hoangnguyen0403/android-legacy-security
skills/android/android-legacy-security/SKILL.md
Harden Intent handling, WebView configuration, and FileProvider access in Android apps. Use when securing Intent extras, configuring WebViews, or exposing files via FileProvider.
$ install --global
skillsauthnpx skillsauth add hoangnguyen0403/agent-skills-standard android-legacy-securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 8:03 AM36.8s3 files scanned
SKILL.md
- name:
- android-legacy-security
- description:
- Harden Intent handling, WebView configuration, and FileProvider access in Android apps. Use when securing Intent extras, configuring WebViews, or exposing files via FileProvider.
Android Legacy Security Standards
Priority: P0
1. Secure Intents and Components
- Set
android:exported="false"for all internal Activities/Services unless needed for deep links. - Verify
resolveActivitybefore starting implicit intents. - Treat all incoming Intent extras as untrusted — validate all schema/data types.
See hardening examples for manifest and component restrictions.
2. Lock Down WebViews
- Default to
javaScriptEnabled = false. UseWebViewClientandWebChromeClientto restrict navigation. - Disable
allowFileAccessandallowFileAccessFromFileURLsto prevent local file theft via XSS. - If using
@JavascriptInterface(API 17+), strictly limit exposed API surface.
See hardening examples for WebView lockdown patterns.
3. Protect Storage and Files
- NEVER expose
file://URIs. UseFileProviderto generatecontent://URIs with temporary permissions. - Use
EncryptedSharedPreferencesfor auth tokens and PII. Never useMODE_WORLD_READABLE. - Use
NetworkSecurityConfigto disablecleartextTrafficPermittedand implement certificate pinning.
Anti-Patterns
- No Implicit Intents Internally: Use explicit intents with component class name.
- No MODE_WORLD_READABLE: Never use for SharedPreferences or files.
References
- Hardening Examples
Related Skills
hoangnguyen0403/common-software-requirements
development
VerifiedTrustedCommunity
Standardize SRS and FRS specifications for technical behavior, interfaces, data contracts, quality constraints, and verification mapping. Use when writing SRS, functional specification, system behavior requirements, API/data contracts, or non-functional thresholds.
503SKILL.mdUpdated May 23, 2026
hoangnguyen0403/common-business-requirements
development
VerifiedTrustedCommunity
Standardize BRD and BRD-lite discovery for business goals, stakeholder impact, current-to-future state, and measurable value outcomes. Use when creating BRD, business case, project justification, ROI narrative, or AS-IS to TO-BE scope.
503SKILL.mdUpdated May 23, 2026
hoangnguyen0403/common-tdd
development
VerifiedTrustedCommunity
Implements a strict Red-Green-Refactor loop to ensure zero production code is written without a prior failing test. Use when: creating new features, fixing bugs, or expanding test coverage.
503SKILL.mdUpdated May 10, 2026
hoangnguyen0403/common-product-requirements
testing
VerifiedTrustedCommunity
Standardize PRD discovery and drafting for product scope, user outcomes, requirement IDs, and acceptance criteria. Use when creating PRD, product requirements, feature specification, or acceptance criteria plan.
503SKILL.mdUpdated May 10, 2026