Skill · quality 0.45

security

27 Android skills for AI agents (Claude Code, Codex, Cursor). Fixes Supabase auth, Hilt errors, design inconsistency, kapt→ksp, missing UiState states. Reduced my token bills 5×. FitGenZ AI shipped in 18 days.

Price
free
Protocol
skill
Verified
no

What it does

Android Security

Rule 1: Never store secrets in source code or BuildConfig

// ❌ Never — committed to git, visible in APK
const val API_KEY = "sk-1234567890abcdef"
buildConfigField("String", "API_KEY", "\"sk-1234567890abcdef\"")

// ✅ Use local.properties (gitignored) + build script injection
// local.properties (never commit this file)
// API_KEY=sk-1234567890abcdef

// build.gradle.kts (module level; buildConfigField belongs inside android { defaultConfig { } },
// and AGP 8 needs android { buildFeatures { buildConfig = true } } for BuildConfig to be generated)
import com.android.build.gradle.internal.cxx.configure.gradleLocalProperties  // AGP-internal helper

val apiKey = gradleLocalProperties(rootDir, providers).getProperty("API_KEY") ?: ""
buildConfigField("String", "API_KEY", "\"$apiKey\"")
// Caveat: this keeps the key out of the repository, not out of the APK. The value is still
// compiled into BuildConfig as a string constant, so anyone who unzips the build can read it.
// Only use it for keys that are safe to be public or are restricted server-side.

// ✅ Better: use server-side proxy — never expose API keys in app at all
// Client → Your backend → Third-party API
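The ✅/❌ split above is easier to trust with a check on the artifact itself. The script below is an added example, not code from the skill or from any Android tooling: it unzips an APK and greps the compiled code, resources and native libraries for credential-shaped strings, which is exactly how a BuildConfig constant or a local.properties-injected value shows up to anyone who has the build. It is Python rather than Kotlin because it runs in CI against the .apk, not inside the app. The sample APK is constructed in memory, and the regexes (including the page's own `sk-` placeholder format) are illustrative heuristics, not a complete secret-scanning ruleset.

```python
"""Scan a built APK for credential-shaped strings.

Added example, not part of the skill or of Android tooling. A value injected from
local.properties via buildConfigField() is out of git but still a string constant in
classes.dex, so the check that proves Rule 1 has to run on the .apk itself.
"""
import io
import re
import zipfile

# Illustrative heuristics, not a complete ruleset. 'sk-' is the page's own placeholder format.
SECRET_PATTERNS = {
    "generic sk- key": re.compile(rb"sk-[A-Za-z0-9]{16,}"),
    "Google API key": re.compile(rb"AIza[0-9A-Za-z_-]{35}"),
    "AWS access key id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "JWT": re.compile(rb"eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"),
}

# Compiled code, resources, assets and native libraries are where keys end up; images are skipped.
SCANNED_SUFFIXES = (".dex", ".arsc", ".xml", ".json", ".properties", ".txt", ".so")

def scan_apk(apk_bytes: bytes) -> list[tuple[str, str, str]]:
    """Return (entry, pattern label, matched text) for every hit in the APK (a zip file)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.endswith(SCANNED_SUFFIXES):
                continue
            data = apk.read(info.filename)
            for label, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(data):
                    hits.append((info.filename, label, match.group(0).decode("ascii", "replace")))
    return hits

def redact(hit: tuple[str, str, str]) -> str:
    """Log-safe rendering: keep a short prefix so the owner can identify the key, hide the rest."""
    name, label, value = hit
    return f"{name}: {label} ({value[:6]}{'*' * (len(value) - 6)})"

def build_sample_apk(with_secrets: bool = True) -> bytes:
    """Constructed stand-in for a real APK. Dex is binary, but its string pool holds
    constants verbatim, which is what a decompiler (or this regex) reads."""
    dex = b"dex\n035\x00...BuildConfig\x00API_KEY\x00"
    lib = b"\x7fELF..."
    if with_secrets:
        dex += b"sk-1234567890abcdef\x00"              # the BuildConfig constant from Rule 1
        lib += b"AKIAABCDEFGHIJKLMNOP..."              # a key baked into native code
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("classes.dex", dex)
        apk.writestr("assets/config.json", b'{"endpoint": "https://api.myapp.com"}')
        apk.writestr("lib/arm64-v8a/libnative.so", lib)
        apk.writestr("res/drawable/icon.png", b"\x89PNG not scanned")
    return buf.getvalue()

if __name__ == "__main__":
    # Replace build_sample_apk() with open("app-release.apk", "rb").read() in CI.
    findings = scan_apk(build_sample_apk())
    for hit in findings:
        print(redact(hit))
    raise SystemExit(1 if findings else 0)   # non-zero exit fails the pipeline
```

Run it against the release artifact as a pipeline step after assembleRelease; a hit on classes.dex is the concrete evidence that the local.properties route left the key in the app, and the exit code blocks the upload.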

Rule 2: Encrypted storage for sensitive data

// ✅ EncryptedSharedPreferences for tokens, session data
// Gradle: implementation("androidx.security:security-crypto:<version>")
// Note: the library is marked deprecated upstream. It still works, but plan a migration
// (Tink, or the Android Keystore directly) rather than building new features on it.
import android.content.Context
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
import dagger.hilt.android.qualifiers.ApplicationContext
import javax.inject.Inject

interface SecureStorage {
    fun saveToken(token: String)
    fun getToken(): String?
    fun clearAll()
}

class SecureStorageImpl @Inject constructor(
    @ApplicationContext context: Context
) : SecureStorage {
    // The master key lives in Android Keystore (hardware-backed where available) and never
    // leaves the device, so a copied or restored prefs file is unreadable anywhere else.
    // This protects data at rest; it does not stop code running as the app on a rooted device.
    private val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()

    private val encryptedPrefs = EncryptedSharedPreferences.create(
        context,
        "secure_prefs",   // written as shared_prefs/secure_prefs.xml; keys and values are ciphertext
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

    override fun saveToken(token: String) {
        encryptedPrefs.edit().putString("auth_token", token).apply()
    }

    override fun getToken(): String? = encryptedPrefs.getString("auth_token", null)

    override fun clearAll() = encryptedPrefs.edit().clear().apply()
}

Rule 3: Network Security Config

<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (the XML declaration has to be the first line) -->
<network-security-config>
    <!-- Production: no cleartext, trust only the system CA store -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Applied only when the build has android:debuggable="true". It can widen the trust
         anchors (for Charles/mitmproxy) but does not re-enable cleartext traffic -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />  <!-- user-installed proxy CA -->
        </trust-anchors>
    </debug-overrides>
</network-security-config>

<!-- AndroidManifest.xml. usesCleartextTraffic is ignored where a config is present (API 24+);
     it still governs API 23, which has no Network Security Config support -->
<application
    android:networkSecurityConfig="@xml/network_security_config"
    android:usesCleartextTraffic="false">

Rule 4: Certificate pinning

// ✅ OkHttp certificate pinning for high-security apps
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient

// A pin is base64(SHA-256(SubjectPublicKeyInfo)); the AAAA/BBBB values are placeholders. Generate real ones with:
//   openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
val certificatePinner = CertificatePinner.Builder()
    .add("api.myapp.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")  // leaf
    .add("api.myapp.com", "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=")  // backup: next key, or the issuing CA
    .build()

// Pinning fails closed: a renewed certificate matching none of the pins breaks all networking until
// the app is updated. Ship the backup pin before rotating, and pin the intermediate CA's SPKI rather
// than the leaf when you do not control issuance. This defends against rogue or compromised CAs,
// not against a rooted device where a hooking framework can disable the check.
val client = OkHttpClient.Builder()
    .certificatePinner(certificatePinner)
    .build()
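What the `sha256/…=` strings handed to the pinner actually are, and how the check behaves, as an added example that is neither the skill's code nor OkHttp's: a pin is "sha256/" plus the base64 of SHA-256 over the certificate's SubjectPublicKeyInfo DER, the same bytes OkHttp hashes from `publicKey.encoded`. The script walks the DER by hand so it needs only the Python standard library. The certificate it parses is a constructed skeleton (empty issuer, subject and validity, a dummy Ed25519 key), not a real one, and the function names are mine; feed `pin_from_cert()` a real DER (for example `ssl.PEM_cert_to_DER_cert()` applied to the server's PEM) to get a usable pin.

```python
"""OkHttp-style SPKI pins from a DER certificate, standard library only.

Added example (not from the skill or OkHttp). The certificate below is a
constructed skeleton so the file runs offline; only its structure is real.
"""
import base64
import hashlib

SEQUENCE, OID, INTEGER, BIT_STRING, CTX0 = 0x30, 0x06, 0x02, 0x03, 0xA0

def _tlv(tag: int, body: bytes) -> bytes:
    """DER TLV with definite-length encoding (short and long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def _read_tlv(buf: bytes, pos: int) -> tuple[int, int, int]:
    """Return (tag, body_start, body_end) of the TLV at pos; reject truncation."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        start, length = pos + 2, first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    if start + length > len(buf):
        raise ValueError("truncated DER")
    return tag, start, start + length

def _children(buf: bytes, start: int, end: int) -> list[tuple[int, int, int, int]]:
    """Each child as (tag, tlv_start, body_start, body_end)."""
    out, pos = [], start
    while pos < end:
        tag, s, e = _read_tlv(buf, pos)
        out.append((tag, pos, s, e))
        pos = e
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV of an X.509 DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, s, e = _read_tlv(cert_der, 0)
    if tag != SEQUENCE or e != len(cert_der):
        raise ValueError("not a single DER SEQUENCE")
    tbs_tag, _, tbs_s, tbs_e = _children(cert_der, s, e)[0]
    if tbs_tag != SEQUENCE:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = _children(cert_der, tbs_s, tbs_e)
    if fields and fields[0][0] == CTX0:      # v2/v3 certificates carry an explicit version
        fields = fields[1:]
    if len(fields) < 6 or fields[5][0] != SEQUENCE:
        raise ValueError("subjectPublicKeyInfo not found")
    _, tlv_start, _, body_end = fields[5]
    return cert_der[tlv_start:body_end]

def spki_pin(spki_der: bytes) -> str:
    """The pin string OkHttp expects: sha256/ + base64(SHA-256(SPKI))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def pin_from_cert(cert_der: bytes) -> str:
    return spki_pin(extract_spki(cert_der))

def check_pins(chain: list[bytes], pins: list[str]) -> bool:
    """OkHttp semantics: pass if any chain certificate matches any pin; no pins, no check."""
    if not pins:
        return True
    return any(pin_from_cert(cert) in pins for cert in chain)

# Constructed sample certificate (skeleton, not a real cert).
_ED25519 = _tlv(SEQUENCE, _tlv(OID, bytes.fromhex("2b6570")))        # id-Ed25519, 1.3.101.112
SAMPLE_SPKI = _tlv(SEQUENCE, _ED25519 + _tlv(BIT_STRING, b"\x00" + bytes(range(32))))
SAMPLE_CERT = _tlv(SEQUENCE,
    _tlv(SEQUENCE,                                 # tbsCertificate
         _tlv(CTX0, _tlv(INTEGER, b"\x02"))        #   [0] version = v3
         + _tlv(INTEGER, b"\x01")                  #   serialNumber
         + _ED25519                                #   signature AlgorithmIdentifier
         + _tlv(SEQUENCE, b"")                     #   issuer   (empty Name, skeleton only)
         + _tlv(SEQUENCE, b"")                     #   validity (empty, skeleton only)
         + _tlv(SEQUENCE, b"")                     #   subject  (empty Name, skeleton only)
         + SAMPLE_SPKI)
    + _ED25519                                     # signatureAlgorithm
    + _tlv(BIT_STRING, b"\x00" + bytes(64)))       # signatureValue (dummy zeros)

if __name__ == "__main__":
    pin = pin_from_cert(SAMPLE_CERT)
    backup = "sha256/" + "B" * 43 + "="             # placeholder, as in the rule above
    print("pin:", pin)
    print("accepted with [backup, pin]:", check_pins([SAMPLE_CERT], [backup, pin]))
    print("accepted with [backup] only:", check_pins([SAMPLE_CERT], [backup]))
```

`check_pins()` mirrors the two OkHttp behaviours that matter operationally: any certificate in the presented chain matching any configured pin passes (so pinning an intermediate CA works as a rotation-tolerant choice), and a host with no pins is not checked at all, which is why a forgotten host entry is a silent gap rather than a failure.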

Rule 5: Prevent screenshots and screen recording

// ✅ Prevent screenshots on sensitive screens (banking, passwords)
import android.app.Activity
import android.view.WindowManager
import androidx.compose.runtime.Composable
import androidx.compose.runtime.DisposableEffect
import androidx.compose.ui.platform.LocalContext

@Composable
fun SecureScreen(content: @Composable () -> Unit) {
    // LocalContext is normally the host Activity under setContent {}; if it is a plain
    // ContextWrapper the cast yields null and the flag is silently not applied.
    val activity = LocalContext.current as? Activity
    DisposableEffect(Unit) {
        // FLAG_SECURE is a window flag: it blocks screenshots, screen recording and the
        // Recents thumbnail for the whole window while set, not just for this composable.
        // It is enforced by the platform, so a rooted device or custom ROM can ignore it.
        activity?.window?.addFlags(WindowManager.LayoutParams.FLAG_SECURE)
        onDispose {
            activity?.window?.clearFlags(WindowManager.LayoutParams.FLAG_SECURE)
        }
    }
    content()
}

Rule 6: Backup rules — exclude sensitive files

<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/backup_rules.xml: legacy format, read through android:fullBackupContent on API 30 and below -->
<full-backup-content>
    <exclude domain="sharedpref" path="secure_prefs.xml" />
    <exclude domain="database" path="app_database" />
    <exclude domain="file" path="." />
</full-backup-content>

<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/data_extraction_rules.xml: the format android:dataExtractionRules requires on API 31+
     (<full-backup-content> is not valid there). Cloud backup and device-to-device transfer each need their own list -->
<data-extraction-rules>
    <cloud-backup>
        <exclude domain="sharedpref" path="secure_prefs.xml" />
        <exclude domain="database" path="app_database" />  <!-- SQLite also writes app_database-wal / -shm; list them too, or use path="." -->
        <exclude domain="file" path="." />
    </cloud-backup>
    <device-transfer>
        <exclude domain="sharedpref" path="secure_prefs.xml" />
        <exclude domain="database" path="app_database" />
        <exclude domain="file" path="." />
    </device-transfer>
</data-extraction-rules>

<!-- AndroidManifest.xml. With allowBackup="false" nothing is backed up and the rule files are never consulted;
     to back up non-sensitive state only, keep allowBackup="true" and reference both files. Exclude
     EncryptedSharedPreferences either way: the Keystore master key never travels with a backup, so a
     restored secure_prefs.xml cannot be decrypted and the first read throws -->
<application
    android:allowBackup="true"
    android:fullBackupContent="@xml/backup_rules"
    android:dataExtractionRules="@xml/data_extraction_rules">

Common Mistakes

❌ Storing tokens in plain SharedPreferences — use EncryptedSharedPreferences
❌ API keys in BuildConfig — visible by decompiling the APK
❌ android:allowBackup="true" without backup rules — sensitive DB backed up to Google
❌ android:usesCleartextTraffic="true" in production — plain-HTTP connections are allowed
❌ Logging tokens or PII in debug — Log.d("token", userToken) is visible in logcat
❌ No root detection for banking/payment apps — use the Play Integrity API and verify its verdict on your server

Capabilities

skill · source-piyushverma0 · skill-security · topic-agent-skills · topic-ai-agent · topic-android · topic-antigravity · topic-claude-code · topic-codex · topic-cursor · topic-gemini-cli · topic-hilt · topic-jetpack-compose · topic-kotlin · topic-material3

Install

Install: npx skills add piyushverma0/android-agent-skills
Transport: skills-sh
Protocol: skill

Quality

0.45/ 1.00

deterministic score 0.45 from registry signals: indexed on github topic:agent-skills · 8 github stars · SKILL.md body (4,383 chars)

Provenance

Indexed from: github
Enriched: 2026-05-18 19:09:10Z · deterministic:skill-github:v1 · v1
First seen: 2026-05-18
Last seen: 2026-05-18

Agent access