krutikJain/android-security-best-practices
skills/android-security-best-practices/SKILL.md
Apply Android app security guidance around secrets, storage, network trust, exported components, and least privilege.
$ install --global
skillsauthnpx skillsauth add krutikJain/android-agent-skills android-security-best-practicesInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 25, 2026, 12:39 PM160.1s6 files scanned
SKILL.md
- name:
- android-security-best-practices
- description:
- Apply Android app security guidance around secrets, storage, network trust, exported components, and least privilege.
- version:
- 0.1.0
- category:
- quality-release
- tags:
- ["android", "security", "privacy", "hardening"]
- include:
- ["android security review", "secret handling android app", "exported component security android", "network security config android", "hardening android project"]
- exclude:
- ["compose animation only", "room index tuning", "play listing copy"]
- owners:
- ["@android-agent-skills/maintainers"]
- test_targets:
- ["examples/orbittasks-compose", "examples/orbittasks-xml", "benchmarks/triggers.jsonl"]
Android Security Best Practices
When To Use
- Use this skill when the request is about: android security review, secret handling android app, exported component security android.
- Primary outcome: Apply Android app security guidance around secrets, storage, network trust, exported components, and least privilege.
- Read
references/patterns.mdwhen you need the attack-surface checklist or the storage/network/component decision matrix. - Read
references/scenarios.mdfor manifest, backup, WebView, and release-hardening review paths. - Handoff skills when the scope expands:
android-modernization-upgradeandroid-ci-cd-release-playstore
Workflow
- Inventory the attack surface first: exported components, intent/deep link entry points, file sharing, WebView usage, local storage, logs, backups, and network trust config.
- Remove avoidable risk before hardening details: prefer platform pickers and choosers, internal storage, server-issued short-lived tokens, and least-privilege permissions instead of shipping broad access or long-lived secrets.
- Lock the remaining boundaries explicitly with
android:exported, component permissions,FileProvider,networkSecurityConfig, debug-only trust anchors, and immutablePendingIntents. - Review sensitive surfaces that often regress in Android apps: WebView JavaScript bridges, backup/data extraction rules, cleartext exceptions, log redaction, and same-developer IPC assumptions.
- Validate the release posture with reproducible checks, then document residual risks and whether backend enforcement or Play Integrity is advisory or blocking.
Guardrails
- Treat client-side secrets as recoverable by attackers; move trust decisions and privileged API access server-side whenever possible.
- Export components only when there is a real external caller, and permission-protect or signature-protect them when the contract is private.
- Use network security config to scope debug trust anchors or cleartext exceptions instead of broad manifest toggles.
- Redact logs, review backups, and keep sensitive data out of shared external storage by default.
Anti-Patterns
- Hiding API keys in resources, the NDK, or obfuscation and calling that secure.
- Leaving
android:exportedor intent filters ambiguous on launchable or IPC components. - Sharing files through raw file paths or overly broad storage permissions instead of
FileProviderand system surfaces. - Pinning certificates without an operational rotation story or fallback plan.
Review Focus
- Exported activities, services, receivers, and providers with clear ownership and caller expectations.
- Secrets, tokens, and backend trust assumptions.
- Network trust, debug overrides, cleartext usage, and certificate handling.
- File sharing, backups, logs, and user-data leakage paths.
- Abuse signals such as Play Integrity only as layered defense, never as the sole authorization model.
Examples
Happy path
- Scenario: Audit manifests and sharing surfaces for explicit exports, permissions, and
FileProviderusage. - Command:
rg -n "android:exported|android:permission|FileProvider|grantUriPermissions" examples
Edge case
- Scenario: Catch insecure backup or network defaults before a release candidate goes out.
- Command:
rg -n "networkSecurityConfig|usesCleartextTraffic|allowBackup|fullBackupContent|dataExtractionRules" examples
Failure recovery
- Scenario: Separate app hardening from modernization or release-pipeline requests.
- Command:
python3 scripts/eval_triggers.py --skill android-security-best-practices
Done Checklist
- Every externally reachable component has explicit exposure and caller constraints.
- Secrets, tokens, and trust decisions are not relying on obscurity in the client app.
- Network, backup, logging, and sharing behavior have explicit release-safe defaults.
- Residual risks and any backend dependencies are documented with clear follow-up work.
Official References
- https://developer.android.com/privacy-and-security/security-best-practices
- https://developer.android.com/privacy-and-security/security-tips
- https://developer.android.com/privacy-and-security/risks/unsafe-exported-components
- https://developer.android.com/privacy-and-security/risks/access-control-to-exported-components
- https://developer.android.com/privacy-and-security/security-config
- https://developer.android.com/privacy-and-security/minimize-permission-requests
- https://developer.android.com/google/play/integrity/overview
Related Skills
krutikJain/android-testing-ui
testing
VerifiedTrustedCommunity
Validate Android UI behavior with Compose UI tests, Espresso-style checks, screenshot assertions, and accessibility verification.
5SKILL.mdUpdated Apr 25, 2026
krutikJain/android-state-management
data-ai
VerifiedTrustedCommunity
Model screen state, events, reducers, and side effects for Android UIs with predictable lifecycle-aware ownership.
5SKILL.mdUpdated Apr 25, 2026
krutikJain/android-serialization-offline-sync
tools
VerifiedTrustedCommunity
Coordinate serialization, caching, conflict handling, and offline-first sync flows in Android apps.
5SKILL.mdUpdated Apr 25, 2026
krutikJain/android-rxjava-to-coroutines-migration
development
VerifiedTrustedCommunity
Migrate Android RxJava code to Kotlin coroutines and Flow with safe lifecycle-aware replacements.
5SKILL.mdUpdated Apr 25, 2026