owasp-mobile-security-checker
Automated security auditing for Flutter applications based on the OWASP Mobile Top 10 (2024). Performs vulnerability scans for hardcoded secrets, insecure storage, dependency risks, and network configuration issues.
Introduction
The OWASP Mobile Security Checker is a specialized engineering tool designed for developers and security analysts working with the Flutter and Dart ecosystem. It automates the detection of common security vulnerabilities by implementing scanners that align with the OWASP Mobile Top 10 (2024) framework. The skill is intended for use during the development lifecycle, specifically for pre-release security gates, continuous integration security checks, and targeted vulnerability assessments. It provides actionable remediation advice to help teams harden their mobile applications against common threats.
- Automated M1 scan detects hardcoded API keys, Firebase credentials, and AWS access tokens in source code.
- M2 dependency analysis identifies outdated pubspec.yaml packages and insecure version constraints that lead to CVE exposure.
- M5 network security auditing checks for cleartext HTTP traffic, missing SSL pinning, and insecure WebSocket implementations.
- M9 storage analysis identifies unencrypted usage of SharedPreferences and insecure file storage patterns on Android and iOS.
- Includes manual guidance for complex categories like M3 (Authentication), M4 (Input Validation), M6 (Privacy), M7 (Binary Protection), M8 (Misconfiguration), and M10 (Cryptography).
- Provides severity-based prioritization for findings, distinguishing between CRITICAL, HIGH, MEDIUM, and LOW risks.
- Operates by scanning files directly within the local project directory; requires Python 3.7+.
- Generates structured JSON output files for each audit category, facilitating easy integration into CI/CD pipelines.
- Not intended as a substitute for professional penetration testing or manual code review for complex logic vulnerabilities.
- Best used in conjunction with standard code reviews; always verify scan results for false positives, such as development-only mock credentials or local testing endpoints.
- The tool expects a standard Flutter project structure with a pubspec.yaml file and supports analysis across Android and iOS target configurations.
Repository Stats
- Stars: 44
- Forks: 5
- Open Issues: 0
- Language: Python
- Default Branch: main
- Sync Status: Idle
- Last Synced: May 3, 2026, 09:21 PM