics,
LAContext, enrollment-change handling. - secure-enclave.md - Secure Enclave constraints, persistence, biometric keys, iOS 26 PQ APIs.
- cryptokit-symmetric.md - SHA, HMAC, AES-GCM, ChaChaPoly, HKDF, PBKDF2.
- cryptokit-public-key.md - Signing, key agreement, HPKE, ML-KEM, ML-DSA, key formats.
- credential-storage-patterns.md - OAuth tokens, API keys, rotation, logout cleanup.
- keychain-sharing.md - Access groups, extensions, iCloud sync, macOS access groups.
- certificate-trust.md - SecTrust, SPKI/CA pinning,
NSPinnedDomains, client certificates. - migration-legacy-stores.md - UserDefaults/plist/NSCoding migration and cleanup.
- common-anti-patterns.md - Review backbone for insecure generated code.
- testing-security-code.md - Protocol mocks, real keychain tests, CI/device split.
- compliance-owasp-mapping.md - OWASP Mobile Top 10, MASVS, MASTG evidence mapping.
Related skills
More from dpearson2699/swift-ios-skills and the wider catalog.
swiftui-animation
Implement, review, or improve SwiftUI animations and transitions. Use when adding explicit animations with withAnimation, configuring implicit animations with .animation(_:body:) or .animation(_:value:), configuring spring animations (.smooth, .snappy, .bouncy), building phase or keyframe animations with PhaseAnimator/KeyframeAnimator, creating hero transitions with matchedGeometryEffect or matchedTransitionSource, adding SF Symbol effects (iOS 17 bounce, pulse, variableColor, scale, appear, disappear, replace; iOS 18 breathe, rotate, wiggle), implementing custom Transition or CustomAnimation types, or ensuring animations respect accessibilityReduceMotion.
ios-accessibility
Implements, reviews, or improves accessibility in iOS/macOS apps with SwiftUI, UIKit, and AppKit. Use when adding VoiceOver, Voice Control, Switch Control, or Full Keyboard Access support; when working with accessibility labels, hints, values, traits, accessibilityInputLabels, NSAccessibility, grouping, reading order, accessibility focus restoration with @AccessibilityFocusState, Dynamic Type, @ScaledMetric, custom rotors, accessibility actions, XCTest accessibility checks, App Store Accessibility Nutrition Labels, App Store Connect accessibility answers, a11y compliance audits, or system accessibility preferences.
swiftui-patterns
Builds and reviews SwiftUI views with modern MV architecture, state management, view composition, and migration/availability guidance. Covers @Observable ownership rules, @State/@Bindable/@Environment wiring, view decomposition, custom ViewModifiers, environment values, async data loading with .task, iOS 26+ handoff reminders, Writing Tools, clipboard availability caveats, and performance guidelines. Use when structuring SwiftUI app state, managing @Observable, composing view hierarchies, or correcting SwiftUI pattern guidance.
swiftui-performance
Audit and improve SwiftUI runtime performance. Use when diagnosing slow rendering, janky scrolling, high CPU, memory usage, excessive view updates, layout thrash, body evaluation cost, identity churn, view lifetime issues, lazy loading, Instruments profiling guidance, and performance audit requests.
app-store-review
Prepare for App Store review and prevent rejections. Covers App Store review guidelines, app rejection reasons, PrivacyInfo.xcprivacy privacy manifest requirements, required API reason codes, in-app purchase IAP and StoreKit rules, App Store Guidelines compliance, ATT App Tracking Transparency, EU DMA Digital Markets Act, HIG compliance checklist, app submission preparation, review preparation, metadata requirements, entitlements, widgets, and Live Activities review rules. Use when preparing for App Store submission, fixing rejection reasons, auditing privacy manifests, implementing ATT consent flow, configuring StoreKit IAP, or checking HIG compliance.
ios-networking
Build, review, or improve networking code in iOS/macOS apps using URLSession with async/await, structured concurrency, and modern Swift patterns. Use when working with REST APIs, downloading files, uploading data, WebSocket connections, pagination, retry logic, request middleware, caching, background transfers, or network reachability monitoring. Also use when handling HTTP requests, API clients, network error handling, or data fetching in Swift apps.