Android Security Standards Skill

Agent Skills: Android Security Standards

Secure Data Encryption, Network Security, and Permissions on Android. Use when handling API keys, auth tokens, cleartext traffic, android:exported, EncryptedSharedPreferences, certificate pinning, or root detection — even if the user just asks 'is this secure'. (triggers: network_security_config.xml, AndroidManifest.xml, EncryptedSharedPreferences, cleartextTrafficPermitted, intent-filter, api key, token storage, certificate pinning, root detection, secure storage)

UncategorizedID: hoangnguyen0403/agent-skills-standard/android-security

Android Security Standards

Priority: P0 (CRITICAL)

Implementation Guidelines

Data Storage

Secrets: NEVER store API keys in code. Use EncryptedSharedPreferences for sensitive local data (Tokens).
Keystore: Use Android Keystore System for cryptographic keys.

Network

HTTPS: Enforce HTTPS via network_security_config.xml (cleartextTrafficPermitted="false").
Pinning: Consider Certificate Pinning for high-security apps.

Component Export

Exported: Explicitly set android:exported="false" for Activities/Receivers unless intended for external use.

Anti-Patterns

No Sensitive Logs: Strip logs in Release builds.
No Homebrew Root Detection: Use Play Integrity API instead.
No Raw URL String Concatenation: Use Uri.Builder or HttpUrl (OkHttp) to prevent parameter injection.

References

Setup Examples
[common/common-security-standards] — shared OWASP baselines
[android/android-legacy-security] — Intent, WebView, and FileProvider hardening