{"id":"14a9f759-051c-4be9-a37f-dc161a588611","shortId":"EcuHeT","kind":"skill","title":"android-security-best-practices","tagline":"Apply Android app security guidance around secrets, storage, network trust, exported components, and least privilege.","description":"# Android Security Best Practices\n\n## When To Use\n- Use this skill when the request is about: android security review, secret handling android app, exported component security android.\n- Primary outcome: Apply Android app security guidance around secrets, storage, network trust, exported components, and least privilege.\n- Read `references/patterns.md` when you need the attack-surface checklist or the storage/network/component decision matrix.\n- Read `references/scenarios.md` for manifest, backup, WebView, and release-hardening review paths.\n- Handoff skills when the scope expands:\n- `android-modernization-upgrade`\n- `android-ci-cd-release-playstore`\n\n## Workflow\n1. Inventory the attack surface first: exported components, intent/deep link entry points, file sharing, WebView usage, local storage, logs, backups, and network trust config.\n2. Remove avoidable risk before hardening details: prefer platform pickers and choosers, internal storage, server-issued short-lived tokens, and least-privilege permissions instead of shipping broad access or long-lived secrets.\n3. Lock the remaining boundaries explicitly with `android:exported`, component permissions, `FileProvider`, `networkSecurityConfig`, debug-only trust anchors, and immutable `PendingIntent`s.\n4. Review sensitive surfaces that often regress in Android apps: WebView JavaScript bridges, backup/data extraction rules, cleartext exceptions, log redaction, and same-developer IPC assumptions.\n5. Validate the release posture with reproducible checks, then document residual risks and whether backend enforcement or Play Integrity is advisory or blocking.\n\n## Guardrails\n- Treat client-side secrets as recoverable by attackers; move trust decisions and privileged API access server-side whenever possible.\n- Export components only when there is a real external caller, and permission-protect or signature-protect them when the contract is private.\n- Use network security config to scope debug trust anchors or cleartext exceptions instead of broad manifest toggles.\n- Redact logs, review backups, and keep sensitive data out of shared external storage by default.\n\n## Anti-Patterns\n- Hiding API keys in resources, the NDK, or obfuscation and calling that secure.\n- Leaving `android:exported` or intent filters ambiguous on launchable or IPC components.\n- Sharing files through raw file paths or overly broad storage permissions instead of `FileProvider` and system surfaces.\n- Pinning certificates without an operational rotation story or fallback plan.\n\n## Review Focus\n- Exported activities, services, receivers, and providers with clear ownership and caller expectations.\n- Secrets, tokens, and backend trust assumptions.\n- Network trust, debug overrides, cleartext usage, and certificate handling.\n- File sharing, backups, logs, and user-data leakage paths.\n- Abuse signals such as Play Integrity only as layered defense, never as the sole authorization model.\n\n## Examples\n### Happy path\n- Scenario: Audit manifests and sharing surfaces for explicit exports, permissions, and `FileProvider` usage.\n- Command: `rg -n \"android:exported|android:permission|FileProvider|grantUriPermissions\" examples`\n\n### Edge case\n- Scenario: Catch insecure backup or network defaults before a release candidate goes out.\n- Command: `rg -n \"networkSecurityConfig|usesCleartextTraffic|allowBackup|fullBackupContent|dataExtractionRules\" examples`\n\n### Failure recovery\n- Scenario: Separate app hardening from modernization or release-pipeline requests.\n- Command: `python3 scripts/eval_triggers.py --skill android-security-best-practices`\n\n## Done Checklist\n- Every externally reachable component has explicit exposure and caller constraints.\n- Secrets, tokens, and trust decisions are not relying on obscurity in the client app.\n- Network, backup, logging, and sharing behavior have explicit release-safe defaults.\n- Residual risks and any backend dependencies are documented with clear follow-up work.