Agent Skills: Android Security Standards

Secure Data Encryption, Network Security, and Permissions on Android. Use when handling API keys, auth tokens, cleartext traffic, android:exported, EncryptedSharedPreferences, certificate pinning, or root detection — even if the user just asks 'is this secure'. (triggers: network_security_config.xml, AndroidManifest.xml, EncryptedSharedPreferences, cleartextTrafficPermitted, intent-filter, api key, token storage, certificate pinning, root detection, secure storage)

Category: Uncategorized
ID: hoangnguyen0403/agent-skills-standard/android-security

Install this agent skill locally:

pnpm dlx add-skill https://github.com/HoangNguyen0403/agent-skills-standard/tree/HEAD/skills/android/android-security

Skill Files


skills/android/android-security/SKILL.md

Skill Metadata

Name
android-security
Description
"Secure Data Encryption, Network Security, and Permissions on Android. Use when handling API keys, auth tokens, cleartext traffic, android:exported, EncryptedSharedPreferences, certificate pinning, or root detection — even if the user just asks 'is this secure'. (triggers: network_security_config.xml, AndroidManifest.xml, EncryptedSharedPreferences, cleartextTrafficPermitted, intent-filter, api key, token storage, certificate pinning, root detection, secure storage)"

Android Security Standards

Priority: P0 (CRITICAL)

Implementation Guidelines

Data Storage

  • Secrets: NEVER store API keys in code. Use EncryptedSharedPreferences for sensitive local data such as auth tokens.
  • Keystore: Use the Android Keystore System for cryptographic keys, so key material never leaves hardware-backed storage.
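Both Data Storage rules in one place, as an added example (this is not code from the skill repository): `TokenStore` keeps an auth token in EncryptedSharedPreferences backed by a Keystore master key, and `KeystoreCrypto` generates an AES-256-GCM key inside AndroidKeyStore and uses it for app-level encryption. It assumes the `androidx.security:security-crypto` 1.1.0 API; the file name, preference key and key alias are constructed for the example.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

/** Token storage: values are encrypted at rest, keys are encrypted too, master key lives in the Keystore. */
object TokenStore {
    private const val PREFS_FILE = "secure_prefs"      // constructed name for this example
    private const val KEY_AUTH_TOKEN = "auth_token"    // constructed preference key

    private fun prefs(context: Context): SharedPreferences {
        val masterKey = MasterKey.Builder(context)
            .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
            .build()
        return EncryptedSharedPreferences.create(
            context,
            PREFS_FILE,
            masterKey,
            EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
            EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
        )
    }

    fun saveToken(context: Context, token: String) =
        prefs(context).edit().putString(KEY_AUTH_TOKEN, token).apply()

    fun readToken(context: Context): String? =
        prefs(context).getString(KEY_AUTH_TOKEN, null)

    /** Remove the token on logout so it does not outlive the session. */
    fun clearToken(context: Context) =
        prefs(context).edit().remove(KEY_AUTH_TOKEN).apply()
}

/** Keystore-resident AES key: the key bytes are never exposed to app code, only Cipher operations. */
object KeystoreCrypto {
    private const val ANDROID_KEYSTORE = "AndroidKeyStore"
    private const val KEY_ALIAS = "app_data_key"       // constructed alias for this example
    private const val GCM_IV_BYTES = 12
    private const val GCM_TAG_BITS = 128

    private fun getOrCreateKey(): SecretKey {
        val ks = KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }
        (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }
        val spec = KeyGenParameterSpec.Builder(
            KEY_ALIAS,
            KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE)
            .apply { init(spec) }
            .generateKey()
    }

    /** Output layout: 12-byte IV chosen by the Keystore, then ciphertext with the 16-byte GCM tag appended. */
    fun encrypt(plaintext: ByteArray): ByteArray {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        // The Keystore refuses caller-supplied IVs by default, so the IV is read back after init.
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey())
        return cipher.iv + cipher.doFinal(plaintext)
    }

    /** Throws AEADBadTagException if the blob was tampered with; callers should treat that as data loss, not retry. */
    fun decrypt(blob: ByteArray): ByteArray {
        val iv = blob.copyOfRange(0, GCM_IV_BYTES)
        val ciphertext = blob.copyOfRange(GCM_IV_BYTES, blob.size)
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.DECRYPT_MODE, getOrCreateKey(), GCMParameterSpec(GCM_TAG_BITS, iv))
        return cipher.doFinal(ciphertext)
    }
}
```

Neither object hands raw key bytes to application code, which is the property that separates "encrypted with a Keystore key" from "encrypted with a key sitting in a string constant". A device-level threat (rooted device, backup extraction) can still read plaintext while the app is running, so these objects protect data at rest, not a token that is exfiltrated from memory.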

Network

  • HTTPS: Enforce HTTPS via network_security_config.xml (cleartextTrafficPermitted="false").
  • Pinning: Consider Certificate Pinning for high-security apps.

Component Export

  • Exported: Explicitly set android:exported="false" for Activities/Receivers unless intended for external use.
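A manifest excerpt showing the Component Export rule, as an added example that is not from the skill repository. Component names and the package are constructed for the example.

```xml
<!-- AndroidManifest.xml (excerpt); names are constructed for this example -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <application
        android:networkSecurityConfig="@xml/network_security_config">

        <!-- Launcher entry point: must be exported so the home screen can start it. -->
        <activity
            android:name=".MainActivity"
            android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>

        <!-- Internal screen: only this app starts it, so other apps cannot launch it with crafted extras. -->
        <activity
            android:name=".SettingsActivity"
            android:exported="false" />

        <!-- Receiver registered for the app's own alarms; not reachable from other packages. -->
        <receiver
            android:name=".SyncAlarmReceiver"
            android:exported="false" />

        <!-- Background work: bound only from inside this app. -->
        <service
            android:name=".UploadService"
            android:exported="false" />
    </application>
</manifest>
```

When the app targets Android 12 (API 31) or higher, every activity, service or receiver that declares an `<intent-filter>` must set `android:exported` explicitly; installation fails otherwise. Components without an intent filter default to `exported="false"`, but writing the attribute out makes the intent visible in review and survives a later addition of an intent filter. Anything that stays `exported="true"` should validate every extra it reads and, where only specific callers are expected, guard itself with a permission.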

Anti-Patterns

  • No Sensitive Logs: Strip logs in Release builds; logcat is readable by other processes on older devices and by anyone with a USB debugging session.
  • No Homebrew Root Detection: Use the Play Integrity API instead; local checks are trivially patched out.
  • No Raw URL String Concatenation: Use Uri.Builder or HttpUrl (OkHttp) to prevent parameter injection.
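The two Anti-Patterns that have a direct code fix, URL building and release logging, as an added example that is not part of the skill repository. It assumes OkHttp 4 on the classpath and the app's generated `BuildConfig` class; the base URL and the `SecureLog` name are constructed for the example. Play Integrity is not shown because a correct integration needs a server-side verdict check that a single client snippet would misrepresent.

```kotlin
import android.net.Uri
import android.util.Log
import okhttp3.HttpUrl
import okhttp3.HttpUrl.Companion.toHttpUrl

/**
 * Builds https://<base>/search?q=<query>&page=<n> with every component encoded.
 * A query of "shoes&admin=true" becomes q=shoes%26admin%3Dtrue: one parameter, not two.
 */
fun searchUrl(base: String, query: String, page: Int): HttpUrl =
    base.toHttpUrl().newBuilder()
        .addPathSegment("search")
        .addQueryParameter("q", query)
        .addQueryParameter("page", page.toString())
        .build()

/** Same result with the platform Uri.Builder, for code that does not use OkHttp. */
fun searchUri(query: String, page: Int): Uri =
    Uri.Builder()
        .scheme("https")
        .authority("api.example.com")   // constructed host for this example
        .appendPath("search")
        .appendQueryParameter("q", query)
        .appendQueryParameter("page", page.toString())
        .build()

/**
 * Logging gate: the lambda is only evaluated in debug builds, so a release
 * build never even formats the sensitive string. BuildConfig is the app's
 * generated class (assumed here).
 */
object SecureLog {
    fun d(tag: String, message: () -> String) {
        if (BuildConfig.DEBUG) Log.d(tag, message())
    }
}

fun demo() {
    val url = searchUrl("https://api.example.com", "shoes&admin=true", 1)
    // url.toString() == "https://api.example.com/search?q=shoes%26admin%3Dtrue&page=1"
    SecureLog.d("Search") { "built $url" }   // silent in release
}
```

For defence in depth, also remove the calls entirely at build time so a stray `Log.d` outside the wrapper does not ship: an R8/ProGuard rule of the form `-assumenosideeffects class android.util.Log { public static *** d(...); public static *** v(...); }` in `proguard-rules.pro` deletes those calls from release bytecode.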

References

  • Setup Examples
  • [common/common-security-standards] — shared OWASP baselines
  • [android/android-legacy-security] — Intent, WebView, and FileProvider hardening