swift-security
The swift-security skill provides guidance and patterns for implementing client-side cryptography and credential management on Apple platforms, covering Keychain Services, biometric authentication, CryptoKit algorithms, Secure Enclave integration, certificate pinning, and OWASP mobile security compliance. Use it when securing OAuth tokens or API keys, implementing Face ID or Touch ID workflows, migrating legacy secrets, or validating iOS/macOS security implementations against industry standards.
git clone --depth 1 https://github.com/dpearson2699/swift-ios-skills /tmp/swift-security && cp -r /tmp/swift-security/skills/swift-security ~/.claude/skills/swift-security

SKILL.md
# Swift Security

Use this skill for client-side Apple platform security work: Keychain Services, access control, biometric-gated secrets, CryptoKit, Secure Enclave keys, credential storage, certificate trust, keychain sharing, legacy secret migration, security testing, and OWASP mobile compliance mapping.

Default to iOS 17+ and Swift concurrency examples when the deployment target is unknown. Keep iOS 13+ compatibility notes when the user asks for older targets. Treat iOS 26 CryptoKit post-quantum APIs as availability-gated.

## Contents

- [Workflow](#workflow)
- [Reference Loading](#reference-loading)
- [Security Invariants](#security-invariants)
- [Sibling Boundaries](#sibling-boundaries)
- [Review Checklist](#review-checklist)
- [Common Mistakes](#common-mistakes)
- [Output Rules](#output-rules)
- [References](#references)

## Workflow

Classify the request before loading references.

1. Review existing code: run the [Review Checklist](#review-checklist), then load [common-anti-patterns.md](references/common-anti-patterns.md) plus the domain reference for each failing area. Report severity, evidence, and the corrected pattern.
2. Improve or migrate code: identify the migration type, load the migration and target-domain references, preserve existing data, verify the new item, then remove legacy storage only after success.
3. Implement new security code: load the minimum domain references, use the provided correct patterns, include OSStatus handling and tests, then run the relevant checklist.

Do not load every reference file by default. This skill is intentionally split for progressive disclosure; load only the files needed by the user's task.
## Reference Loading

| If the task involves | Load |
| --- | --- |
| General keychain CRUD or OSStatus handling | [keychain-fundamentals.md](references/keychain-fundamentals.md) |
| Choosing `kSecClass` or item identity | [keychain-item-classes.md](references/keychain-item-classes.md) |
| Accessibility classes or `SecAccessControl` | [keychain-access-control.md](references/keychain-access-control.md) |
| Face ID, Touch ID, or biometric-gated secrets | [biometric-authentication.md](references/biometric-authentication.md) |
| Secure Enclave keys | [secure-enclave.md](references/secure-enclave.md) |
| Hashing, HMAC, AES-GCM, ChaChaPoly, HKDF, PBKDF2 | [cryptokit-symmetric.md](references/cryptokit-symmetric.md) |
| Signing, ECDH, HPKE, ML-KEM, ML-DSA | [cryptokit-public-key.md](references/cryptokit-public-key.md) |
| OAuth tokens, API keys, logout, refresh rotation | [credential-storage-patterns.md](references/credential-storage-patterns.md) |
| App/extension keychain sharing | [keychain-sharing.md](references/keychain-sharing.md) |
| Certificate trust, SPKI pinning, mTLS | [certificate-trust.md](references/certificate-trust.md) |
| UserDefaults/plist/NSCoding migration | [migration-legacy-stores.md](references/migration-legacy-stores.md) |
| Unit, integration, simulator, device, or CI tests | [testing-security-code.md](references/testing-security-code.md) |
| OWASP MASVS/MASTG or enterprise audit mapping | [compliance-owasp-mapping.md](references/compliance-owasp-mapping.md) |
| Full security review | [common-anti-patterns.md](references/common-anti-patterns.md), then each touched domain reference |

## Security Invariants

Use directive language only for these security invariants and the matching anti-patterns in [common-anti-patterns.md](references/common-anti-patterns.md). For architecture choices outside this list, use advisory language.
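As an added example that is not the skill's own code, the following Swift helper puts the keychain invariants of this section together in one place: an explicit `SecAccessControl` instead of an `LAContext.evaluatePolicy()` gate, every `OSStatus` handled, add-or-update instead of delete-then-add, the data protection keychain selected, and all `SecItem*` calls kept inside an actor. The type name `BiometricSecretStore`, the `checkStatus` helper and the service string are assumptions made for the example.

```swift
import Foundation
import LocalAuthentication
import Security
enum KeychainError: Error { case itemNotFound, interactionNotAllowed, unexpected(OSStatus) }
// Every SecItem* status is inspected; the expected failures get typed errors.
func checkStatus(_ status: OSStatus) throws {
    switch status {
    case errSecSuccess: return
    case errSecItemNotFound: throw KeychainError.itemNotFound
    case errSecInteractionNotAllowed: throw KeychainError.interactionNotAllowed
    default: throw KeychainError.unexpected(status)
    }
}
// Actor keeps keychain work off the main actor. Hypothetical helper, not code from the skill.
actor BiometricSecretStore {
    private let service = "com.example.app"   // constructed sample service name
    private func baseQuery(account: String) -> [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account,
         kSecUseDataProtectionKeychain as String: true]   // data protection keychain on macOS too
    }
    // Add-or-update: SecItemAdd first, SecItemUpdate only on errSecDuplicateItem (never delete-then-add).
    func save(_ secret: Data, account: String) throws {
        var error: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            nil, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, .biometryCurrentSet, &error)
        else { throw error!.takeRetainedValue() as Error }
        var attrs = baseQuery(account: account)
        attrs[kSecAttrAccessControl as String] = access   // carries the protection class; do not also set kSecAttrAccessible
        attrs[kSecValueData as String] = secret
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecDuplicateItem else { return try checkStatus(status) }
        // Updating an access-controlled item prompts for biometry; errSecInteractionNotAllowed if it cannot.
        try checkStatus(SecItemUpdate(baseQuery(account: account) as CFDictionary,
                                      [kSecValueData as String: secret] as CFDictionary))
    }
    // The item's SecAccessControl triggers LocalAuthentication on read; LAContext only carries the prompt text.
    func read(account: String, reason: String) throws -> Data {
        let context = LAContext(); context.localizedReason = reason
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        query[kSecUseAuthenticationContext as String] = context
        var result: CFTypeRef?
        try checkStatus(SecItemCopyMatching(query as CFDictionary, &result))
        guard let data = result as? Data else { throw KeychainError.unexpected(errSecInternalError) }
        return data
    }
}
```

Callers hop onto the actor with `try await store.read(account: "refresh-token", reason: "Unlock your session")`, and the system biometric prompt appears at that keychain call rather than from a separate `evaluatePolicy()` check.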
- Never store tokens, passwords, API keys, signing keys, or refresh tokens in `UserDefaults`, `Info.plist`, `.xcconfig`, source code, logs, files, or `NSCoding` archives. Use Keychain or fetch secrets at runtime.
- Never ignore `OSStatus`. Every `SecItemAdd`, `SecItemCopyMatching`, `SecItemUpdate`, and `SecItemDelete` path must handle success and expected failures such as `errSecDuplicateItem`, `errSecItemNotFound`, and `errSecInteractionNotAllowed`.
- Never use `LAContext.evaluatePolicy()` as the only gate for a secret. Bind protected secrets to keychain items with `SecAccessControl`, then let keychain access trigger LocalAuthentication.
- Always set `kSecAttrAccessible` or `kSecAttrAccessControl` explicitly when adding keychain items.
- Always use add-or-update for persistent keychain writes. Do not delete-then-add as a normal update path.
- Keep `SecItem*` work off the main actor. Use an actor or serial queue for keychain access.
- On macOS AppKit targets, target the data protection keychain with `kSecUseDataProtectionKeychain: true` unless deliberately working with legacy file-based keychain items.
- Never reuse an AES-GCM nonce with the same key.
- Never use raw ECDH `SharedSecret` bytes as a symmetric key. Derive with HKDF or X9.63 derivation.
- Never use `Insecure.MD5` or `Insecure.SHA1` for security purposes.

## Sibling Boundaries

This skill owns client-side storage, cryptographic primitives, hardware-backed keys, and trust evaluation. Route adjacent work deliberately:

- Use `authentication` for Sign in with Apple, passkeys, OAuth UI flows, `ASAuthorizationController`, credential state, and account sign-in UX.
- Use `cryptokit` for general CryptoKit API usage when storage, keychain, Secure Enclave policy, certificate trust, or compliance review is not part of the task.
- Use `device-integrity` for DeviceCheck and App Attest attestation/assertion flows.
- Use `ios-networking` for URLSession, request pipelines, ATS configuration, retries, caching, reachability, and transport architecture.
- Use `app-store-review` for privacy manifests, ATT, App Review guideline compliance, and submission readiness.

This skill may mention those areas only to identify a security handoff.

## Review Checklist

Use this checklist for code reviews and migration plans. Mark each item pass, fail, or not applicable; for each failure, cite the reference file and
Discover and configure Bluetooth and Wi-Fi accessories using AccessorySetupKit. Use when presenting a privacy-preserving accessory picker, defining discovery descriptors for BLE or Wi-Fi devices, handling accessory session events, migrating from CoreBluetooth permission-based scanning, or setting up accessories without requiring broad Bluetooth permissions.
Implement, review, or improve Live Activities and Dynamic Island experiences in iOS apps using ActivityKit. Use when building real-time updating widgets for the Lock Screen and Dynamic Island — delivery tracking, sports scores, ride-sharing status, workout timers, media playback, or any time-sensitive information that updates in real time. Also use when working with ActivityKit, ActivityAttributes, Activity lifecycle (request/update/end), Dynamic Island layouts (compact/minimal/expanded), push-to-update Live Activities, or Lock Screen live widgets.
Measure ad effectiveness with privacy-preserving attribution using AdAttributionKit. Use when registering ad impressions, handling attribution postbacks, updating conversion values, implementing re-engagement attribution, configuring publisher or advertiser apps, or replacing SKAdNetwork with AdAttributionKit for ad measurement.
Implement AlarmKit alarms and countdown timers for iOS and iPadOS with Lock Screen, Dynamic Island, StandBy, and paired Apple Watch system UI. Covers AlarmManager scheduling, AlarmAttributes and AlarmPresentation, AlarmButton stop and snooze actions, authorization, state observation, countdown widget-extension handoff, and Live Activity integration. Use when building wake-up alarms, countdown timers, or alarm-style alerts that need Apple's system alarm experience.
Build iOS App Clips with invocation URLs, App Clip Codes, NFC, QR codes, Safari banners, Maps, Messages, target setup, App Store Connect experiences, size/capability constraints, NSUserActivity routing, SKOverlay promotion, App Group/keychain handoff, ephemeral notifications, location confirmation, and full-app migration. Use when creating App Clips or wiring App Clip invocation, experience configuration, or full-app handoff.
Implement App Intents for Siri, Shortcuts, Spotlight, widgets, Control Center, and Apple Intelligence on iOS. Covers AppIntent actions, AppEntity and EntityQuery models, AppShortcutsProvider phrases, IndexedEntity Spotlight indexing, WidgetConfigurationIntent, SnippetIntent, and assistant schemas. Use when exposing app actions or entities to system surfaces.
Optimize App Store product pages for search visibility and conversion. Use for App Store Optimization (ASO), keyword research, app name/subtitle/keyword-field strategy, conversion-focused descriptions and promotional text, screenshot captions and ordering, Custom Product Pages with assigned search keywords, In-App Events, Product Page Optimization tests, localized metadata, ratings/review strategy, and in-app review prompt timing with RequestReviewAction or AppStore.requestReview. Also use when routing ASO vs App Store review, privacy/ATT, or StoreKit implementation boundaries.
Prepare for App Store review and prevent rejections. Covers App Store review guidelines, app rejection reasons, PrivacyInfo.xcprivacy privacy manifest requirements, required API reason codes, in-app purchase IAP and StoreKit rules, App Store Guidelines compliance, ATT App Tracking Transparency, EU DMA Digital Markets Act, HIG compliance checklist, app submission preparation, review preparation, metadata requirements, entitlements, widgets, and Live Activities review rules. Use when preparing for App Store submission, fixing rejection reasons, auditing privacy manifests, implementing ATT consent flow, configuring StoreKit IAP, or checking HIG compliance.