\n\n## Official References\n- [https://developer.android.com/privacy-and-security/security-best-practices](https://developer.android.com/privacy-and-security/security-best-practices)\n- [https://developer.android.com/privacy-and-security/security-tips](https://developer.android.com/privacy-and-security/security-tips)\n- [https://developer.android.com/privacy-and-security/risks/unsafe-exported-components](https://developer.android.com/privacy-and-security/risks/unsafe-exported-components)\n- [https://developer.android.com/privacy-and-security/risks/access-control-to-exported-components](https://developer.android.com/privacy-and-security/risks/access-control-to-exported-components)\n- [https://developer.android.com/privacy-and-security/security-config](https://developer.android.com/privacy-and-security/security-config)\n- [https://developer.android.com/privacy-and-security/minimize-permission-requests](https://developer.android.com/privacy-and-security/minimize-permission-requests)\n- [https://developer.android.com/google/play/integrity/overview](https://developer.android.com/google/play/integrity/overview)","tags":["android","security","best","practices","agent","skills","krutikjain","agent-skills","android-development","android-skills","androidx","claude-code"],"capabilities":["skill","source-krutikjain","skill-android-security-best-practices","topic-agent-skills","topic-android","topic-android-development","topic-android-skills","topic-androidx","topic-claude-code","topic-codex","topic-cursor","topic-jetpack-compose","topic-kotlin","topic-skills"],"categories":["android-agent-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/krutikJain/android-agent-skills/android-security-best-practices","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add krutikJain/android-agent-skills","source_repo":"https://github.com/krutikJain/android-agent-skills","install_from":"skills.sh"}},"qualityScore":"0.454","qualityRationale":"deterministic score 0.45 from registry signals: · indexed on github topic:agent-skills · 8 github stars · SKILL.md body (5,069 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T19:13:28.827Z","embedding":null,"createdAt":"2026-05-18T13:20:51.757Z","updatedAt":"2026-05-18T19:13:28.827Z","lastSeenAt":"2026-05-18T19:13:28.827Z","tsv":"'/google/play/integrity/overview](https://developer.android.com/google/play/integrity/overview)':573 '/privacy-and-security/minimize-permission-requests](https://developer.android.com/privacy-and-security/minimize-permission-requests)':570 '/privacy-and-security/risks/access-control-to-exported-components](https://developer.android.com/privacy-and-security/risks/access-control-to-exported-components)':564 '/privacy-and-security/risks/unsafe-exported-components](https://developer.android.com/privacy-and-security/risks/unsafe-exported-components)':561 '/privacy-and-security/security-best-practices](https://developer.android.com/privacy-and-security/security-best-practices)':555 '/privacy-and-security/security-config](https://developer.android.com/privacy-and-security/security-config)':567 '/privacy-and-security/security-tips](https://developer.android.com/privacy-and-security/security-tips)':558 '1':108 '2':132 '3':168 '4':190 '5':216 'abus':411 'access':162,255 'activ':375 'advisori':236 'allowbackup':473 'ambigu':339 'anchor':185,293 'android':2,7,21,36,41,46,50,98,102,175,198,334,446,448,495 'android-ci-cd-release-playstor':101 'android-modernization-upgrad':97 'android-security-best-practic':1,494 'anti':318 'anti-pattern':317 'api':254,321 'app':8,42,51,199,481,524 'appli':6,49 'around':11,54 'assumpt':215,391 'attack':71,111,248 'attack-surfac':70 'audit':431 'author':425 'avoid':134 'backend':230,389,541 'backup':83,127,305,403,458,526 'backup/data':203 'behavior':530 'best':4,23,497 'block':238 'boundari':172 'bridg':202 'broad':161,299,353 'call':330 'caller':270,384,509 'candid':465 'case':454 'catch':456 'cd':104 'certif':363,399 'check':223 'checklist':73,500 'chooser':143 'ci':103 'clear':381,546 'cleartext':206,295,396 'client':242,523 'client-sid':241 'command':443,468,490 'compon':17,44,60,115,177,262,344,504 'config':131,288 'constraint':510 'contract':282 'data':309,408 'dataextractionrul':475 'debug':182,291,394 'debug-on':181 'decis':77,251,515 'default':316,461,536 'defens':420 'depend':542 'detail':138 'develop':213 'developer.android.com':554,557,560,563,566,569,572 'developer.android.com/google/play/integrity/overview](https://developer.android.com/google/play/integrity/overview)':571 'developer.android.com/privacy-and-security/minimize-permission-requests](https://developer.android.com/privacy-and-security/minimize-permission-requests)':568 'developer.android.com/privacy-and-security/risks/access-control-to-exported-components](https://developer.android.com/privacy-and-security/risks/access-control-to-exported-components)':562 'developer.android.com/privacy-and-security/risks/unsafe-exported-components](https://developer.android.com/privacy-and-security/risks/unsafe-exported-components)':559 'developer.android.com/privacy-and-security/security-best-practices](https://developer.android.com/privacy-and-security/security-best-practices)':553 'developer.android.com/privacy-and-security/security-config](https://developer.android.com/privacy-and-security/security-config)':565 'developer.android.com/privacy-and-security/security-tips](https://developer.android.com/privacy-and-security/security-tips)':556 'document':225,544 'done':499 'edg':453 'enforc':231 'entri':118 'everi':501 'exampl':427,452,476 'except':207,296 'expand':96 'expect':385 