> flutter-security

Enforce OWASP Mobile security standards for Flutter apps. Use when storing data, making network calls, handling tokens/PII, or preparing a release build. (triggers: lib/infrastructure/**, pubspec.yaml, secure_storage, obfuscate, jailbreak, pinning, PII, OWASP)

Mobile Security

Priority: P0 (CRITICAL)

OWASP-aligned mobile security and PII protection for Flutter.

Implementation Workflow

  1. Store secrets securely — Use flutter_secure_storage for tokens/PII. Never use shared_preferences for sensitive data.
  2. Externalize secrets — Never store API keys in Dart code. Use --dart-define or .env files.
  3. Obfuscate releases — Always build with --obfuscate and --split-debug-info. This is a deterrent, not cryptographic protection; move sensitive logic to backend.
  4. Pin certificates — For high-security apps, use dio_certificate_pinning to prevent MITM attacks.
  5. Detect jailbreak/root — Use flutter_jailbreak_detection for financial/sensitive applications.
  6. Mask PII — Redact sensitive data (email, phone) in all logs and analytics events.
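The following Dart file is an added example, not code from the skill page or from the HoangNguyen0403/agent-skills-standard repository. It pulls steps 1, 2, 3, 5 and 6 of the workflow above into one place: a token store backed by flutter_secure_storage, an API base URL injected with --dart-define and read through String.fromEnvironment, a root/jailbreak check via flutter_jailbreak_detection, and a log wrapper that redacts emails and phone numbers before anything reaches a sink. The names TokenStore, redactPii, secureLog, deviceIsCompromised and the define name API_BASE_URL are this example's own choices; the two package APIs are used as published, and the build command in the header comment is the obfuscated release build the workflow asks for.

```dart
// Added example (not from the skill page): secure storage, --dart-define,
// root detection and PII masking in one file. Package APIs assumed:
// flutter_secure_storage and flutter_jailbreak_detection.
//
// Step 3 build command (symbols are written to a directory that is NOT
// shipped with the app; keep it to symbolicate crash reports):
//   flutter build apk --release --obfuscate --split-debug-info=build/symbols \
//     --dart-define=API_BASE_URL=https://api.example.com
import 'dart:developer' as developer;

import 'package:flutter_jailbreak_detection/flutter_jailbreak_detection.dart';
import 'package:flutter_secure_storage/flutter_secure_storage.dart';

/// Step 2: compile-time injection via --dart-define. String.fromEnvironment
/// only works in a const context, so the `const` is required. With no
/// defaultValue a missing define yields '' and bootstrap() fails loudly.
const String apiBaseUrl = String.fromEnvironment('API_BASE_URL');

/// Step 1: tokens go to the platform keystore/keychain, never SharedPreferences.
/// The storage instance is injectable so tests can pass a fake.
class TokenStore {
  TokenStore([FlutterSecureStorage? storage])
      : _storage = storage ?? const FlutterSecureStorage();

  final FlutterSecureStorage _storage;
  static const _tokenKey = 'auth_token';

  Future<void> save(String token) =>
      _storage.write(key: _tokenKey, value: token);
  Future<String?> read() => _storage.read(key: _tokenKey);
  Future<void> clear() => _storage.delete(key: _tokenKey);
}

/// Step 6: redact email addresses and phone numbers before logging.
/// The patterns are deliberately broad: over-masking is cheap, a leaked
/// identifier is not.
final RegExp _emailRe =
    RegExp(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}');
final RegExp _phoneRe = RegExp(r'\+?\d[\d\s().-]{7,}\d');

String redactPii(String text) => text
    .replaceAllMapped(_emailRe, (m) => _maskEmail(m[0]!))
    .replaceAll(_phoneRe, '[phone]');

// Keeps the first character and the domain: enough to correlate a support
// case, not enough to identify the user from the log alone.
String _maskEmail(String email) {
  final at = email.indexOf('@');
  return '${email[0]}***${email.substring(at)}';
}

/// Log wrapper the rest of the app calls instead of print().
void secureLog(String message) =>
    developer.log(redactPii(message), name: 'app');

/// Step 5: one signal for gating sensitive flows. It is a client-side check
/// and can be bypassed, so it must not be the only control.
Future<bool> deviceIsCompromised() => FlutterJailbreakDetection.jailbroken;

Future<void> bootstrap() async {
  if (apiBaseUrl.isEmpty) {
    throw StateError('API_BASE_URL was not passed via --dart-define');
  }
  if (await deviceIsCompromised()) {
    secureLog('Device appears rooted/jailbroken; disabling sensitive features');
  }
  final store = TokenStore();
  await store.save('constructed-sample-token'); // constructed sample value
  // Constructed sample line containing an email and a phone number; both are
  // masked by secureLog before reaching the log sink.
  secureLog('Signed in user alice@example.com, callback +1 (555) 010-2345');
}
```

Call `bootstrap()` from `main()` before `runApp`. Because `apiBaseUrl` is a compile-time constant, a release binary built without the define carries no fallback secret to recover, and the masking in `secureLog` applies to every caller, so the `print('User email: $email')` anti-pattern listed below cannot reappear by accident.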

Secure Storage & Release Build Examples

See implementation examples for secure storage usage and obfuscated release build commands.

Reference & Examples

For SSL Pinning and Secure Storage implementation details: See references/REFERENCE.md.

Anti-Patterns

  • prefs.setString('auth_token', token) — tokens/PII must use flutter_secure_storage, never SharedPreferences
  • const apiKey = 'sk-…' hardcoded in Dart — store secrets via --dart-define or a secure vault; never in source
  • Release build without --obfuscate --split-debug-info flags — unobfuscated binaries expose class/method names
  • print('User email: $email') — mask or omit PII in logs and analytics events entirely

Related Topics

common/security-standards | layer-based-clean-architecture | performance

stats: installs/wk 0 | github stars 452 | first seen Mar 17, 2026

repo: HoangNguyen0403/agent-skills-standard by HoangNguyen0403