Agent Skills: Android Legacy Security Standards

Harden Intent handling, WebView configuration, and FileProvider access in Android apps. Use when securing Intent extras, configuring WebViews, or exposing files via FileProvider. (triggers: **/*Activity.kt, **/*WebView*.kt, AndroidManifest.xml, Intent, WebView, FileProvider, javaScriptEnabled)

Category: Uncategorized
ID: hoangnguyen0403/agent-skills-standard/android-legacy-security

Install this agent skill locally:

pnpm dlx add-skill https://github.com/HoangNguyen0403/agent-skills-standard/tree/HEAD/skills/android/android-legacy-security

Skill Files


skills/android/android-legacy-security/SKILL.md

Skill Metadata

Name
android-legacy-security
Description
"Harden Intent handling, WebView configuration, and FileProvider access in Android apps. Use when securing Intent extras, configuring WebViews, or exposing files via FileProvider. (triggers: **/*Activity.kt, **/*WebView*.kt, AndroidManifest.xml, Intent, WebView, FileProvider, javaScriptEnabled)"

Android Legacy Security Standards

Priority: P0

1. Secure Intents and Components

  • Set android:exported="false" on every Activity, Service, BroadcastReceiver and ContentProvider that other apps do not need to reach; only components that must receive deep links or external intents are exported, and those get their own input validation. From targetSdk 31 (Android 12) the attribute is mandatory on any component that declares an intent-filter; on older targets an intent-filter silently made the component exported.
  • Before starting an implicit intent, check that intent.resolveActivity(packageManager) is non-null and fall back gracefully when it is not. On API 30+ (Android 11) this needs a matching <queries> declaration in the manifest, otherwise resolution returns null even when a handler is installed.
  • Treat every incoming Intent extra as attacker-controlled: read it with a typed getter, check type, length, range and allow-listed values, and never forward a caller-supplied nested Intent from an exported component (intent redirection lets another app reach your non-exported components with your identity).

See hardening examples for manifest and component restrictions.
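The three rules above, as an added example that is not part of the skill's own files: an internal Activity that validates its extras through a pure function, refuses a nested Intent, resolves an implicit intent before starting it, and reaches its own screens only through explicit intents. The package, extra names, limits and allow-listed hosts are assumptions; in AndroidManifest.xml both activities are declared with android:exported="false" and no intent-filter.

```kotlin
// Added example, not the skill's code. Package, extra names, limits and hosts are assumed.
package com.example.hardening

import android.content.Intent
import android.net.Uri
import android.os.Bundle
import android.util.Log
import androidx.appcompat.app.AppCompatActivity

private const val TAG = "IntentHardening"
private const val EXTRA_ITEM_ID = "com.example.hardening.ITEM_ID"   // Long > 0
private const val EXTRA_NOTE = "com.example.hardening.NOTE"         // short printable text
private const val EXTRA_LINK = "com.example.hardening.LINK"         // https URL on an allow-listed host
private const val EXTRA_FORWARD = "com.example.hardening.FORWARD"   // a nested Intent: never honoured
private const val MAX_NOTE_LEN = 256
private val ALLOWED_HOSTS = setOf("example.com", "www.example.com")

/** The validated view of the extras this screen accepts; anything else is dropped. */
data class DetailArgs(val itemId: Long, val note: String, val link: Uri?)

/**
 * Validates raw extras into [DetailArgs]. Returns null on any violation so the caller
 * finishes instead of running with partially trusted input. Kept free of Activity state
 * so it can be unit-tested with a hand-built Bundle.
 */
fun parseDetailArgs(extras: Bundle?): DetailArgs? {
    extras ?: return null

    // Typed getter with a sentinel default: a missing key, or a String stored under the
    // key, both yield the sentinel, and both are rejected.
    val itemId = extras.getLong(EXTRA_ITEM_ID, -1L)
    if (itemId <= 0L) return null

    // Length cap and character-class check before the value reaches UI or logs.
    val note = extras.getString(EXTRA_NOTE) ?: ""
    if (note.length > MAX_NOTE_LEN || note.any { it.isISOControl() }) return null

    // Intent redirection defence: a caller-supplied Intent is refused outright rather than
    // "validated", so it can never be handed to startActivity() with this app's identity.
    if (extras.containsKey(EXTRA_FORWARD)) return null

    // Scheme and host allow-list for anything that will later be opened externally.
    val link = extras.getString(EXTRA_LINK)?.let(Uri::parse)
    if (link != null && (link.scheme != "https" || link.host !in ALLOWED_HOSTS)) return null

    return DetailArgs(itemId, note, link)
}

class DetailActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val args = parseDetailArgs(intent?.extras)
        if (args == null) {
            // callingActivity is only set for startActivityForResult callers; still useful in logs.
            Log.w(TAG, "Rejected intent extras (caller=${callingActivity?.packageName})")
            finish()
            return
        }
        args.link?.let(::openExternalLink)
    }

    /** Implicit intent: confirm a handler exists before starting it. */
    private fun openExternalLink(uri: Uri) {
        val view = Intent(Intent.ACTION_VIEW, uri)
        // On API 30+ this returns null unless the manifest has a matching <queries> entry.
        if (view.resolveActivity(packageManager) != null) {
            startActivity(view)
        } else {
            Log.w(TAG, "No handler for $uri")
        }
    }

    /** Internal navigation: explicit component, so no other app can claim the action. */
    fun openSettings() {
        startActivity(Intent(this, SettingsActivity::class.java))
    }
}

/** Target of the explicit intent above (assumed; non-exported in the manifest). */
class SettingsActivity : AppCompatActivity()
```

The sentinel pattern on getLong matters on legacy targets: Bundle.getLong(key, default) returns the default when the key is absent or holds the wrong type, so one comparison covers both the missing and the type-confused case.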

2. Lock Down WebViews

  • Default to javaScriptEnabled = false and turn it on only for WebViews that load your own, allow-listed origin. Install a WebViewClient and implement shouldOverrideUrlLoading to confine navigation to that origin; the WebChromeClient handles JS dialogs, file choosers and permission prompts (camera, microphone, geolocation), so override those to deny rather than relying on defaults. Never override onReceivedSslError to call proceed(): the default handler cancels the load.
  • Set allowFileAccess, allowFileAccessFromFileURLs and allowUniversalAccessFromFileURLs to false (and allowContentAccess where content:// is not needed). allowFileAccess defaults to true for apps targeting below API 30; the two file-URL settings have defaulted to false since API 16 but should still be set explicitly on a legacy target. With them on, XSS in a file:// page can read the app's private files and ship them off-device.
  • addJavascriptInterface is dangerous on targets below API 17: every public method of the bridge object, including getClass(), is reachable from page JavaScript, which leads straight to reflection and Runtime.exec. On API 17+ only methods annotated with @JavascriptInterface are exposed, so keep that surface to a few validated, primitive-typed methods and never attach a bridge to a WebView that can load untrusted content.

See hardening examples for WebView lockdown patterns.
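The lockdown described above, as an added example that is not part of the skill's own files: one WebView confined to an allow-listed https host, with the dangerous file settings off, permission prompts denied, and a single-method @JavascriptInterface bridge attached only when JavaScript is actually enabled. TRUSTED_HOSTS, the bridge name and its method are assumptions; the WebResourceRequest overload of shouldOverrideUrlLoading used here needs minSdk 24.

```kotlin
// Added example, not the skill's code. Hosts, bridge name and method are assumed. minSdk 24.
package com.example.hardening

import android.annotation.SuppressLint
import android.net.Uri
import android.webkit.GeolocationPermissions
import android.webkit.JavascriptInterface
import android.webkit.PermissionRequest
import android.webkit.WebChromeClient
import android.webkit.WebResourceRequest
import android.webkit.WebSettings
import android.webkit.WebView
import android.webkit.WebViewClient

private val TRUSTED_HOSTS = setOf("app.example.com")

/** The only navigation allowed: https to a known host. Everything else is dropped. */
fun isTrustedUrl(url: Uri): Boolean =
    url.scheme == "https" && url.host in TRUSTED_HOSTS

/**
 * Bridge with one primitive-typed, validated method. On API 17+ only methods carrying
 * @JavascriptInterface are reachable from JS; on older targets every public method is,
 * which is why an app still targeting below 17 must not ship addJavascriptInterface at all.
 */
class AppBridge(private val onThemeChange: (String) -> Unit) {
    @JavascriptInterface
    fun setTheme(name: String) {
        // Validate even input from the trusted origin: XSS there still reaches this method.
        if (name == "light" || name == "dark") onThemeChange(name)
    }
}

object HardenedWebView {

    @SuppressLint("SetJavaScriptEnabled")
    fun configure(webView: WebView, jsForTrustedOrigin: Boolean, onThemeChange: (String) -> Unit) {
        with(webView.settings) {
            javaScriptEnabled = jsForTrustedOrigin          // default: off
            allowFileAccess = false                         // default true below targetSdk 30
            allowFileAccessFromFileURLs = false             // file:// page reading other files
            allowUniversalAccessFromFileURLs = false        // file:// page reaching any origin
            allowContentAccess = false                      // no content:// from page JS
            mixedContentMode = WebSettings.MIXED_CONTENT_NEVER_ALLOW
            setGeolocationEnabled(false)
            setSupportMultipleWindows(false)                // no window.open() to other hosts
        }

        // Attach the bridge only when JS is on; a JS-disabled WebView then carries no surface.
        if (jsForTrustedOrigin) {
            webView.addJavascriptInterface(AppBridge(onThemeChange), "AppBridge")
        }

        webView.webViewClient = object : WebViewClient() {
            // Returning true means "handled here": the WebView does not load the URL.
            override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean =
                !isTrustedUrl(request.url)
            // onReceivedSslError is deliberately not overridden: the default cancels the load.
        }

        webView.webChromeClient = object : WebChromeClient() {
            // Camera, microphone and protected-media requests from page JS are always denied.
            override fun onPermissionRequest(request: PermissionRequest) = request.deny()
            override fun onGeolocationPermissionsShowPrompt(
                origin: String, callback: GeolocationPermissions.Callback
            ) = callback.invoke(origin, false, false)
        }
    }

    /** Loads the first page only if it passes the same allow-list as later navigation. */
    fun loadTrusted(webView: WebView, url: String): Boolean {
        val uri = Uri.parse(url)
        if (!isTrustedUrl(uri)) return false
        webView.loadUrl(url)
        return true
    }
}
```

shouldOverrideUrlLoading only sees top-level navigations initiated by the page, not the app's own loadUrl() calls (hence loadTrusted) and not subresource or iframe loads; if those must be constrained too, add a shouldInterceptRequest override that applies the same isTrustedUrl check, or serve the page with a Content-Security-Policy.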

3. Protect Storage and Files

  • Never hand another app a file:// URI: from targetSdk 24 that throws FileUriExposedException, and on older targets it leaks the path and only works if the file is world-readable. Declare a FileProvider (android:exported="false", android:grantUriPermissions="true", a narrowly scoped paths file) and share content:// URIs with FLAG_GRANT_READ_URI_PERMISSION so the grant is read-only, temporary and scoped to the receiver.
  • Keep auth tokens and PII in EncryptedSharedPreferences (Jetpack Security) backed by an Android Keystore master key, never in plain SharedPreferences. MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE were deprecated in API 17 and throw SecurityException from API 24; anything another app must read goes through a FileProvider grant instead.
  • Ship a network security configuration (android:networkSecurityConfig on the <application> element) with cleartextTrafficPermitted="false" so plain HTTP fails at the platform level (already the default for targetSdk 28+), and pin the expected CA or leaf SPKI hashes in a <pin-set> with an expiration date and at least one backup pin so a certificate rotation does not lock users out.
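The first two bullets above, as an added example that is not part of the skill's own files: sharing a private file through a FileProvider grant, writing only into the directory the provider exposes, and keeping a token in EncryptedSharedPreferences under a Keystore master key. The authority, directory, file-name policy and preference names are assumptions, as is the manifest fragment shown in the comment; the cleartext and pinning settings live in res/xml/network_security_config.xml and are not repeated here.

```kotlin
// Added example, not the skill's code. Authority, paths and names are assumed.
// Assumed manifest entry (authority must match the string built in shareReport):
//   <provider android:name="androidx.core.content.FileProvider"
//             android:authorities="${applicationId}.fileprovider"
//             android:exported="false" android:grantUriPermissions="true">
//     <meta-data android:name="android.support.FILE_PROVIDER_PATHS"
//                android:resource="@xml/file_paths" />
//   </provider>
// Assumed res/xml/file_paths.xml: <files-path name="reports" path="reports/" />
package com.example.hardening

import android.content.ClipData
import android.content.Context
import android.content.Intent
import android.content.SharedPreferences
import android.net.Uri
import androidx.core.content.FileProvider
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
import java.io.File

object SecureFiles {

    /**
     * Builds an ACTION_SEND intent carrying a content:// URI plus a read-only,
     * receiver-scoped grant. getUriForFile throws IllegalArgumentException if [file]
     * lies outside the paths declared in file_paths.xml; that is the traversal guard.
     */
    fun shareReport(context: Context, file: File): Intent {
        val authority = "${context.packageName}.fileprovider"
        val uri: Uri = FileProvider.getUriForFile(context, authority, file)
        return Intent(Intent.ACTION_SEND).apply {
            type = "application/pdf"
            putExtra(Intent.EXTRA_STREAM, uri)
            // The grant flag applies to the intent's data and ClipData URIs, so put the
            // URI there as well rather than relying on the chooser to migrate EXTRA_STREAM.
            clipData = ClipData.newRawUri("report", uri)
            addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION)   // read-only; no WRITE, no PERSISTABLE
        }
    }

    /** Creates a file under the one directory the provider exposes, with a strict name policy. */
    fun newReportFile(context: Context, name: String): File {
        require(name.matches(Regex("[A-Za-z0-9_-]{1,64}\\.pdf"))) { "unsafe file name: $name" }
        val dir = File(context.filesDir, "reports").apply { mkdirs() }
        return File(dir, name)   // app-private storage: no world-readable mode involved
    }
}

object TokenStore {
    private const val PREFS = "secure_prefs"
    private const val KEY_TOKEN = "auth_token"

    /** EncryptedSharedPreferences keyed by an AES-256-GCM master key held in the Android Keystore. */
    private fun prefs(context: Context): SharedPreferences {
        val masterKey = MasterKey.Builder(context)
            .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
            .build()
        return EncryptedSharedPreferences.create(
            context, PREFS, masterKey,
            EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
            EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
        )
    }

    fun save(context: Context, token: String) =
        prefs(context).edit().putString(KEY_TOKEN, token).apply()

    fun load(context: Context): String? = prefs(context).getString(KEY_TOKEN, null)

    fun clear(context: Context) = prefs(context).edit().remove(KEY_TOKEN).apply()
}
```

Wrap shareReport's result in Intent.createChooser before startActivity; the read grant lasts only while the receiving task is alive and is revoked afterwards, which is the "temporary permission" the rule asks for. Because FLAG_GRANT_PERSISTABLE_URI_PERMISSION is not set, a receiver cannot call takePersistableUriPermission to keep access.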

Anti-Patterns

  • No Implicit Intents Internally: start your own components with an explicit Intent (component class or ComponentName). An implicit action string can be claimed by any app that declares a matching intent-filter, and the extras go to it.
  • No MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE: never for SharedPreferences, openFileOutput or database files; share through a FileProvider grant instead.

References