android-legacy-security

Harden Intent handling, WebView configuration, and FileProvider access in Android apps. Use when securing Intent extras, configuring WebViews, or exposing files via FileProvider. (triggers: **/*Activity.kt, **/*WebView*.kt, AndroidManifest.xml, Intent, WebView, FileProvider, javaScriptEnabled)

Quality

86%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

Securityby

Passed

No known issues

Android Legacy Security Standards

Priority: P0

1. Secure Intents and Components

Set android:exported="false" for all internal Activities/Services unless needed for deep links.
Verify resolveActivity before starting implicit intents.
Treat all incoming Intent extras as untrusted — validate all schema/data types.

See hardening examples for manifest and component restrictions.

2. Lock Down WebViews

Default to javaScriptEnabled = false. Use WebViewClient and WebChromeClient to restrict navigation.
Disable allowFileAccess and allowFileAccessFromFileURLs to prevent local file theft via XSS.
If using @JavascriptInterface (API 17+), strictly limit exposed API surface.

See hardening examples for WebView lockdown patterns.

3. Protect Storage and Files

NEVER expose file:// URIs. Use FileProvider to generate content:// URIs with temporary permissions.
Use EncryptedSharedPreferences for auth tokens and PII. Never use MODE_WORLD_READABLE.
Use NetworkSecurityConfig to disable cleartextTrafficPermitted and implement certificate pinning.

Anti-Patterns

No Implicit Intents Internally: Use explicit intents with component class name.
No MODE_WORLD_READABLE: Never use for SharedPreferences or files.

References

Hardening Examples

Repository: HoangNguyen0403/agent-skills-standard
Commit: 19a1140

Last updated: 3 days ago
Created: 3 days ago

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.