'explicit':173,437,506,532 'export':16,43,59,114,176,261,335,374,438,447 'exposur':507 'extern':269,313,502 'extract':204 'failur':477 'fallback':370 'file':120,346,349,401 'fileprovid':179,358,441,450 'filter':338 'first':113 'focus':373 'follow':548 'follow-up':547 'fullbackupcont':474 'goe':466 'granturipermiss':451 'guardrail':239 'guidanc':10,53 'handl':40,400 'handoff':91 'happi':428 'harden':88,137,482 'hide':320 'immut':187 'insecur':457 'instead':158,297,356 'integr':234,416 'intent':337 'intent/deep':116 'intern':144 'inventori':109 'ipc':214,343 'issu':148 'javascript':201 'keep':307 'key':322 'launchabl':341 'layer':419 'leakag':409 'least':19,62,155 'least-privileg':154 'leav':333 'link':117 'live':151,166 'local':124 'lock':169 'log':126,208,303,404,527 'long':165 'long-liv':164 'manifest':82,300,432 'matrix':78 'model':426 'modern':99,484 'move':249 'n':445,470 'ndk':326 'need':68 'network':14,57,129,286,392,460,525 'networksecurityconfig':180,471 'never':421 'obfusc':328 'obscur':520 'offici':551 'often':195 'oper':366 'outcom':48 'over':352 'overrid':395 'ownership':382 'path':90,350,410,429 'pattern':319 'pendingint':188 'permiss':157,178,273,355,439,449 'permission-protect':272 'picker':141 'pin':362 'pipelin':488 'plan':371 'platform':140 'play':233,415 'playstor':106 'point':119 'possibl':260 'postur':220 'practic':5,24,498 'prefer':139 'primari':47 'privat':284 'privileg':20,63,156,253 'protect':274,278 'provid':379 'python3':491 'raw':348 'reachabl':503 'read':64,79 'real':268 'receiv':377 'recover':246 'recoveri':478 'redact':209,302 'refer':552 'references/patterns.md':65 'references/scenarios.md':80 'regress':196 'releas':87,105,219,464,487,534 'release-harden':86 'release-pipelin':486 'release-saf':533 'reli':518 'remain':171 'remov':133 'reproduc':222 'request':33,489 'residu':226,537 'resourc':324 'review':38,89,191,304,372 'rg':444,469 'risk':135,227,538 'rotat':367 'rule':205 'safe':535 'same-develop':211 'scenario':430,455,479 'scope':95,290 'scripts/eval_triggers.py':492 'secret':12,39,55,167,244,386,511 'secur':3,9,22,37,45,52,287,332,496 'sensit':192,308 'separ':480 'server':147,257 'server-issu':146 'server-sid':256 'servic':376 'share':121,312,345,402,434,529 'ship':160 'short':150 'short-liv':149 'side':243,258 'signal':412 'signatur':277 'signature-protect':276 'skill':30,92,493 'skill-android-security-best-practices' 'sole':424 'source-krutikjain' 'storag':13,56,125,145,314,354 'storage/network/component':76 'stori':368 'surfac':72,112,193,361,435 'system':360 'toggl':301 'token':152,387,512 'topic-agent-skills' 'topic-android' 'topic-android-development' 'topic-android-skills' 'topic-androidx' 'topic-claude-code' 'topic-codex' 'topic-cursor' 'topic-jetpack-compose' 'topic-kotlin' 'topic-skills' 'treat':240 'trust':15,58,130,184,250,292,390,393,514 'upgrad':100 'usag':123,397,442 'use':27,28,285 'user':407 'user-data':406 'usescleartexttraff':472 'valid':217 'webview':84,122,200 'whenev':259 'whether':229 'without':364 'work':550 'workflow':107","prices":[{"id":"8f64ff2a-1756-4999-baf8-b7b060632ee7","listingId":"14a9f759-051c-4be9-a37f-dc161a588611","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"krutikJain","category":"android-agent-skills","install_from":"skills.sh"},"createdAt":"2026-05-18T13:20:51.757Z"}],"sources":[{"listingId":"14a9f759-051c-4be9-a37f-dc161a588611","source":"github","sourceId":"krutikJain/android-agent-skills/android-security-best-practices","sourceUrl":"https://github.com/krutikJain/android-agent-skills/tree/main/skills/android-security-best-practices","isPrimary":false,"firstSeenAt":"2026-05-18T13:20:51.757Z","lastSeenAt":"2026-05-18T19:13:28.827Z"}],"details":{"listingId":"14a9f759-051c-4be9-a37f-dc161a588611","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"krutikJain","slug":"android-security-best-practices","github":{"repo":"krutikJain/android-agent-skills","stars":8,"topics":["agent-skills","android","android-development","android-skills","androidx","claude-code","codex","cursor","jetpack-compose","kotlin","skills"],"license":"mit","html_url":"https://github.com/krutikJain/android-agent-skills","pushed_at":"2026-03-25T05:47:20Z","description":"Android skills repository for Kotlin, Compose, XML, testing, CI, release work, and legacy upgrades","skill_md_sha":"f4a36fb07e128f4feba96c2d24c6695b9eb33304","skill_md_path":"skills/android-security-best-practices/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/krutikJain/android-agent-skills/tree/main/skills/android-security-best-practices"},"layout":"multi","source":"github","category":"android-agent-skills","frontmatter":{"name":"android-security-best-practices","description":"Apply Android app security guidance around secrets, storage, network trust, exported components, and least privilege."},"skills_sh_url":"https://skills.sh/krutikJain/android-agent-skills/android-security-best-practices"},"updatedAt":"2026-05-18T19:13:28.827Z"}}