A shareable collection of Claude Code Agent Skills for mobile application security testing, built on:
- OWASP MASVS v2 — Mobile Application Security Verification Standard
- OWASP MASTG — Mobile Application Security Testing Guide
- NowSecure — Secure Mobile Development best practices
| Skill | MASVS Category | Description |
|---|---|---|
| secure-storage-audit | MASVS-STORAGE | Audit data-at-rest: local storage, logs, backups, clipboard, keyboard cache |
| crypto-review | MASVS-CRYPTO | Review encryption algorithms, key management, RNG, hardcoded secrets |
| auth-assessment | MASVS-AUTH | Assess login flows, biometric auth, session management, step-up auth |
| network-security-check | MASVS-NETWORK | Check TLS config, certificate pinning, cleartext traffic, cert validation |
| platform-interaction-review | MASVS-PLATFORM | Review IPC, WebViews, deep links, content providers, UI security |
| code-quality-scan | MASVS-CODE | Scan dependencies, input validation, injection flaws, platform versions |
| resilience-assessment | MASVS-RESILIENCE | Assess anti-tampering, root/jailbreak detection, obfuscation, anti-debug |
| privacy-audit | MASVS-PRIVACY | Audit permissions, tracking, consent, data minimization, user controls |
| Skill | Description |
|---|---|
| mobile-threat-model | Generate STRIDE threat models mapped to MASVS controls with NowSecure risk tiering |
| masvs-checklist | Generate tailored MASVS v2 compliance checklists with MASTG test mappings |
| secure-mobile-dev-guide | Interactive secure development guidance with code examples for Android and iOS |
| mobile-pentest-plan | Generate comprehensive penetration testing plans based on MASTG methodology |
Add to your project's .claude/settings.json:
{
"plugins": [
"/path/to/mastg-skills"
]
}Copy the skills/ directory into your project's .claude/skills/ directory:
cp -r skills/* /path/to/your-project/.claude/skills/Copy into your personal Claude Code skills directory:
cp -r skills/* ~/.claude/skills/Skills are invoked automatically by Claude Code when relevant, or manually:
# Run a specific audit against your codebase
/secure-storage-audit ./path/to/mobile/app
/crypto-review ./path/to/mobile/app
/network-security-check ./path/to/mobile/app
# Generate compliance artifacts
/masvs-checklist ./path/to/mobile/app
/mobile-threat-model ./path/to/mobile/app
/mobile-pentest-plan ./path/to/mobile/app
# Get secure development guidance
/secure-mobile-dev-guide how to store tokens securely
/secure-mobile-dev-guide certificate pinning implementation
All 8 MASVS control groups are covered with 24 individual controls:
| Category | Controls | Skills |
|---|---|---|
| MASVS-STORAGE | 2 controls | secure-storage-audit |
| MASVS-CRYPTO | 2 controls | crypto-review |
| MASVS-AUTH | 3 controls | auth-assessment |
| MASVS-NETWORK | 2 controls | network-security-check |
| MASVS-PLATFORM | 3 controls | platform-interaction-review |
| MASVS-CODE | 4 controls | code-quality-scan |
| MASVS-RESILIENCE | 4 controls | resilience-assessment |
| MASVS-PRIVACY | 4 controls | privacy-audit |
Skills apply NowSecure's tiered security policy model:
- Tier 1 — No Sensitive Data: Basic network and code quality controls
- Tier 2 — Handles PII: Full storage, crypto, auth, platform, and privacy controls
- Tier 3 — Flagship / High-Value: All controls including resilience, pinning, and advanced privacy