android-security

Secure Data Encryption, Network Security, and Permissions on Android. Use when handling API keys, auth tokens, cleartext traffic, android:exported, EncryptedSharedPreferences, certificate pinning, or root detection — even if the user just asks 'is this secure'. (triggers: network_security_config.xml, AndroidManifest.xml, EncryptedSharedPreferences, cleartextTrafficPermitted, intent-filter, api key, token storage, certificate pinning, root detection, secure storage)

Quality

86%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

Securityby

Passed

No known issues

Android Security Standards

Priority: P0 (CRITICAL)

Implementation Guidelines

Data Storage

Secrets: NEVER store API keys in code. Use EncryptedSharedPreferences for sensitive local data (Tokens).
Keystore: Use Android Keystore System for cryptographic keys.

Network

HTTPS: Enforce HTTPS via network_security_config.xml (cleartextTrafficPermitted="false").
Pinning: Consider Certificate Pinning for high-security apps.

Component Export

Exported: Explicitly set android:exported="false" for Activities/Receivers unless intended for external use.

Anti-Patterns

No Sensitive Logs: Strip logs in Release builds.
No Homebrew Root Detection: Use Play Integrity API instead.
No Raw URL String Concatenation: Use Uri.Builder or HttpUrl (OkHttp) to prevent parameter injection.

References

Setup Examples
[common/common-security-standards] — shared OWASP baselines
[android/android-legacy-security] — Intent, WebView, and FileProvider hardening

Repository: HoangNguyen0403/agent-skills-standard
Commit: 19a1140

Last updated: 3 days ago
Created: 3 days ago

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.